Russian cyberattacks targeting Ukraine’s energy infrastructure have shifted focus from immediate disruption to intelligence gathering for guiding missile strikes, Ukrainian cybersecurity officials revealed at the Kyiv International Cyber Resilience Forum.
Strategic Shift in Attack Methodology
Oleksandr Potii, head of Ukraine’s State Service of Special Communications and Information Protection, confirmed that attackers are now prioritizing reconnaissance operations over destructive attacks. “Cyberattacks on critical infrastructure never happen on their own; they are always part of a broader operation,” Potii stated.
The new attack pattern focuses on:
- Mapping energy facilities and understanding their architecture
- Tracking repair crews and their deployment patterns
- Assessing recovery timelines after physical strikes
- Monitoring equipment replacement and component sourcing
The Long Game Strategy
Natalia Tkachuk, head of cyber and information security at Ukraine’s National Security and Defense Council, explained the strategic rationale: “Russia has realized it’s playing a long game — this will not be a blitzkrieg — so most operations now focus on intelligence gathering.”
According to Tkachuk, Russian operators maintain persistent access inside networks to:
- Monitor the extent of physical damage from kinetic strikes
- Track recovery efforts in real time
- Calibrate future missile attacks based on infrastructure vulnerabilities
- Assess the effectiveness of previous strikes
Sandworm’s Evolving Tactics
The shift aligns with previous observations by security researchers, including Google analysts, who documented Sandworm’s transition from destructive cyberattacks toward intelligence-gathering operations. Sandworm, a Kremlin-linked hacking group attributed to Russia’s GRU military intelligence, has been the primary threat actor targeting Ukrainian energy infrastructure since the 2022 invasion.
Critical Infrastructure Under Sustained Assault
Since Russia’s full-scale invasion in February 2022, Ukraine’s energy infrastructure has endured repeated drone and missile strikes targeting:
- Power plants and generation facilities
- Electrical substations
- Transmission lines
- District heating facilities
These attacks have caused prolonged outages during freezing winter months, with cyber operations amplifying the impact of physical destruction.
Implications for Critical Infrastructure Defense
This evolution in Russian tactics demonstrates the convergence of cyber and kinetic warfare. Organizations defending critical infrastructure should recognize that network intrusions may serve as reconnaissance for physical attacks rather than immediate disruption.
Key defensive priorities:
- Monitor for persistent access that appears dormant
- Protect operational data about facility layouts and recovery procedures
- Segment networks to limit intelligence gathering
- Assume adversaries are mapping infrastructure for future targeting
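The first priority above, spotting persistent access that looks dormant, is the one that lends itself to a concrete check. The script below is an added example, not code from the article or from any of the agencies it quotes. It parses a handful of constructed remote-access authentication lines (the `vpn-gw01 auth:` format, the account names and the addresses are all invented for illustration) and flags any account that logs in successfully again after at least 30 days of silence, noting whether it returned from a different source address. The idea is that an account which sits unused for weeks and then quietly reappears is exactly the pattern a reconnaissance operator maintaining long-term access would produce, and it is easy to miss in volume-based alerting.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log lines in a hypothetical gateway format (not a real product's syntax).
SAMPLE_LOG = """\
2024-01-05T02:13:44Z vpn-gw01 auth: user=svc-backup src=203.0.113.5 result=success
2024-01-05T08:00:12Z vpn-gw01 auth: user=jdoe src=198.51.100.7 result=success
2024-01-06T08:02:51Z vpn-gw01 auth: user=jdoe src=198.51.100.7 result=success
2024-01-20T08:04:02Z vpn-gw01 auth: user=jdoe src=198.51.100.7 result=success
2024-02-01T09:30:00Z vpn-gw01 auth: user=ot-vendor src=192.0.2.44 result=success
2024-02-02T09:31:10Z vpn-gw01 auth: user=ot-vendor src=192.0.2.44 result=success
2024-02-07T08:01:03Z vpn-gw01 auth: user=jdoe src=198.51.100.7 result=success
2024-03-20T03:47:09Z vpn-gw01 auth: user=svc-backup src=203.0.113.77 result=success
2024-03-21T01:15:30Z vpn-gw01 auth: user=svc-backup src=203.0.113.77 result=failure
2024-04-10T23:58:41Z vpn-gw01 auth: user=ot-vendor src=192.0.2.44 result=success
"""

# One line = one authentication attempt; fields are space-separated key=value pairs.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_events(text):
    """Turn raw log text into a list of event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        # Timestamps are UTC ISO-8601 with a trailing Z in this constructed format.
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(e)
    return events


def find_dormant_reactivations(events, min_gap_days=30):
    """Flag accounts whose successful logins are separated by a long silent gap.

    Only successful authentications count as activity: failures are noise for
    this purpose (and a burst of failures is a different detection).  Each
    finding records the gap length and whether the account came back from a
    source address other than the one it last used.
    """
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "success":
            by_user[e["user"]].append(e)

    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for prev, cur in zip(evs, evs[1:]):
            gap_days = (cur["ts"] - prev["ts"]).days
            if gap_days >= min_gap_days:
                findings.append({
                    "user": user,
                    "gap_days": gap_days,
                    "when": cur["ts"],
                    "src": cur["src"],
                    "new_source": cur["src"] != prev["src"],
                })
    return sorted(findings, key=lambda f: f["when"])


if __name__ == "__main__":
    for f in find_dormant_reactivations(parse_events(SAMPLE_LOG)):
        flag = " (new source address)" if f["new_source"] else ""
        print(f"{f['when']:%Y-%m-%d} {f['user']}: active again after "
              f"{f['gap_days']} days from {f['src']}{flag}")
```

Against the sample data the check reports `svc-backup` returning after 75 days from a new address and `ot-vendor` returning after 68 days from its usual one; the daily `jdoe` account is silent. In practice the threshold and the account population (service accounts, vendor remote-maintenance accounts, OT jump hosts) are tuned per site, and the output is a review queue for an analyst rather than an automatic block.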
