{
	"id": "eeaa196b-8503-480a-934d-053412c49164",
	"created_at": "2026-04-06T00:15:12.621284Z",
	"updated_at": "2026-04-10T03:30:33.083843Z",
	"deleted_at": null,
	"sha1_hash": "46f415ac12350ea541a38dcf8d97ab83fef7f416",
	"title": "Fog of war: how the Ukraine conflict transformed the cyber threat landscape",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 238877,
	"plain_text": "Fog of war: how the Ukraine conflict transformed the cyber threat\r\nlandscape\r\nBy Shane Huntley\r\nPublished: 2023-02-16 · Archived: 2026-04-05 13:15:24 UTC\r\nOne year after the Russian invasion of Ukraine Google TAG, with additional research from Mandiant and Trust \u0026\r\nSafety, provide insights into changes in the cyber threat landscape triggered by the war.\r\nNearly one year ago, Russia invaded Ukraine, and we continue to see cyber operations play a prominent role in\r\nthe war. To provide more insights into the role of cyber, today, we are releasing our report Fog of War: How the\r\nUkraine Conflict Transformed the Cyber Threat Landscape based on analysis from Google’s Threat Analysis\r\nGroup (TAG), Mandiant and Trust \u0026 Safety. The report encompasses new findings, and retrospective insights,\r\nacross government-backed attackers, information operations (IO) and cybercriminal ecosystem threat actors. It\r\nalso includes threat actor deep dives focused on specific campaigns from 2022.\r\nComing together to support Ukraine\r\nSince the war began, governments, companies, civil society groups and countless others have been working\r\naround the clock to support the Ukrainian people and their institutions. At Google, we support these efforts and\r\ncontinue to announce new commitments and support to Ukraine. This includes a donation of 50,000 Google\r\nWorkspace licenses for the government; rapid Air Raid Alerts system for Android phones in the region; support\r\nfor refugees, businesses, and entrepreneurs; and measures to indefinitely pause monetization and limit the reach of\r\nRussian state news media.\r\nOne of the most pressing challenges, however, is that the Ukrainian government is under near-constant digital\r\nattack. 
Shortly after the invasion, we expanded eligibility for Project Shield, our free protection against distributed\r\ndenial of service attacks (DDoS), so that Ukrainian government websites and embassies worldwide could stay\r\nonline and continue to offer critical services.\r\nhttps://blog.google/threat-analysis-group/fog-of-war-how-the-ukraine-conflict-transformed-the-cyber-threat-landscape/\r\nPage 1 of 4\n\nWe continue to provide direct assistance to the Ukrainian government and critical infrastructure entities under the\r\nCyber Defense Assistance Collaborative — including compromise assessments, incident response services, shared\r\ncyber threat intelligence, and security transformation services — to help detect, mitigate and defend against cyber\r\nattacks. In addition, we continue to implement protections for users and track and disrupt cyber threats to help\r\nraise awareness among the security community and high-risk users and maintain information quality.\r\nThis level of collective defense – between governments, companies and security stakeholders across the world – is\r\nunprecedented in scope. We wanted to share what we have learned with the global security community to help\r\nprepare better defenses for the future.\r\nKey findings\r\n1. Russian government-backed attackers have engaged in an aggressive, multi-pronged effort to gain a\r\ndecisive wartime advantage in cyberspace, often with mixed results.\r\nThis includes a significant shift in various groups’ focus towards Ukraine, a dramatic increase in the use of\r\ndestructive attacks on Ukrainian government, military and civilian infrastructure, a spike in spear-phishing activity\r\ntargeting NATO countries, and an uptick in cyber operations designed to further multiple Russian objectives. 
For\r\nexample, we’ve observed threat actors hack-and-leak sensitive information to further a specific narrative.\r\nRussian government-backed attackers ramped up cyber operations beginning in 2021 during the run up to the\r\ninvasion. In 2022, Russia increased targeting of users in Ukraine by 250% compared to 2020. Targeting of users in\r\nNATO countries increased over 300% in the same period.\r\nIn 2022, Russian government-backed attackers targeted users in Ukraine more than any other country. While we\r\nsee these attackers focus heavily on Ukrainian government and military entities, the campaigns we disrupted also\r\nshow a strong focus on critical infrastructure, utilities and public services, and the media and information space.\r\nFrom its incident response work, Mandiant observed more destructive cyber attacks in Ukraine during the first\r\nfour months of 2022 than in the previous eight years with attacks peaking around the start of the invasion. While\r\nthey saw significant activity after that period, the pace of attacks slowed and appeared less coordinated than the\r\ninitial wave in February 2022. Specifically, destructive attacks often occurred more quickly after the attacker\r\ngained or regained access, often through compromised edge infrastructure. Many operations indicated an attempt\r\nby the Russian Armed Forces’ Main Directorate of the General Staff (GRU) to balance competing priorities of\r\naccess, collection, and disruption throughout each phase of activity.\r\n2. Moscow has leveraged the full spectrum of IO – from overt state-backed media to covert platforms and\r\naccounts – to shape public perception of the war.\r\nThese operations have three goals:\r\n1. Undermine the Ukrainian government\r\n2. Fracture international support for Ukraine\r\n3. 
Maintain domestic support in Russia for the war\r\nWe’ve seen spikes of activity associated with key events in the conflict such as the buildup, invasion and troop\r\nmobilization in Russia. At Google, we’ve worked aggressively across products, teams and regions to counter these\r\nactivities where they violate our policies and disrupt overt and covert IO campaigns, but continue to encounter\r\nrelentless attempts to circumvent our policies.\r\nThe covert Russian IO we’ve disrupted on Google product surfaces primarily focused on maintaining Russian\r\ndomestic support for the war in Ukraine, with over 90% of the instances in the Russian language.\r\n3. The invasion has triggered a notable shift in the Eastern European cybercriminal ecosystem that will\r\nlikely have long term implications for both coordination between criminal groups and the scale of\r\ncybercrime worldwide.\r\nSome groups have split over political allegiances and geopolitics, while others have lost prominent operators,\r\nwhich will impact the way we think about these groups and our traditional understanding of their capabilities.\r\nWe’ve also seen a trend towards specialization in the ransomware ecosystem that blends tactics across actors,\r\nmaking definitive attribution more difficult. The war in Ukraine has also been defined by what we expected but\r\ndidn’t see. For example, we didn’t observe a surge of attacks against critical infrastructure outside of Ukraine.\r\nTAG also sees tactics closely associated with financially motivated threat actors being deployed in campaigns\r\nwith targets typically associated with government-backed attackers. 
In September 2022, TAG reported on a threat\r\nactor whose activities overlap with CERT-UA’s UAC-0098, a threat actor that historically delivered the IcedID\r\nbanking trojan, leading to human-operated ransomware attacks. We assess some members of UAC-0098 are\r\nformer Conti members repurposing their techniques to target Ukraine.\r\nLooking ahead\r\nWe assess with high confidence that Russian government-backed attackers will continue to conduct cyber\r\nattacks against Ukraine and NATO partners to further Russian strategic objectives.\r\nWe assess with high confidence that Moscow will increase disruptive and destructive attacks in response to\r\ndevelopments on the battlefield that fundamentally shift the balance – real or perceived – towards Ukraine\r\n(e.g., troop losses, new foreign commitments to provide political or military support, etc.). These attacks\r\nwill primarily target Ukraine, but increasingly expand to include NATO partners.\r\nWe assess with moderate confidence that Russia will continue to increase the pace and scope of IO to\r\nachieve the objectives described above, particularly as we approach key moments like international\r\nfunding, military aid, domestic referendums, and more. What’s less clear is whether these activities will\r\nachieve the desired impact, or simply harden opposition against Russian aggression over time.\r\nIt is clear cyber will continue to play an integral role in future armed conflict, supplementing traditional forms of\r\nwarfare, and hope this report serves as a call to action as we prepare for what lies ahead. 
At Google, we are\r\ncommitted to doing our part to support collective defense and look forward to partnering with others to drive\r\ncontinued progress and help organizations, businesses, governments and users stay safe online.\r\nClick here for the full report, and security practitioners interested in the webinar can sign up here.\r\nSource: https://blog.google/threat-analysis-group/fog-of-war-how-the-ukraine-conflict-transformed-the-cyber-threat-landscape/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://blog.google/threat-analysis-group/fog-of-war-how-the-ukraine-conflict-transformed-the-cyber-threat-landscape/"
	],
	"report_names": [
		"fog-of-war-how-the-ukraine-conflict-transformed-the-cyber-threat-landscape"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434512,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/46f415ac12350ea541a38dcf8d97ab83fef7f416.pdf",
		"text": "https://archive.orkl.eu/46f415ac12350ea541a38dcf8d97ab83fef7f416.txt",
		"img": "https://archive.orkl.eu/46f415ac12350ea541a38dcf8d97ab83fef7f416.jpg"
	}
}