Russia-Ukraine Conflict and Cybercrime - How the War Changed Cyber Threats
How the Russia-Ukraine war transformed the cybercrime ecosystem - attacks on critical infrastructure, hacktivism, FrostyGoop, Sandworm, and implications for Europe.
Eugene Wypior
Józef Sulwiński
In January 2024, residents of over 600 buildings in Lviv lost heating in the middle of winter. The cause was not a technical failure - the FrostyGoop malware sent crafted Modbus TCP commands to ENCO controllers, forcing incorrect readings and shutting down district heating systems. This is the first known case of the Modbus protocol being used for direct sabotage of heating systems in combat conditions.
This incident illustrates how the Russia-Ukraine conflict has fundamentally changed the nature of cyber operations - from espionage and data theft to physical impact on civilian life.
Key figures (source: CERT-UA, Keepnet Labs 2026):
- cyber incidents reported by CERT-UA in 2024
- year-over-year increase in attacks
- incidents in H1 2025
- members of IT Army of Ukraine
Three phases of cyber operations in the conflict
Cyber operations in the Russia-Ukraine war have undergone a clear evolution since the beginning of the conflict in 2014.
| Phase | Period | Nature | Example |
|---|---|---|---|
| Preparatory | 2014-2021 | Espionage, tool testing, infrastructure reconnaissance | BlackEnergy - attack on Ukraine’s power grid (2015) |
| Kinetic | 2022-2023 | Wipers, data destruction, coordination with military operations | Industroyer2 - attempt to shut down power substations (2022) |
| Hybrid | 2024-2026 | Physical sabotage via OT, AI in malware, hacktivism as proxy | FrostyGoop - heating shutdown in Lviv (2024) |
Critical infrastructure sabotage - new tools
FrostyGoop - Modbus as a weapon
FrostyGoop is the first malware to use the Modbus TCP protocol for direct sabotage of industrial systems. Discovered by Dragos in April 2024, it was used in the attack on LvivTeploEnergo in January 2024.
Mechanism of action:
- Attackers gained access to the OT network of the district heating utility
- The malware sent crafted Modbus commands to ENCO controllers
- Controllers began reporting incorrect temperature readings
- Heating systems were automatically shut down
- Over 600 residential buildings lost heating in sub-zero temperatures
WARNING: FrostyGoop demonstrates that attackers do not need to exploit software vulnerabilities - knowledge of the communication protocol is sufficient. Modbus TCP has no built-in authentication or encryption mechanisms.
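Because Modbus/TCP accepts a write from any host that can reach the controller, the practical defence is to control and watch who issues write function codes at the IT/OT boundary. The following inspector is an added example (not code from the article, Dragos or SEQRED): it parses the MBAP header, flags write requests from hosts outside an allowlist of engineering workstations, and flags frames whose length field is inconsistent; the IP addresses and frames are constructed sample data.

```python
import struct
# Modbus function codes that change controller state. Modbus/TCP has no
# authentication, so any host that can reach TCP/502 may issue them.
WRITE_FUNCTION_CODES = {0x05: "Write Single Coil", 0x06: "Write Single Register",
                        0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers"}

def parse_modbus_tcp(payload: bytes):
    """Parse one Modbus/TCP ADU (7-byte MBAP header + PDU) into
    (transaction_id, unit_id, function_code, data); raise ValueError if malformed."""
    if len(payload) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(payload) - 6:  # length field counts unit id + PDU bytes
        raise ValueError(f"MBAP length {length} does not match {len(payload)}-byte frame")
    return tid, unit, payload[7], payload[8:]

def inspect_flow(src_ip, dst_ip, payload, allowed_writers):
    """Return alert strings for one request observed at the IT/OT boundary."""
    try:
        _, unit, fc, _ = parse_modbus_tcp(payload)
    except ValueError as exc:
        return [f"MALFORMED {src_ip}->{dst_ip}: {exc}"]
    if fc in WRITE_FUNCTION_CODES and src_ip not in allowed_writers:
        return [f"UNAUTHORIZED_WRITE {src_ip}->{dst_ip} unit={unit} "
                f"fc=0x{fc:02x} ({WRITE_FUNCTION_CODES[fc]})"]
    return []

def run(flows, allowed_writers):
    """Evaluate (src, dst, payload) tuples and collect all alerts in order."""
    alerts = []
    for src, dst, payload in flows:
        alerts.extend(inspect_flow(src, dst, payload, allowed_writers))
    return alerts

# Constructed sample traffic with hypothetical addresses; only the engineering
# workstation 10.10.5.20 is permitted to write to the controller 10.10.7.3.
ALLOWED_WRITERS = {"10.10.5.20"}
SAMPLE_FLOWS = [
    ("10.10.5.20", "10.10.7.3", bytes.fromhex("000200000006010300000002")),  # fc 0x03 read, benign
    ("10.10.5.20", "10.10.7.3", bytes.fromhex("000100000006010600000064")),  # fc 0x06 write, allowed host
    ("192.168.1.77", "10.10.7.3", bytes.fromhex("000300000009011000100001020000")),  # fc 0x10 write, IT host
    ("192.168.1.77", "10.10.7.3", bytes.fromhex("0004000000200103")),  # MBAP length field inconsistent
]

if __name__ == "__main__":
    for alert in run(SAMPLE_FLOWS, ALLOWED_WRITERS):
        print(alert)
```

In practice the allowlist is the documented set of engineering stations and SCADA servers, and the same check can be expressed as a firewall rule or IDS signature on the OT segment boundary.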
Sandworm (APT44) - cyber-kinetic coordination
Sandworm, operating as GRU Unit 74455, evolved from destructive wipers to precisely synchronized operations combining cyberattacks with missile strikes.
Key operations 2024-2025:
- ZEROLOT (October 2024 - March 2025) - a new wiper deployed against Ukrainian energy companies, synchronized with kinetic strikes on energy infrastructure
- Kapeka backdoor (2024) - KAMACITE (a component of the Sandworm ecosystem) used it to gain persistent access to systems delivering heat, water, and electricity
- WRECKSTEEL (March 2025) - attack on Ukrainian government systems using phishing and data-stealing malware
Hacktivism as a geopolitical tool
The war created a new threat category: state-aligned hacktivism - groups formally independent but operationally coordinated with intelligence services.
Russian side
| Group | Formed | Main operations | Affiliations |
|---|---|---|---|
| NoName057(16) | March 2022 | DDoS against NATO governments, 1,500+ attacks | Coordination with CARR, KillNet |
| Cyber Army of Russia Reborn (CARR) | 2022 | Attacks on US water systems, meat processing plants | Members transitioned to Z-Pentest, Sector16 |
| KillNet | 2022 | DDoS against airports, hospitals in Europe | Reorganized in 2024, some members moved to Black Skills |
| Z-Pentest / Sector16 | September 2024 / January 2025 | Attacks on SCADA systems in the US and Europe | Composed of former CARR and NoName057(16) members |
TIP: CISA issued alert AA25-343a (December 2025) on pro-Russian hacktivists targeting US and global critical infrastructure. Organizations operating OT systems should verify internet-facing access to HMI interfaces.
IT Army of Ukraine
Ukraine also conducts offensive cyber operations. The IT Army of Ukraine, established in February 2022 by Minister of Digital Transformation Mykhailo Fedorov, evolved from a loose volunteer group into a sophisticated structure:
- 125,000 members in 2025
- Cooperation with GUR (Main Intelligence Directorate) in DDoS and data exfiltration operations
- Evolution from simple DDoS attacks (+50% in 2024) to cyber intelligence operations, data exfiltration, and persistent access to Russian systems
- In June 2024, the group contributed to the largest DDoS attack in history, paralyzing the Russian banking sector
“Dark Covenant” - the state and cybercrime
The Recorded Future report “Dark Covenant 3.0” (2025) documents how Russia transitioned from tolerating cybercrime to actively managing criminal groups as geopolitical instruments.
Key mechanisms:
- Selective impunity - arrests of ransomware group members (e.g., REvil in 2022) are tied to diplomatic cycles, not law enforcement
- Group consolidation - after the Conti chat leaks (2022) and BlackBasta leaks (2024), it was revealed that senior members maintain contacts with Russian intelligence services
- Hacktivism as cover - hacktivist groups (NoName057(16), CARR) conduct operations that intelligence services can deny
- Technology transfer - tools developed by APT groups enter the cybercriminal ecosystem (e.g., the EternalBlue exploit used in NotPetya and WannaCry)
Implications for organizations in Europe
The Russia-Ukraine conflict directly affects the security of organizations in Poland and across Europe:
Supply chain attacks - IT service providers for Ukrainian organizations become targets, which can impact their European clients and partners.
Hacktivism as a vector - pro-Russian hacktivist groups have repeatedly attacked critical infrastructure of NATO countries, including Poland. DDoS attacks on government portals and banking systems are regular occurrences.
Escalation of OT techniques - tools developed for attacks on Ukrainian infrastructure (FrostyGoop, Industroyer) can be adapted against similar systems in Europe. Many European district heating and energy systems use the same controllers and protocols.
TIP: Organizations operating critical infrastructure should:
- Verify IT/OT network segmentation and access to industrial protocols (Modbus, DNP3, IEC 104)
- Monitor hacktivist activity on forums and Telegram channels associated with NoName057(16)
- Implement CISA AA25-343a recommendations for securing HMI interfaces
- Conduct incident response exercises that include OT system attack scenarios
Summary
The Russia-Ukraine war has permanently altered the global cyber threat ecosystem. The boundary between state operations, cybercrime, and hacktivism has virtually disappeared. Tools developed for the conflict - from wipers to OT malware - are becoming available to an increasingly broad range of actors.
For organizations in Poland and Europe, this means cybersecurity must be treated not as a technology problem but as an element of national security. OT systems and critical infrastructure require particular attention - as FrostyGoop demonstrated, an attack on an industrial controller can have a direct impact on the lives of thousands of people.
SEQRED helps critical infrastructure organizations assess their resilience against these types of threats - from OT system penetration testing to APT attack simulations in a red teaming format.
Sources
- CERT-UA: Cyberattacks on Ukraine surge 70% in 2024
- Dragos: FrostyGoop ICS malware analysis
- Recorded Future: Dark Covenant 3.0 - Russia’s cybercriminals
- CISA: Pro-Russia Hacktivists Conduct Opportunistic Attacks (AA25-343a)
- Trustwave: Three Years of Cyber Warfare
- Brandefense: Sandworm APT44 analysis 2025
- Intel 471: Pro-Russian hacktivism shifting alliances
- Keepnet Labs: Ukraine IT Army and Cyber Warfare 2026
- CNA: Russia’s Cyber Industry During the War