Washington · May 28, 2026
Russia has not abandoned destructive cyberattacks against Ukraine, but its operational center of gravity has moved toward persistent network access and intelligence collection, according to Ukrainian cyber officials, Western analysts, and corroborating data from Ukraine's national incident-response team. The shift marks a significant evolution in Moscow's digital campaign, now more than three years into Russia's full-scale invasion that began in February 2022.
Dave Luber, the National Security Agency's director of cybersecurity, stated at Recorded Future's Predict conference in Washington that Russia has shifted toward cyberespionage, with the Kremlin focusing on gathering intelligence to inform ground-level military operations. That assessment aligns with observations from Ukrainian practitioners. Victor Zhora, who served as deputy chair of Ukraine's State Service of Special Communications and Information Protection (SSSCIP) during the first two years of the war, told POLITICO that Moscow's current priority is "trying to gain persistence in networks and behave as quietly as they can." [POLITICO] Helen Popp, Estonia's ambassador-at-large for cyber diplomacy, similarly described to POLITICO a "move towards cyber intelligence, particularly espionage targeting the military and the defense industrial sector." [POLITICO] Ukraine's Computer Emergency Response Team, CERT-UA, confirmed the defense industrial sector is a primary focus, noting that Sandworm, the GRU-linked advanced persistent threat group, continued operations in 2025 targeting energy, defense industrial organizations, telecom providers, and research institutions.
Russian hackers are also increasingly attempting to regain access to systems they previously compromised. CERT-UA warned that attackers are revisiting earlier breaches to verify whether access persists, whether vulnerabilities remain unpatched, and whether harvested credentials are still valid. This trend reflects a broader tactical shift across 2025: in the first half of the year, many intrusions relied on a "steal-and-go" approach, in which attackers deployed malware to rapidly collect credentials before withdrawing to avoid detection. By the second half, the pattern shifted toward sustained access and follow-on espionage operations. Google researchers separately revealed that Russian military intelligence operatives infiltrated Signal messenger accounts used by Ukrainian troops, including by exploiting captured devices to monitor battlefield communications.
The underlying data support the tactical shift narrative, though with an important caveat: improved Ukrainian defenses appear to be driving the numbers down simultaneously. CERT-UA's most recent analytical report found that the overall number of cyber incidents declined in the second half of 2025 compared to the first, the first such decrease since Russia's full-scale invasion began. Researchers attributed the drop in part to Ukrainian organizations gradually improving their defenses. Specifically, no critical cyber incidents were recorded in Ukraine in the second half of 2025, while high-level incidents fell 17 percent, medium-level incidents fell 2 percent, and low-level incidents fell 87 percent. Those figures follow 2024, a year in which Russian cyberattacks surged nearly 70 percent, with 4,315 incidents targeting critical infrastructure, government services, the energy sector, and defense-related entities. Mark Montgomery, who leads cyber policy work at the Foundation for Defense of Democracies and has advised Ukraine on cyber defense, told POLITICO that despite the 2024 volume surge, the number of serious successful attacks declined dramatically, reflecting both Russia's persistence and Ukrainian resilience. [POLITICO]
Ukraine has paired its defensive improvement with significant institutional development. The Ministry of Defense established a dedicated Cyber Incident Response Center in 2024, creating a separate structural unit to expand the ministry's cyber defense responsibilities beyond its pre-existing team of cybersecurity professionals. The center operates similarly to what other countries designate as a military computer emergency response team, or milCERT, and will cooperate with NATO allies to counter joint cyber threats. On the legislative side, President Volodymyr Zelenskyy signed Law No. 4336-IX, titled "On Amendments to Certain Laws of Ukraine Regarding Information Protection and Cybersecurity of State Information Resources, Critical Information Infrastructure Objects," approved by parliament March 27, 2025, and enacted April 17, 2025. The law establishes a multi-tiered national system for responding to cyber incidents, attacks, and threats, with defined roles for the SSSCIP, CERT-UA, and sectoral and regional response teams. Ukrainian lawmakers framed the legislation as a step toward harmonizing Ukraine's legal framework with European partners and deepening transnational cybersecurity cooperation.
The espionage pivot does not eliminate the destructive threat. ESET, the cybersecurity firm, cautioned that Sandworm continued conducting wiper attacks against Ukrainian entities on a regular basis into 2025, notwithstanding reports of a broader refocusing on espionage in late 2024. Separately, ESET found that APT28's BeardShell malware, first discovered in 2024, continued to appear in espionage operations through 2025 and into 2026, primarily targeting Ukrainian military personnel for long-term surveillance. Alexander Leslie, senior adviser for government affairs at Recorded Future, told POLITICO that Russia's goal is to "gain enough control of the system to create a military advantage when it matters," adding that the shift toward persistence makes the threat to critical infrastructure "more subtle and, in some respects, more dangerous." [POLITICO] In May 2025, the United States, the United Kingdom, France, Germany, and other allies issued a joint advisory warning of a Russian cyber campaign targeting the delivery of defense support to Ukraine and other NATO defense and technology sectors. That advisory confirms that the espionage-oriented campaign extends beyond Ukrainian networks and into the allied defense industrial base, broadening the legal and policy implications for member states with obligations under NATO's collective-defense framework.