Recently, the government's computer emergency response team CERT-UA recorded new cyberattacks against Ukrainian defense enterprises: these are not isolated cases of targeted cyberattacks against representatives of the Defense Forces of Ukraine. In the Signal messenger, for example, messages were found circulating with archives attached that allegedly contained a report with the results of a meeting.
Recently, Nadiyno, the digital security hotline for Ukrainians, also investigated methods of compromising Telegram accounts and named the most common hacking schemes: phishing attacks through fake messages from "support", friends, or favorite channels. As part of the study, experts also concluded that the use of AI to personalize attacks is gaining momentum, and fraudulent messages are becoming even more convincing.
On March 11-12, 2025, the Kyiv International Cyber Resilience Forum was held, bringing together over 1,000 visitors: cybersecurity leaders, government officials, cyber diplomats, the business community, investors, industry experts, analysts, and media. We attended the event and report here on the evolution of the confrontation between Ukraine and the Russian Federation in cyberspace, the new approaches to cybersecurity that Ukrainian business is already implementing today, and the cyber challenges that await us in the near future.
From sabotage to espionage: the evolution of cyberwarfare
Over the past eight years, the Ukrainian cybersecurity market has grown fourfold and reached $138 million in 2024: cloud security, data protection, and endpoint protection demonstrated the fastest growth. According to research data from the consulting company DataDriven Research & Consulting, analysts predict that the Ukrainian cybersecurity market will grow by another 50% over the next five years and reach $209 million. According to experts, the key segment of the cybersecurity market in Ukraine is network security. The full-scale war unleashed by the Russian Federation has caused a surge in cyberattacks in Ukraine, increasing the demand for automated solutions and innovative technologies. Currently, the countries targeted by the largest number of cyberattacks in the world are the USA, Ukraine, South Korea, and China, and the most common types of cyberattack are DDoS, ransomware, and phishing. In Ukraine, constant cyberattacks by Russian hackers most often target government agencies, the defense industry, telecommunications, financial institutions, and the energy sector.
According to the results of 2024, the global cybersecurity market is expected to reach $186 billion. Ukraine's share in this market is currently less than 1%, but experts believe that our country is a market trendsetter, ahead of other countries in cyber expertise thanks to work in the R&D segment. Thus, the main driving forces of the market in Ukraine are: the implementation of digital solutions in business and the public sector; constant Russian cyberattacks; increasing financial and reputational damage from cyberattacks; increasing use of AI; stimulating the market with projects and programs of international technical assistance.
Serhiy Prokopenko, Head of the Department for Ensuring the Activities of the National Cybersecurity Coordination Center (NCCC), a specialized service of the NSDC of Ukraine, who has 20 years of experience in the field of cybersecurity, told the forum that the Russians are currently actively changing their tactics. "According to our assessment, the seventh stage of cyberwar is underway and, perhaps, the transition to the eighth stage is already underway. This stage is characterized by very well-prepared phishing campaigns aimed at specific people in whom Russia is interested. It uses topics, phishing documents, and baits that are directly related to everyday work. They have enough information about almost every target that is of interest to the Russian special services to conduct a targeted attack," explained cybersecurity expert Serhiy Prokopenko.
According to him, attacks are occurring on both computers and mobile phones, including using commercial spyware such as Pegasus.
Reference: Pegasus is spyware that can be installed stealthily on mobile phones and other devices running certain versions of Apple's iOS and Android mobile operating systems. It was developed by the Israeli company NSO Group Technologies; the developer claims to provide "authorized governments with technology to help them fight terrorism and crime". Pegasus infects devices via SMS, WhatsApp, iMessage, and possibly other channels. It can extract messages, photos and correspondence, contacts, and GPS data, as well as record calls and silently turn on the microphone and camera.
"We have encountered attacks in which high-ranking officials and commanders of Ukraine are attacked in order to gain access to their personal devices. The enemy involves in these cyber actions against Ukraine not only professional officers of its special services, but also cybercriminals," the specialist noted. He also spoke about another major direction of attacks: pseudo-activists, or fake activists. These are groups that allegedly run Telegram channels and, in the interests of the Russian special services, publish data leaks and call for cyberattacks on Ukraine and Ukraine's partners.
"One of the trends is that Russia has begun to use artificial intelligence more actively. This applies not only to information operations. Everyone knows about the tools that create networks of fake sites, bots in social networks, the purpose of which is to spread disinformation and propaganda in the interests of the Russian Federation. In addition, Russia's strategic goal is to poison artificial intelligence. Some countries are relying on AI-based decision-making and may make the wrong decisions because the data is already poisoned. Accordingly, the conclusions are poisoned. We also see that the quality of phishing has improved. Russians do not know how to speak Ukrainian and cannot prepare high-quality materials. Now AI is coming to their aid," noted Serhiy Prokopenko.
According to the specialist, a large-scale trend is that Russia is very actively coordinating cyberattacks with military and information operations. "A few weeks ago, when there was a cold snap in Ukraine, the Russian Federation initiated a series of cyberattacks on our energy and heat supply facilities, that is, a specific moment was awaited and all these cyberattacks were also accompanied by kinetic attacks. Russia is also increasing the number of destructive cyberattacks. If earlier they tried to attack state institutions more, now the priority is business," the cybersecurity expert noted.
Recall that on December 12, 2023, a hacker attack on Kyivstar, the largest Ukrainian mobile operator, led to a large-scale failure. The company's president, Oleksandr Komarov, later said that 40% of the operator's infrastructure was destroyed during this attack. And on the night of January 22, 2025, hackers carried out a large-scale cyberattack on the MHP agricultural holding, the largest producer of chicken in Ukraine. At that time, part of the company's IT infrastructure was not working, and the attack became the largest in the entire history of the holding.
"In January, the largest cyberattack in history was carried out on MHP. This will cause certain changes in our internal processes, which we will not talk about publicly. But I can honestly say: this incident confirmed the effectiveness of our approach to monitoring. Many years of work on developing security policies and procedures have yielded results. Today, we are improving this system — adding new tools to expand our perimeter monitoring and strengthening backup procedures," Taras Goshovsky, Director of Information and Digital Technologies at MHP, recently told us.
Serhiy Prokopenko, head of the department for ensuring the activities of the NCCC, a specialized service of the NSDC Apparatus, also said that in the information space, Russians are gradually beginning to spread the thesis that Ukraine is not a victim of cyberwar, not an adversary of Russia, but an aggressor. "The best example is Elon Musk's statement that Ukraine hacked X (Twitter). The narrative about Ukraine as an aggressor is directed at a rather narrow, professional community of those involved in cybersecurity. But this same narrative is also being promoted at the global level - where reports are spreading that Ukraine is preparing to shell border countries - Poland, Romania, in order to provoke NATO into entering the war. This suggests that the Russian Federation plans all these operations very qualitatively and they support each other. If you look at all these trends, in most cases the final goal is precisely informational influence. If we take the last three years, cyberattacks on Ukraine make up about 20% of the total number of Russian operations. The majority, which is almost 70%, fall on our partners. These are both cyberattacks and influence operations. All of Europe is also under the sights," Serhiy Prokopenko summarized.
The 2024 analytical review of key events, trends, and challenges in cybersecurity, prepared by the NCCC with the support of the USAID Cybersecurity Activity, states that several particularly powerful cyberattacks were carried out in January of last year: one was aimed at the banking sector, and another noticeably affected one of the largest data centers in Ukraine (the Parkovy data center), disrupting the availability of services of several state organizations and information systems. In the second half of 2024, increased interest from hostile hackers in the Ukrainian telecom sector was also recorded. Among the groups carrying out attacks on Ukraine, the most active are those that are currently not associated with the aggressor's special services, although they act in the interests of the Russian authorities.
By the way, the director of the Parkovy data center (whose cloud storage is used by Diia, among others), Volodymyr Pokatilov, told colleagues from dev.ua at the forum that the attack in January 2024 was aimed at destroying data, and that in total two petabytes of data were erased from the hard drives of virtual machines. "And there are more backups, because backup is a factor of 1.5-2," the top manager noted. But because some of the data center's backups were also protected, the attackers were unable to completely destroy the data. As it turned out, one of Parkovy's clients was a spy. "This was a client who came to us before the war, took it for a test, and then bought services," Volodymyr Pokatilov said.
Regarding global trends, the NCCC experts highlighted the following:
▪️intensification of competition between the US and China in cyberspace;
▪️intensification of Chinese espionage activities against the EU;
▪️active creation of cyber forces by various states;
▪️Pall Mall process — combating the threat of commercial cyber proliferation: it concerns the uncontrolled distribution of tools created by various companies that can be used for illegal purposes for offensive cyber operations;
▪️increasing attention to the cybersecurity of space objects;
▪️safety of submarine cables and competition for them;
▪️special attention of states to the role of quantum technologies;
▪️the impact of AI on cybersecurity.
"Elections and election interference are generally the Russians' chip. They are now going to actually put election interference and attempts to achieve the results they need on the stream. We can say that this will be interference in products as a service. There is a country, there is a set of tools - AI generates influence operations, cyberattacks destroy infrastructure, there is a populist and on the wave of protests he will earn political points and come to power. This is a rather serious threat. The most difficult, but one of the very effective tools for combating the Russian Federation may be to restrict its access to technology, because all this is done using Western technologies," said Serhiy Prokopenko.
In his opinion, Ukraine is still winning this cyberwar with Russia. "Reports from the FSB and other Russian entities indirectly confirm that Ukraine is quite effectively taking out Russian infrastructure in its attacks. We can say that Russia has not achieved almost any of the goals it set for itself in the cyberwar. Ukraine is holding on, cybersecurity is working, information systems are working. Here we must thank not only state bodies, but also cooperation with the private sector, cyber volunteers. And of course, our Western partners who provide assistance," concluded the head of the NCCC's support department.
The National Cybersecurity Coordination Center, together with the Ukrainian cybersecurity company Maverits, has also prepared an interesting report on the activities of the APT28 hacker group, which is associated with Russian military intelligence (GRU). The report is available at the link.
Cyber startups in Ukraine
Before a panel discussion on cyber startups at the Cyber Resilience Forum, Google Ukraine Director Tetyana Lukyniuk spoke about the growing gap between large companies and medium and small businesses in countering cyber threats.
"On the one hand, large companies are coping quite well with cyberattacks, on the other hand, the number of cyberattacks increased by 44% in 2024 alone compared to the previous year. More than half of medium and small businesses in Europe have faced cyberattacks over the past two years. According to the World Economic Forum, while large organizations demonstrate good resilience to cyberattacks, small and medium-sized businesses suffer losses and face challenges that are new and not entirely clear to them," said Tetyana Lukyniuk, Director of Google Ukraine.
She said that over the past two years, Google has launched a series of free cybersecurity training programs for businesses, focusing on small and medium-sized businesses and with an emphasis on artificial intelligence. These programs provide practical skills for protecting businesses from cyberthreats, knowledge about cyber hygiene, countering cyberattacks, risk analysis, and building a cybersecurity system from scratch.
The event was also attended by representatives of Ukrainian cyberstartups or startups with Ukrainian roots that are already implementing their IT solutions in Ukraine.
The founder and CEO of Hideez, Oleg Naumenko, spoke about the solution for passwordless identification based on the global standard FIDO (Fast Identity Online). Thanks to cooperation with the National Center for Cybersecurity and the State Service for Special Communications, the Hideez startup received an expert opinion and already has many implementations in Ukraine. "The issue of identification is probably the first issue that modern companies need to solve. The FIDO standard allows this to be done without compromising on convenience and security. The number of cyberattacks related to password selection and phishing attacks has changed on the market. These are the most vulnerable attacks that can cause the greatest losses for companies. We have developed new standards - Passkeys (fingerprint scanning, face recognition or PIN code) for passwordless login and MFA. This is very convenient and at the same time safe. We have experience implementing this standard in Ukraine during the war, as well as experience using authentication in the military," explained Oleg Naumenko.
Olena Stepura, co-owner of the startup Artellence, whose algorithms identify people by photo and check suspicious people, talked about how her project analyzes big data from open sources.
"We now have one of the largest photo databases in the world from our region — Ukraine, Russia, Belarus, and we are top 1 or top 2 in the world in facial recognition in our region. We deeply study people's behavior on social networks and, based on this, draw various conclusions that are used by both the security forces of our state and other enterprises. As for the product, here we must do two things: quickly adapt to changes, using cutting-edge technologies, and help our state with automation," noted Olena Stepura.
LetsData Threat Intelligence Director Roman Osadchuk said that the company's service is an AI monitor for information operations. "We monitor the information space and inform our clients that such operations exist. In order to prepare and respond correctly in the same information space. Information operations are not a new thing. The main challenge is that there have been many more of these campaigns," Roman Osadchuk noted.
The head of the Ukrainian office of Osavul (an international startup with Ukrainian roots), Stanislav Lurie, noted that the project is already quite successful even by the standards of Ukrainian defense tech: last year it attracted about $3 million in investments. "We are engaged in the search, monitoring, analysis and assessment of all kinds of information threats in the modern oversaturated information environment. In particular, such as FIMI (foreign information manipulation and interference) - this is foreign manipulation of information and interference in the democratic processes of other countries. We are one of the main partners of Ukraine in the fight against unprovoked aggression of the Russian Federation, with hybrid threats," Stanislav Lurie said.
According to him, high-quality text generated by artificial intelligence is difficult to distinguish from text generated by humans; it often contains not only hallucinations of artificial intelligence in the content, but can also be oriented towards authenticated messages. "AI capabilities have significantly developed in generating media content, video images due to the addition of new channels of perception, taking advantage of the fact that they appeal to our emotional component much better. They provide much more opportunities for manipulating both mass information and for spreading point threats such as scams. Our platform is one of the examples of the use of AI reverse engineering of this type of threat, we use AI in a controlled manner to analyze and evaluate large data sets in order to detect signs of automation in the behavior of information distributors," concluded Stanislav Lurie, head of the Ukrainian office of Osavul.
It is worth noting that the largest commercial consumers of services in Ukrainian cybersecurity, according to the study, are finance, telecom and energy. The market is dominated by international companies that provide advanced solutions. These players offer comprehensive tools for business and government organizations, so developers and startups have to look for a competitive advantage over global companies.