Cyber Operations

Aggressors may conduct multi-stage attacks in the digital environment for espionage, data theft, destruction of critical infrastructure, and paralysis of state institutions. These operations span a wide range of tactics: from reconnaissance, gaining initial access (for example, through phishing, account compromise, or supply chain attacks), and establishing persistence in the system, to defense evasion, credential theft, and information exfiltration. The final stage is often a destructive effect (Impact), such as data destruction, disk wiping, or Denial of Service attacks. These techniques are covered in more detail in the specialized MITRE ATT&CK framework.

ID: T0136
Sub-techniques:  No sub-techniques
People: Ukrainians
Version: 1.0
Created: 21 April 2026
Last Modified: 21 April 2026

Procedure Examples

ID Name Description
C0101 Continuation of the Russo-Ukrainian War: Armed Aggression in the Donbas (2014–2015)

Use of the Fancy Bear hacker group, controlled by the security services, to compromise the software of Ukrainian artillery crews (through infection of Yaroslav Sherstiuk's application) in order to obtain geolocation data and destroy the artillery of the Armed Forces of Ukraine[1]. Targeted cyberattacks by Russian security services on distribution substations of the Ukrainian power grid in the winters of 2015 and 2016, aimed at causing mass power outages for the civilian population[2][3].

C0103 Full-Scale Invasion (from February 24, 2022)

Large-scale operations by the security services of the Russian Federation involving cyberespionage, data interception (including through the hacking of public Wi-Fi networks), and the covert deployment of destructive software against Ukrainian organizations and citizens[4][5].
Massed cyberattacks on Ukraine's information and communication infrastructure using data-wiping malware directly during the invasion[6].

G0011 Russian Federation

Use of the Fancy Bear hacker group, controlled by the security services, to compromise the software of Ukrainian artillery crews (through infection of Yaroslav Sherstiuk's application) in order to obtain geolocation data and destroy the artillery of the Armed Forces of Ukraine[1]. Targeted cyberattacks by Russian security services on distribution substations of the Ukrainian power grid in the winters of 2015 and 2016, aimed at causing mass power outages for the civilian population[2][3].

G0011 Russian Federation

Large-scale operations by the security services of the Russian Federation involving cyberespionage, data interception (including through the hacking of public Wi-Fi networks), and the covert deployment of destructive software against Ukrainian organizations and citizens[4][5].
Massed cyberattacks on Ukraine's information and communication infrastructure using data-wiping malware directly during the invasion[6].

S0017 Secret Police and Security Services

Use of the Fancy Bear hacker group, controlled by the security services, to compromise the software of Ukrainian artillery crews (through infection of Yaroslav Sherstiuk's application) in order to obtain geolocation data and destroy the artillery of the Armed Forces of Ukraine[1]. Targeted cyberattacks by Russian security services on distribution substations of the Ukrainian power grid in the winters of 2015 and 2016, aimed at causing mass power outages for the civilian population[2][3].

S0017 Secret Police and Security Services

Large-scale operations by the security services of the Russian Federation involving cyberespionage, data interception (including through the hacking of public Wi-Fi networks), and the covert deployment of destructive software against Ukrainian organizations and citizens[4][5].
Massed cyberattacks on Ukraine's information and communication infrastructure using data-wiping malware directly during the invasion[6].

References