Since the start of the full-scale invasion, the digital front has been one of the most persistent battlefields. By mid‑2024 Ukrainian authorities and independent monitors were already documenting a high volume of hostile activity aimed at government services, critical infrastructure and defence suppliers. Ukraine’s Security Service reported that it had neutralized more than 4,000 cyberattacks on public authorities and critical infrastructure, while the government CERT (CERT‑UA) processed 2,543 incidents in 2023, a marked year‑on‑year rise in volume even as the number of classified high‑severity incidents reportedly fell.

Volume alone does not capture the strategic logic behind the surge. Adversary activity shows clear targeting and intent: campaigns aimed at degrading energy availability, disrupting logistics and extracting credentials that enable follow‑on access to military and industrial systems. CERT‑UA publicly disclosed attempts by groups associated with Russia to plan disruptive hits on multiple critical infrastructure providers, and Ukrainian operators suffered high‑impact events such as the December 2023 Kyivstar outage that temporarily degraded national connectivity. Those incidents are a reminder that kinetic strikes on power and communications are often mirrored or amplified by cyber operations meant to complicate recovery.

Technical tradecraft has matured and diversified. Phishing campaigns and credential theft remain staples, but adversaries increasingly combine social engineering with tailored malware, commodity tooling and legitimate remote management channels to move laterally. Intelligence and European CERT reporting from mid‑2024 highlighted targeted clusters abusing messaging apps, weaponized document lures, and remote access tools to compromise defence contractors and energy firms. These clusters are not one‑off burglaries. They are reconnaissance and foothold campaigns designed to enable data exfiltration, disruption of operational technology, or staging for destructive payloads when conditions are advantageous.

The cyber‑kinetic convergence is the primary risk vector for energy and defence operators. Modern energy grids and many defence support systems rely on commercial IT stacks stitched to operational technology. That coupling multiplies risk: an email to an engineer can become a path to a substation control network; a stolen VPN credential can let an adversary harvest schematics or manipulate industrial controllers. CERT‑UA’s disclosures about campaigns aimed at dozens of infrastructure providers underline that attackers are mapping both corporate networks and the OT systems that keep lights and factories running.

Why does the spike in volume matter even if high‑severity incidents decline? A flood of low‑to‑medium severity probes and targeted phishing attempts forces defenders to spend time and resources triaging noise. That operational friction reduces the time available for hunting, patching and improving resilience. Automated and commodified attack tooling means the adversary can test hundreds or thousands of vectors cheaply; the defender must be able to handle that scale or accept the risk that the one missed alert is the one that enables a disruptive intrusion. Analysis of wartime campaigns shows this pattern: early surges in destructive activity followed by sustained probing and opportunistic operations over time.

Immediate priorities for defenders in energy and defence domains

  • Treat OT as first‑class security territory. Inventory controllers, RTUs and gateways; apply network segmentation and strictly whitelisted communications; isolate maintenance interfaces from internet‑facing networks. Physical access controls and hardware asset inventories are as important as software patching.

  • Harden identity and remote access. Enforce MFA, phish‑resistant authentication for remote logins, strict device posture checks for VPN access and short‑lived credentials for privileged sessions.

  • Bake resilience into architecture. Air‑gapped backups for ICS configurations, tested manual control failover procedures, and redundant communications channels reduce the payoff of timed cyberattacks synchronized with missile or drone strikes.

  • Scale detection and triage. Automation for initial triage, behavior‑based detection tuned for OT and supply‑chain patterns, and committed incident responders who can rapidly escalate suspected ICS anomalies will blunt the operational impact of high‑volume probing.

  • Prioritize supply chain and third‑party risk. Defence and energy ecosystems are multi‑vendor. Require secure development lifecycle attestations, minimize privileged API integrations, and contractually enforce incident reporting and defensive baselines.

  • Share strategic intelligence. Public sector CERTs and allies must push timely indicators and playbooks to industry partners; private sector intelligence must be operationalized at the control room level. Collective visibility shortens the window between detection and remediation.
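The segmentation and triage priorities above can be turned into a concrete control. The following is an added illustration, not code from the article or from CERT‑UA: an allowlist monitor that flags any flow into an OT segment that is not on an explicit permitted list, and orders the findings so that direct corporate‑IT‑to‑controller paths surface before noisier intra‑OT anomalies. All subnets, hosts and flow records are constructed for the example.

```python
import ipaddress
from collections import Counter

# Constructed addressing: corporate IT and the OT segment (not from the article).
IT_NET = ipaddress.ip_network("10.10.0.0/16")
OT_NET = ipaddress.ip_network("10.20.0.0/16")

# Allowlist of (src, dst, dst_port) tuples permitted to reach OT hosts; anything
# else into OT_NET is a finding. Hypothetical hosts: 10.20.1.5 is an engineering
# workstation, 10.20.2.10/.11 are controllers on Modbus/TCP (502) or DNP3 (20000).
ALLOWED = {
    ("10.20.1.5", "10.20.2.10", 502),
    ("10.20.1.5", "10.20.2.11", 502),
    ("10.20.1.5", "10.20.2.10", 20000),
}

SEVERITY_RANK = {"high": 0, "medium": 1}

def classify(flow):
    """Return a severity for a flow into the OT segment, or None if it is expected."""
    src = ipaddress.ip_address(flow["src"])
    dst = ipaddress.ip_address(flow["dst"])
    if dst not in OT_NET:
        return None                      # only OT-bound traffic is policed here
    if (flow["src"], flow["dst"], flow["dport"]) in ALLOWED:
        return None                      # explicitly permitted path
    if src in OT_NET:
        return "medium"                  # unexpected peer inside the OT segment
    return "high"                        # corporate IT or external host reaching OT directly

def triage(flows):
    """Collapse repeated findings and order them so the riskiest IT->OT paths come first."""
    counts = Counter()
    for flow in flows:
        sev = classify(flow)
        if sev:
            counts[(flow["src"], flow["dst"], flow["dport"], sev)] += 1
    rows = [{"src": s, "dst": d, "dport": p, "severity": sev, "count": n}
            for (s, d, p, sev), n in counts.items()]
    return sorted(rows, key=lambda r: (SEVERITY_RANK[r["severity"]], -r["count"]))

# Constructed sample flow records standing in for NetFlow or firewall logs.
SAMPLE_FLOWS = [
    {"src": "10.20.1.5",   "dst": "10.20.2.10", "dport": 502},   # engineering -> PLC, allowed
    {"src": "10.10.5.23",  "dst": "10.20.2.10", "dport": 502},   # corporate IT -> PLC
    {"src": "10.10.5.23",  "dst": "10.20.2.10", "dport": 502},   # same path again
    {"src": "10.20.1.7",   "dst": "10.20.2.11", "dport": 502},   # unlisted OT host -> PLC
    {"src": "10.10.5.23",  "dst": "10.10.7.1",  "dport": 443},   # IT-internal, out of scope
    {"src": "203.0.113.9", "dst": "10.20.1.5",  "dport": 3389},  # external -> engineering host
]

if __name__ == "__main__":
    for row in triage(SAMPLE_FLOWS):
        print(row)
```

Fed real flow exports, the same structure gives a control‑room view where a workstation in the corporate network talking Modbus to a PLC is always the first line, regardless of how much other probing arrived in the same window.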

Policy and strategic implications

Operational lessons need policy muscle. International coordination on norms and sanctions helps but does not remove the immediate need for technical hardening. Ukraine’s experience demonstrates that a state under sustained kinetic attack also needs scalable cyber defense: national cyber reserves, standardized incident classification, and resources to maintain 24/7 response for critical sectors. Investment in hardened, field‑tested OT protections and in the people who operate them will pay dividends in both wartime and peacetime.

Looking ahead, the adversary will continue to blend volume with surgical campaigns targeted at brittle links between IT and OT. For defenders the imperative is clear: shore up the edges where digital access intersects physical effect, invest in detection that operates at network speed, and operationalize resilience so that when adversaries try to magnify kinetic harm with cyber action, recovery does not become the secondary casualty. The volume metric matters. It is the canary that tells us the opponent has adopted a campaign logic built on scale and persistence. Our response must be equally systemic and sustained.