Recorded Future’s threat research team is tracking the cyber threats and influence operations that are targeting Ukraine

Last Updated March 6 at 7:43 p.m. ET

“We believe we’re observing the future of war… [the] convergence of kinetic, cyber, and information operations.” Those words were among the opening remarks made by Recorded Future Co-Founder and CEO Dr. Christopher Ahlberg during a Feb. 28 live web briefing about Russia’s invasion of Ukraine. One of the world’s largest providers and analyzers of open-source intelligence (OSINT), Recorded Future held the threat briefing to share some of its initial research on the conflict.

Craig Terron and Brian Liston, who both work for Recorded Future’s threat research arm Insikt Group, briefed viewers on the cybersecurity threats, influence operations, and geopolitical activity that Ukraine is facing. In the cyber arena, Russia launched coordinated and destructive malware attacks before its Feb. 24 invasion, with some malware victims believed to have been compromised as early as last November. Russia’s tactics have also included DDoS attacks, website defacements, and fraudulent messaging.

It’s likely that Russian state-sponsored and state-nexus threat actors will ramp up cyber activities to try to undermine and discredit Ukraine’s government and military. As a result, Ukraine should expect to see more disruptive cyberattacks on its institutions and infrastructure. UNC1151 and Sandworm are among at least a half-dozen hacking groups that are taking Russia’s side. According to Recorded Future, these two groups should be closely monitored because of their capabilities and recent activity. Conversely, the group Anonymous has pledged its support of Ukraine and tweeted that it is “officially in cyber war against the Russian government.”

Beyond cyber, Russia is aggressively trying to influence public opinion and spread disinformation. This includes further tightening the control of information in Russia about what's happening in Ukraine and cracking down on dissent. Liston identified these as some of the key narratives being pushed:

  • Ukraine is the aggressor and a puppet-state
  • Russia is a defensive and humanitarian protector
  • NATO is not a defensive alliance but an offensive one

Some secondary narratives are also being peddled, including: Ukraine’s leadership and military are collectively neo-Nazis, NATO has infighting and a lack of consensus, and Western media and defense industries are provoking war.

So where does the conflict go from here? Terron and Liston believe it’s likely that Russia will prioritize gaining control of the capital of Kyiv to bring a quicker and more favorable end to its invasion. This means it’s likely that the Russian military will continue escalating its assault, leading to increased collateral damage. On Friday, Russian forces seized control of the Zaporizhzhia nuclear power plant, the biggest in Europe. Further escalation could include Belarusian forces coming to Russia’s side.

The United States, the European Union, and other allied countries are providing military aid to Ukraine but stopping short of sending troops. It’s possible their involvement will change: Ukraine has asked for immediate EU membership and pleaded with NATO to establish a no-fly zone. If the West intervenes, Terron and Liston believe there are even odds that Russian-backed and sympathetic cybercriminal groups will increasingly target Western nations for supporting Ukraine and imposing harsh sanctions on Russia.


Recorded Future, a strategic partner of Merlin Cyber, produces accurate and actionable intelligence at scale and delivers it in real-time. For more intelligence-driven insights about Russia’s invasion, please visit their new Ukraine Resource Center.
