Anatomy of a Breach: Russia-Ukraine — Cyber Warfare as a Component of Kinetic War

> series: anatomy_of_a_breach —— part: 158 —— event: russia_invades_ukraine —— cyber: viasat_wipers_ddos —— context: first_large-scale_cyber_war

Hedgehog Security, 28 February 2022

Missiles and malware. Simultaneously. Cyber warfare became real warfare.

On 24 February 2022, Russia launched a full-scale military invasion of Ukraine. Hours before the first missiles struck, a cyber attack targeted Viasat's KA-SAT satellite network — deploying 'AcidRain' wiper malware to satellite modems across Europe. The attack disrupted Ukrainian military and government communications at the moment they were most needed, and caused collateral damage to thousands of Enercon wind turbines in Germany that relied on the same satellite network for remote monitoring.

The satellite attack was one component of a broader cyber offensive that had begun weeks before the physical invasion. Multiple wiper malware variants — HermeticWiper, IsaacWiper, CaddyWiper, WhisperGate — were deployed against Ukrainian government agencies, banks, and infrastructure. DDoS attacks hit Ukrainian government websites. And disinformation campaigns targeted both Ukrainian and international audiences. The conflict represented the most extensive integration of cyber operations into conventional warfare ever documented — confirming the theoretical scenarios that had been debated since Stuxnet (2010) and the Ukraine power grid attack (2015).


From theory to doctrine. Cyber is now a permanent component of military conflict.

Viasat: Collateral Damage Across Borders

The Viasat attack targeted Ukrainian communications but disrupted satellite services across Europe — including German wind turbines. Like <a href="/blog/anatomy-of-a-breach-notpetya">NotPetya</a> (2017), cyber weapons targeting one country cause collateral damage internationally. For UK organisations dependent on satellite communications, the Viasat attack demonstrated real-world impact. Our <a href="/penetration-testing/infrastructure">infrastructure testing</a> assesses communications resilience.

Wipers: Destruction, Not Ransom

The wiper malware variants deployed against Ukraine were designed for permanent destruction — not ransomware for profit. This continued the trend from <a href="/blog/anatomy-of-a-breach-saudi-aramco-shamoon">Shamoon</a> (2012), <a href="/blog/anatomy-of-a-breach-notpetya">NotPetya</a> (2017), and <a href="/blog/anatomy-of-a-breach-olympic-destroyer">Olympic Destroyer</a> (2018). Defence requires immutable backups and tested recovery procedures. <a href="/penetration-testing/infrastructure">Infrastructure testing</a> validates backup integrity.

Global Spillover Risk

The <a href="https://www.ncsc.gov.uk/news/ncsc-supports-government-response-to-russia-invasion-of-ukraine">NCSC issued guidance</a> to UK organisations to strengthen their cyber defences in response to the conflict, warning of potential spillover effects from Russian cyber operations. <a href="/cyber-essentials">Cyber Essentials</a> provides the baseline controls. <a href="https://www.socinabox.co.uk">SOC in a Box</a> monitors for indicators of nation-state activity. <a href="https://www.cyber-defence.io/services/threat-intelligence">UK Cyber Defence</a> provides threat intelligence on conflict-related cyber threats.

Ukraine's Cyber Resilience

Remarkably, Ukraine's critical infrastructure proved more resilient than many expected — partly due to years of experience defending against Russian cyber attacks since 2014, cloud migration (which moved data outside Ukraine), and international support. Resilience — not just prevention — proved to be the decisive factor.

The NCSC warned UK organisations to strengthen defences. Have you?

The Russia-Ukraine conflict created heightened cyber risk for UK organisations — particularly those in critical infrastructure, defence supply chains, financial services, and energy. The NCSC's guidance to strengthen defences was not theoretical — it reflected assessed threat intelligence about potential Russian cyber operations targeting Western countries. Cyber Essentials addresses the baseline controls the NCSC recommends. Our penetration testing validates these controls. SOC in a Box provides 24/7 monitoring at heightened alert levels. And UK Cyber Defence's threat intelligence provides awareness of conflict-related threats targeting UK organisations.


Russia-Ukraine made cyber warfare real. The NCSC warned UK organisations. Have you strengthened your defences?

<a href="/cyber-essentials">Cyber Essentials</a> provides the baseline the NCSC recommends. <a href="/penetration-testing">Penetration testing</a> validates controls. <a href="https://www.socinabox.co.uk">SOC in a Box</a> monitors at heightened alert.
