KYIV, Ukraine — Russian cyberattacks targeting Ukraine’s energy infrastructure are increasingly focused on collecting intelligence to guide missile strikes rather than immediately disrupting operations, Ukrainian cybersecurity officials said.

Although the number of major cyber incidents targeting critical infrastructure has declined, the threat itself has not diminished, according to Oleksandr Potii, head of Ukraine’s State Service of Special Communications and Information Protection.

“Cyberattacks on critical infrastructure never happen on their own; they are always part of a broader operation,” Potii told Recorded Future News on the sidelines of the Kyiv International Cyber Resilience Forum last week.

He said attackers now appear more focused on mapping facilities, tracking repair crews, and assessing how quickly energy systems can recover after strikes rather than causing immediate power outages.

Natalia Tkachuk, head of cyber and information security at Ukraine’s National Security and Defense Council, said cyber operations against energy facilities increasingly reflect Russia’s long-term strategy in the war.

“Russia has realized it’s playing a long game — this will not be a blitzkrieg — so most operations now focus on intelligence gathering,” she told Recorded Future News.

Russia often maintains quiet access inside networks to monitor the extent of physical damage and track recovery efforts.

“We try to conceal this information,” Tkachuk said, adding that attackers seek to understand what equipment has been destroyed, how quickly repairs are progressing, and where replacement components are sourced.

Cyber intrusions, she said, can occur both before and after missile attacks, first to help calibrate strikes and later to assess their effectiveness.

“Russia sees that missiles are a much easier way to destroy infrastructure,” Tkachuk said, adding that Moscow is now openly violating international law by targeting such sites.

Since the start of Russia’s full-scale invasion in 2022, Ukraine’s energy infrastructure has been repeatedly targeted with drone and missile strikes. Power plants, substations, transmission lines and district heating facilities have all been hit, causing prolonged outages during the freezing winter months.

Ukrainian officials have previously warned that the Kremlin-linked hacking group Sandworm used cyber operations against energy systems to amplify the impact of missile barrages. 

Security researchers, including analysts at Google, have also observed Sandworm’s shift away from destructive cyberattacks toward intelligence-gathering operations, a trend that is now playing out on the ground.