Threat Report: Ukraine as Russia’s Downrange Cyber-Warfare Target and Europe’s Emerging Exposure
Published 2026-6-23 19:25:56. Author: krypt3ia.wordpress.com

TLP:CLEAR

Analytic confidence: High for the strategic pattern, high for Russia-state linkage, medium for some specific cluster-level attribution, especially the Poland 2025 energy incident.

Executive Judgment

Russia has used Ukraine for more than a decade as the downrange target of an evolving cyber-warfare program. The campaign began as destabilization and coercion against Ukrainian state functions, matured into repeatable cyber-physical disruption against energy and telecom infrastructure, and now functions as a live operational model for pressure against Europe. Europe is preparing for a kind of cyber conflict that Ukraine has already been forced to survive, and Ukraine should now be treated as a doctrine producer for EU and NATO cyber defense, not merely as a recipient of assistance. The Gaze articles frame Ukraine as Europe’s only full wartime cyber-defense laboratory and argue that threats once concentrated on Ukraine are now spreading into Europe. (thegaze.media)

The refinement is attribution discipline. The December 2025 Poland energy-sector attack should be treated as a Russian state-linked destructive critical-infrastructure operation with high confidence. Sandworm involvement is plausible and supported by ESET at medium confidence, but CERT Polska’s public reporting confirms the destructive OT-adjacent effects without itself resolving the same unit-level attribution. (cert.pl)

Key Judgments

1. Ukraine is no longer just a victim environment. It is the primary European source of wartime cyber-resilience doctrine. ENISA’s 2023 working arrangement with Ukraine’s NCCC and SSSCIP explicitly covers capacity building, exercises, NIS2 implementation, telecoms, energy, and threat-landscape sharing. The EU’s June 2026 inclusion of Ukraine in the EU Cybersecurity Reserve further confirms that Ukraine is being integrated into Europe’s operational cyber-defense architecture. (ENISA)

2. Russian cyber operations against Ukraine are not isolated intrusion campaigns. They are a long-running state-function targeting program. Russia has repeatedly targeted electricity, telecoms, registries, government services, military support functions, logistics, public confidence, and recovery capacity. DOJ’s 2020 GRU Unit 74455 indictment describes destructive malware operations against Ukraine’s power grid, Ministry of Finance, and State Treasury Service, including BlackEnergy, Industroyer, and KillDisk, as part of a wider destabilization campaign. (Department of Justice)

3. The operational model has evolved from destructive spectacle to repeatable wartime pressure. Mandiant’s 2022 Ukrainian OT case shows Sandworm using OT living-off-the-land techniques to likely trip substation breakers, followed by CaddyWiper in the IT environment. That is cyber-physical targeting integrated with broader Russian missile strikes against critical infrastructure. (Google Cloud)

4. Russia’s cyber campaign now extends beyond Ukraine into the European support ecosystem. Poland’s December 2025 incident targeted more than 30 wind and photovoltaic farms, a manufacturing company, and a CHP plant supplying heat to nearly half a million people. CERT Polska reported damage to RTUs, loss of remote control, destructive malware, firmware damage, and interference with industrial devices. (cert.pl)

5. Russia-aligned operators are exploiting ordinary enterprise neglect as wartime access infrastructure. The June 2026 WinRAR reporting shows SHADOW-EARTH-066/UAC-0226 and Earth Dahu/Gamaredon continuing to exploit CVE-2025-8088 against Ukrainian organizations nearly a year after patch release, using the flaw for credential theft, cookie theft, file theft, and espionage staging. (www.trendmicro.com)

Strategic Framing

The most useful framing is not “Russia conducts cyberattacks against Ukraine.” That is too narrow. The better formulation is:

Russia has treated Ukraine as the downrange battlespace for cyber-enabled coercion, sabotage, intelligence collection, and resilience exhaustion.

“Downrange” matters analytically. It means Ukraine has been the live-fire target environment where Russian operators test access vectors, wiper families, OT effects, public-service disruption, telecom destruction, registry paralysis, influence synchronization, and recovery interference under conditions of real war. Europe is now seeing parts of that model move westward, especially through energy-sector targeting, logistics targeting, support-to-Ukraine networks, and exploitation of widely deployed software.

Europe has been slow to draw the conclusion: EU cyber policy still often treats Ukraine as the defended partner, yet Ukraine has experience that EU member states lack. ENISA’s own language acknowledges that cyberattacks in Russia’s war have been met by Ukrainian resilience and increased EU alertness and preparations. (ENISA)

Campaign History

| Period | Operational Pattern | Representative Activity | Analytic Meaning |
|---|---|---|---|
| 2014–2016 | Destabilization, grid intrusion, destructive malware | BlackEnergy, KillDisk, Industroyer, power-grid disruption | Russia proved cyber effects could degrade state confidence and physical infrastructure. |
| 2017 | Globalized destructive spillover | NotPetya | Ukraine-targeted operations could create global collateral damage and strategic economic effects. |
| 2022 | Invasion-era wipers, WhisperGate, OT disruption | WhisperGate, CaddyWiper, Sandworm OT activity | Cyber became synchronized with kinetic war and state-continuity pressure. |
| 2023 | Telecom destruction and persistence | Kyivstar compromise and destruction | Russia targeted national communications continuity and public warning dependencies. |
| 2024 | Civil registry and public-service disruption | Ukrainian state registry attack | Russia attacked state administrative memory and citizen-service continuity. |
| 2025 | Export of destructive model into EU energy | Poland energy-sector DynoWiper incident | The Ukraine model began to manifest in NATO/EU critical infrastructure. |
| 2026 | Persistent n-day exploitation and credential theft | WinRAR CVE-2025-8088 campaigns | Russian-aligned operators continue using neglected software to harvest credentials and documents from Ukrainian targets. |

Reuters reported that Russian hackers were inside Kyivstar from at least May 2023 before the December 2023 destructive attack, and later reporting noted Kyivstar allocated $90 million to deal with the aftermath. Reuters also reported Russia’s December 2024 mass cyberattack on Ukrainian state registries, temporarily suspending services tied to vital citizen records. (Reuters)

Threat Actor Ecology

The Russian campaign against Ukraine and Europe is not one actor. It is an ecosystem.

Sandworm / GRU Unit 74455 remains the central destructive cyber-physical actor in this reporting set. DOJ tied Unit 74455 officers to BlackEnergy, Industroyer, KillDisk, NotPetya, and Olympic Destroyer. ESET describes Sandworm as a destructive actor targeting government, logistics, transport, energy, media, grain, and telecom sectors, and notes a long sequence of wiper families used since 2022. (Department of Justice)

GRU Unit 29155 represents a parallel Russian military cyber-sabotage capability. NSA, FBI, CISA, and allies assessed that Unit 29155 has conducted malicious cyber activity for espionage, sabotage, and reputational harm since at least 2020, deployed WhisperGate against Ukrainian victim organizations as early as January 2022, and focused since early 2022 on disrupting aid to Ukraine. (NSA)

Earth Dahu / Gamaredon / UAC-0010 remains a persistent Ukrainian-focused espionage and access actor. In the WinRAR case, Trend Micro attributes one CVE-2025-8088 exploitation chain to Earth Dahu/Gamaredon, using HTA/VBS/VBE Startup-folder execution, Dynamic DNS, Cloudflare Workers patterns, and espionage tooling against Ukrainian organizations. (www.trendmicro.com)

SHADOW-EARTH-066 / UAC-0226 appears as a separate Russia-aligned campaign exploiting the same WinRAR flaw, using GIFTEDCROOK-family credential and document theft. Trend Micro reports this actor moved from basic Excel macros and Telegram exfiltration to WinRAR exploit chains, in-memory DLL loading, and encrypted C2 in under a year. (www.trendmicro.com)

TTP Analysis

Russia’s Ukraine-facing cyber operations show a consistent operational rhythm.

First, operators seek access through whatever vector remains cheapest and most reliable: spearphishing, compromised mailboxes, VPN exposure, edge devices, weak credentials, unpatched utilities, unmanaged software, and trusted administrative paths. The WinRAR CVE-2025-8088 exploitation shows this clearly. The flaw was patched in July 2025 but remained exploitable because WinRAR is often updated manually and sits outside centralized enterprise patch channels. (www.trendmicro.com)

Second, Russian actors convert initial access into either intelligence collection or destructive potential. The WinRAR campaigns leaned toward credential and document theft. The 2022 Sandworm OT incident and the 2025 Poland incident leaned toward disruption and sabotage. The same ecosystem can move between espionage, prepositioning, wiper deployment, and cyber-physical effects depending on operational requirement.

Third, Russian destructive operations increasingly attack recovery, not only production. Wipers, firmware damage, deletion of system files, destruction of RTU function, compromise of telecom infrastructure, and registry disruption all degrade the defender’s ability to restore service quickly. CERT Polska’s report is especially important because it describes attacks affecting both IT systems and physical industrial devices, a rarely publicized category of effect. (cert.pl)

Fourth, Russia’s campaign uses Ukraine as the primary target but Europe as the secondary pressure surface. Poland’s role in stabilizing Ukraine’s electricity supply is relevant; ESET assessed that the December 2025 Polish energy incident may have been intended to strain Ukraine’s power grid during winter. (WeLiveSecurity)

Poland 2025: The Warning Shot

CERT Polska reported coordinated destructive attacks on 29 December 2025 against renewable energy grid-connection points, a manufacturing firm, and a CHP plant. The adversary targeted RTUs, HMIs, protection relays, serial port servers, modems, routers, switches, and related industrial automation devices. After gaining internal access, the attacker conducted reconnaissance and prepared destructive actions including firmware damage, system-file deletion, and custom wiper execution. (cert.pl)

ESET named the malware DynoWiper and attributed the activity to Sandworm with medium confidence, citing overlap with previous Sandworm wiper activity. ESET also notes that in 2025 it investigated more than ten destructive malware incidents attributed to Sandworm, almost all in Ukraine. (WeLiveSecurity)

The analytic caveat remains important. AP reporting on Polish official and expert views noted Russian linkage, but also discussed possible Dragonfly/Static Tundra/FSB Center 16 infrastructure overlap alongside Sandworm malware-pattern attribution. The proper report language is therefore: Russian state-linked destructive attack against Polish energy infrastructure, with Sandworm assessed by ESET at medium confidence and other Russian-service overlaps remaining relevant. (AP News)

Why Ukraine Should Teach Europe

Ukraine’s defensive value is not theoretical. It has defended under simultaneous cyber, kinetic, political, and information pressure. That experience maps directly to Europe’s present gaps. Europe has regulatory and institutional frameworks: NIS2, ENISA, EU-CyCLONe, the Cyber Blueprint, the Cybersecurity Reserve, NATO CCDCOE exercises, and national CSIRTs. Ukraine has the applied experience of keeping a state functional while power, telecoms, registries, government services, military networks, civil messaging, and public trust are under sustained attack.

The EU’s June 2026 inclusion of Ukraine in the Cybersecurity Reserve is strategically positive, but it still frames support as EU-to-Ukraine emergency capacity. The required inversion is Ukraine-to-EU doctrine transfer: Ukrainian responders should shape exercise scenarios, OT incident playbooks, telecom continuity plans, backup-restoration standards, public-communications templates, and joint cyber-kinetic crisis assumptions. (Digital Strategy EU)

Defensive Implications

For EU and NATO critical infrastructure, the Ukraine lesson is blunt: Russian operators do not need exotic zero-days if the defender leaves exposed VPNs, unmanaged third-party software, default OT credentials, weak MFA, flat IT/OT trust paths, fragile backups, and untested manual operations.

Priority defensive actions:

  1. Treat unmanaged utilities as national-security exposure. Inventory and centrally patch WinRAR, 7-Zip, PDF tools, remote-access tools, file-transfer clients, and engineering utilities. CVE-2025-8088 demonstrates that desktop software can become wartime access infrastructure.
  2. Reduce edge-device compromise paths. Enforce MFA on VPN, webmail, and privileged remote access. Remove exposed management interfaces. Log and inspect remote access into energy, telecom, and government environments.
  3. Segment IT and OT with recovery in mind. The goal is not only prevention. It is limiting the blast radius of destructive actions and preserving operator visibility when HMIs, RTUs, domain controllers, and engineering workstations are attacked.
  4. Exercise wiper recovery under degraded communications. Ukraine’s experience shows that incident response cannot assume clean networks, functioning telecoms, intact registries, or stable public messaging channels.
  5. Integrate cyber defense with civil defense. Telecom continuity, public alerting, energy restoration, registry recovery, and emergency communications must be part of cyber exercise design.
  6. Embed Ukrainian practitioners in EU/NATO exercises. Ukraine should not only brief lessons learned. Ukrainian responders should write injects, red-team assumptions, recovery constraints, and after-action criteria.
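As an added example for priority action 1 (not code from the original report), a small Python audit that reads a constructed software-inventory export and flags WinRAR installs that are either below the version assumed to carry the CVE-2025-8088 fix or outside a central patch channel. The 7.13 threshold and the inventory columns (host, product, version, managed) are assumptions, not values taken from the report; check the vendor advisory before relying on the threshold.

```python
import csv
import io
import re

# First WinRAR version assumed to carry the CVE-2025-8088 fix (assumption:
# confirm against the vendor advisory and adjust if your baseline differs).
MIN_FIXED = {"winrar": (7, 13)}

# Constructed sample inventory (not real telemetry): host, product, version,
# and whether the install is covered by a central patch channel.
SAMPLE_INVENTORY = """host,product,version,managed
ws-fin-01,WinRAR,6.24,no
ws-fin-02,WinRAR,7.13,no
eng-ws-07,WinRAR,7.01 beta 1,no
srv-file-01,WinRAR,7.20,yes
ws-hr-03,7-Zip,23.01,no
ws-ops-11,WinRAR,unknown,no
"""

def parse_version(text: str) -> tuple:
    """'7.01 beta 1' -> (7, 1). Compare numerically: as strings,
    '6.24' would sort after '7.13' and hide a vulnerable install."""
    m = re.match(r"\s*(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return int(m.group(1)), int(m.group(2))

def classify(product: str, version: str) -> str:
    """'patched', 'vulnerable', 'unknown' (unparseable) or 'no-baseline'."""
    key = product.strip().lower()
    if key not in MIN_FIXED:
        return "no-baseline"
    try:
        return "patched" if parse_version(version) >= MIN_FIXED[key] else "vulnerable"
    except ValueError:
        return "unknown"

def audit_inventory(csv_text: str) -> list:
    """One finding per inventory row; unmanaged installs are flagged even when
    patched, because an out-of-channel install will drift out of date again."""
    return [{"host": r["host"], "product": r["product"],
             "status": classify(r["product"], r["version"]),
             "unmanaged": r["managed"].strip().lower() != "yes"}
            for r in csv.DictReader(io.StringIO(csv_text))]

def hosts_needing_action(csv_text: str) -> list:
    """Hosts that are vulnerable, unverifiable, or outside central patching."""
    return sorted(f["host"] for f in audit_inventory(csv_text)
                  if f["status"] in ("vulnerable", "unknown") or f["unmanaged"])
```

Products without a baseline (7-Zip in the sample) are still reported so the unmanaged flag can pull them into the central patch channel.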

CERT Polska’s Poland report makes clear that distributed renewable energy infrastructure, grid-connection substations, RTUs, HMIs, relays, serial port servers, modems, routers, and switches are now inside the Russian targeting envelope. (cert.pl)

Conclusion

Ukraine has already fought the cyberwar Europe is now preparing for. For more than a decade, Russia has used Ukraine as a live target range for destructive cyber operations against power, telecoms, registries, government services, and public trust. These attacks were not isolated events. They were iterations in a campaign designed to test access, disruption, recovery denial, and coercive pressure.

That experience gives Ukraine operational knowledge most EU and NATO states still only exercise in theory. Ukrainian defenders have had to restore services under attack, defend critical infrastructure during wartime, and sustain national continuity while cyber operations were paired with kinetic strikes and information warfare.

Russia has refined a repeatable model in Ukraine: gain access through the cheapest reliable path, convert access into espionage or sabotage, damage recovery capacity, and use disruption to pressure the state and its allies. That model is now moving westward through attacks on the infrastructure that supports Ukraine, including energy, logistics, telecoms, and allied government systems.

Europe should therefore treat Ukraine not only as a partner to defend, but as a source of doctrine. Ukrainian cyber defenders should help shape EU and NATO exercises, critical-infrastructure planning, incident-response models, and wartime resilience standards. Europe can learn from Ukraine now, or learn later through its own destructive incidents.


Source: https://krypt3ia.wordpress.com/2026/06/23/threat-report-ukraine-as-russias-downrange-cyber-warfare-target-and-europes-emerging-exposure/