A decade of cyber warfare: the operations of Russian APT groups in Ukraine (2014-2024)
Kuusela, Jere (2026)
All rights reserved. This publication is copyrighted. You may download, display and print it for Your own personal use. Commercial use is prohibited.
The permanent address of the publication is
https://urn.fi/URN:NBN:fi:amk-2026052014683
Abstract
One of the longest-running cyber operations during wartime is the Russo-Ukrainian conflict,
which started with the annexation of Crimea in 2014. Much of the existing research examines
individual incidents, shorter timeframes, or specific threat groups. This thesis examines how
Russian Advanced Persistent Threat (APT) operations against Ukraine evolved between 2014 and 2024.
The research uses a longitudinal multiple case study design that combines quantitative
analysis with qualitative interpretation. The analysis is based on a dataset of 58 publicly
documented incidents. The dataset was built from government and CERT advisories, MITRE
ATT&CK entries, and reports from established threat intelligence companies.
The incidents are divided into three phases: the Early Escalation Phase from 2014 to 2017,
the Persistent Access and Espionage Phase from 2018 to 2021, and the Full-Scale Invasion
Era from 2022 to 2024. The study compares the incidents by tactics, techniques, operational
objectives, and target sectors. It also analyzes the connection to hybrid warfare and information warfare elements.
Russian APT activity against Ukraine changed clearly over the decade. Early operations
focused mainly on espionage and disruption. After the full-scale invasion, there was an
increase in destructive attacks, access preparation, and influence operations. The target
sectors also expanded, and the cyber operations showed more hybrid warfare elements.
