Gartner Research

Quick Answer: What Does the Russian Invasion of Ukraine Mean for Cybersecurity Leaders?

Published: 28 February 2022

Summary

This analysis covers reported known and likely cybersecurity attacks related to the Russian invasion of Ukraine. It also includes recommendations for immediate, short-term and midterm actions that cybersecurity leaders should prioritize to mitigate potential impacts on their organization.

More Detail

On 24 February 2022, the Russian invasion of Ukraine escalated into conventional warfare, but coordinated cyber conflict had been underway for much longer. All organizations, particularly those in critical infrastructure sectors, could be impacted directly or indirectly. Security and risk management leaders can learn from the attacks currently unfolding to prepare for future crises.

Reported attacks already underway:

  • Volumetric distributed denial of service (DDoS) attacks on media companies, banks and government websites.

  • Increased malware activity such as data wiping.

  • Targeted and persistent phishing attacks by groups such as Gamaredon.

  • Disinformation campaign via SMS messages to induce panic.

Attacks likely to happen:

  • Activation of dormant access and previously deployed tooling, such as BlackEnergy, which was used to target Ukraine’s electric grid in 2014 and 2015.

  • Cyber-physical systems (CPS) running operations in critical infrastructure are attractive targets.

  • Cloud providers and undersea cables that underpin internet connectivity are also targets due to the potential for large-scale international disruption. In 2019, Russia successfully tested the capability of its internet infrastructure at being isolated from the rest of the world.

  • Automated exploits on security infrastructure, especially firewalls and public-facing remote access gateways. For example, researchers have warned that the Sandworm group has developed a new Cyclops Blink hacking tool using botnets to target firewalls.

  • Exploitation of the crisis for phishing by impersonating “figures of authority” such as government agencies or humanitarian help during mass evacuations.

  • DDoS to generate chaos or as a “smoke screen” to hide lower and slower attacks.

  • With geopolitical topics such as these, activism runs high and insider threats might rise for organizations working in defense and critical infrastructure.

Longer term, economic damage in Russia resulting from sanctions may increase ransomware activity, both as a retaliatory measure and as a source of income for the state and for the tech-savvy newly unemployed. Geofencing will have little effect, as most attacks are delivered via U.S. proxies.

In the initial phases of the crisis, the “fog of war” will also challenge situational awareness, and panic will increase the risk of mistakes. As soon as the intent of the invasion was announced by the U.S. and EU, organizations with staff, operations, data processing and suppliers in Ukraine should have readied their crisis management teams. It is too late after the invasion to invoke business, disaster and third-party recovery plans. The benefits of invoking early include the ability to shift operations to other operating locations, as well as sending in personnel evacuation services to extract employees. These plans, along with cyberattack incident response plans, should have been tested in advance; there is no time during a crisis to develop and test something new.

Business disruption, particularly supply chain disruption, is likely. Expect that some of your partners may be incapacitated if they become targets of cyberattacks or are impacted by sanctions. Also expect lead times to be even more affected for suppliers in high-risk regions.

Recommendations:

Cybersecurity leaders should ensure they or their team is represented on the cross-organizational crisis management team. Many stakeholders are required to establish situational awareness and to give their approval for decisions made.

Immediate response:

  • Demonstrate calm and control in communication about threats and incidents. Ensure everyone in the security and risk management teams does the same and avoids adding to the FUD.

  • Show discipline when setting up the list of “immediate” actions. Favor an “immediate,” “short-term” and “midterm” program to help with planning, workload and stress management.

  • Assess and strengthen, if necessary, primary and out-of-band communication channels with your security and IT staff, business stakeholders, employees and supply chain providers. Consider use cases where the core communication services (email, corporate internet, telephony) are down. Ensure that everyone knows about the alternative channels.

  • Review your crisis management, business continuity, disaster recovery, downtime procedures and supply chain/third-party contingency plans associated with Ukraine operations to ensure they align to current business and IT activities.

  • Work with the team on immediate additional due diligence to prevent user mistakes, starting with changes to critical security and IT infrastructure (e.g., selective use of the four-eyes principle).

  • Prepare for incident response, as there might still be time to obtain or increase threat detection, incident response retainer and services capabilities. Structure IR personnel schedules to avoid burnout, and develop comprehensive shift handover and communication processes.

  • Implement the “in case of emergency” feature of DDoS providers to blunt sudden volumetric attacks on public-facing assets.

  • Prepare an executive presentation/one-page report template, as these types of crises trigger update requests from board members or C-level executives.

Short-term (days/one to two weeks):

  • Establish/maintain a governance and legal process that includes the CEO, the board and key operational staff. Decide who will take the lead should an incident occur.

  • Update the inventory to identify missing security controls, detection signatures and threat intelligence updates.

  • Invoke your supply chain/third-party contingency plans for Ukraine-based providers.

  • Review government agency recommendations for preventative actions.

  • Communicate about the risk of multichannel phishing (e.g., email, voicemail, IM, Teams/Slack, SMS) and social engineering related to the ongoing events. Don’t run phishing tests targeted at this scenario. Employees are your allies in this. Encourage virtuous behaviors such as reporting anomalies.

  • Set up a task force to monitor the surge of vulnerabilities and advisories expected in the coming days. Prioritize patches for public-facing infrastructure. Use resources such as CISA’s Known Exploited Vulnerabilities Catalog to focus efforts and scarce resources on actively targeted vulnerabilities, such as those in Zabbix.

  • Prioritize threat intelligence analysis toward most-likely threat actors and threat vectors.

  • Implement threat hunting processes as if an incident recently happened: monitor and hunt for specific tactics, techniques and procedures (TTPs) by following government agencies’ recommendations. Scrutinize alerts related to C2 communication and credential access.

  • Analyze existing DDoS protections not only for critical public-facing assets but also for any ingress or egress internet point of presence.

  • Review network segmentation enforcement strength and zoning based on potential change in relative trust between segments and offices impacted by the crisis.

  • Look to manage burnout/fatigue in your team. Provide resources for alleviation of stress in collaboration with HR, for example mindfulness exercises, recharge breaks or focus time.
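The short-term recommendation to focus scarce patching effort on actively exploited, public-facing vulnerabilities can be turned into a repeatable triage step. The script below is an added example, not part of the Gartner note: it joins constructed scanner findings against a constructed excerpt of a KEV-style feed and orders them so that exploited-and-internet-reachable findings come first, ordered by the catalog’s remediation due date. The field names (`cveID`, `vendorProject`, `product`, `dueDate`) follow the layout of CISA’s public KEV JSON, but the CVE identifiers, host names and scores are placeholders, not real entries.

```python
"""Triage vulnerability findings against a Known Exploited Vulnerabilities (KEV) feed.

Added example (not from the Gartner note). The KEV excerpt and the findings
below are constructed samples: the JSON keys mirror CISA's public KEV feed,
but every CVE id, host name and score is a placeholder.
"""
import json
from datetime import date

# Constructed KEV catalog excerpt. CVE ids are placeholders, not real entries.
KEV_JSON = """
{
  "title": "Constructed KEV sample",
  "vulnerabilities": [
    {"cveID": "CVE-0000-00001", "vendorProject": "Zabbix", "product": "Frontend",
     "dateAdded": "2022-02-22", "dueDate": "2022-03-08",
     "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-0000-00002", "vendorProject": "ExampleVPN", "product": "Gateway",
     "dateAdded": "2022-02-25", "dueDate": "2022-03-11",
     "requiredAction": "Apply updates per vendor instructions."}
  ]
}
"""

# Constructed scanner output: one row per (asset, CVE) pair.
# "exposure" comes from the asset inventory: public = reachable from the internet.
FINDINGS = [
    {"asset": "mon01", "cve": "CVE-0000-00001", "exposure": "public", "cvss": 9.1},
    {"asset": "mon02", "cve": "CVE-0000-00001", "exposure": "internal", "cvss": 9.1},
    {"asset": "vpn01", "cve": "CVE-0000-00002", "exposure": "public", "cvss": 7.5},
    {"asset": "web01", "cve": "CVE-0000-00099", "exposure": "public", "cvss": 9.8},
    {"asset": "db01", "cve": "CVE-0000-00098", "exposure": "internal", "cvss": 6.5},
]


def load_kev(raw_json):
    """Parse a KEV-style feed and index it by CVE id for O(1) lookup."""
    data = json.loads(raw_json)
    return {entry["cveID"]: entry for entry in data["vulnerabilities"]}


def prioritize(findings, kev):
    """Order findings for remediation.

    Tier 0: in KEV and public-facing (known exploited, internet reachable)
    Tier 1: in KEV, internal only
    Tier 2: not in KEV but public-facing
    Tier 3: everything else
    Within a tier: earliest KEV due date first, then higher CVSS first.
    Note that a high CVSS score alone does not outrank a known-exploited entry.
    """
    def sort_key(finding):
        in_kev = finding["cve"] in kev
        public = finding["exposure"] == "public"
        tier = 0 if (in_kev and public) else 1 if in_kev else 2 if public else 3
        due = date.fromisoformat(kev[finding["cve"]]["dueDate"]) if in_kev else date.max
        return (tier, due, -finding["cvss"])

    return sorted(findings, key=sort_key)


def overdue(findings, kev, today_iso):
    """Return KEV findings whose catalog due date is already past on today_iso (YYYY-MM-DD)."""
    today = date.fromisoformat(today_iso)
    return [
        f for f in findings
        if f["cve"] in kev and date.fromisoformat(kev[f["cve"]]["dueDate"]) < today
    ]


if __name__ == "__main__":
    catalog = load_kev(KEV_JSON)
    for f in prioritize(FINDINGS, catalog):
        flag = "KEV" if f["cve"] in catalog else "   "
        print(f"{flag} {f['exposure']:<8} {f['asset']:<6} {f['cve']} cvss={f['cvss']}")
    late = overdue(FINDINGS, catalog, "2022-03-10")
    print("overdue on 2022-03-10:", [f["asset"] for f in late])
```

In production the catalog would be fetched from CISA and the findings pulled from the scanner or CMDB, but the join and the tiering stay the same; the point is that exposure and exploitation status, not CVSS alone, drive the order of work during a surge of advisories.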

Midterm (two to four weeks):

  • Reevaluate risks of single-point-of-failure providers — actively prepare for redundancies, especially when the providers operate in the region impacted by the crisis.

  • Strengthen crisis communications by using emergency/mass notifications services (EMNS).

  • Identify “single-region/point of presence (POP)” infrastructure and smaller regional SaaS that might be at higher risk of disruption, and evaluate backup options.

  • Revise your security plans to account for safety and operational resilience considerations. As cyber-physical systems (CPS) have emerged due to operational technology (OT)/IT system integration and new automation efforts, human safety and resilience are as important as information security.

  • Remain available for cross-organizational workforce meetings even when they start to feel less crucial. Business disruption might take more time to materialize but then require immediate involvement from security teams.

  • Cross-train IT security personnel in the inner workings of CPS to increase security in mission-critical environments.

What to ignore for the next weeks:

  • Attribution. There will be opportunistic activity from multiple nation states and cybercriminal organizations. Targeted assets, attack techniques and available threat intelligence are helpful now; attribution might be useful much later.

  • Non-critical business operations and activities.

  • Macro business disruption. Some industries will be directly impacted by the Russian invasion of Ukraine but there are no immediate actions that can change that. Watch for pivots, rebudgeting and reprioritization of projects.

Evidence

Throwback Attack: BlackEnergy Attacks the Ukrainian Power Grid, Industrial Cybersecurity Pulse, 11 November 2021.

Four Eyes Principle, European Commission.

Shields Up, CISA.

©2022 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. and its affiliates. This publication may not be reproduced or distributed in any form without Gartner’s prior written permission. It consists of the opinions of Gartner’s research organization, which should not be construed as statements of fact. While the information contained in this publication has been obtained from sources believed to be reliable, Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner research may address legal and financial issues, Gartner does not provide legal or investment advice and its research should not be construed or used as such. Your access and use of this publication are governed by Gartner’s Usage Policy. Gartner prides itself on its reputation for independence and objectivity. Its research is produced independently by its research organization without input or influence from any third party. For further information, see Guiding Principles on Independence and Objectivity.