Today at 12:23
A decade of repelling continuous Russian cyberattacks has transformed Ukraine into the unique carrier of full-scale expertise in digital state defence.
In December 2025, Poland experienced what Ukraine has lived with every day since 2014. The Russian group Sandworm, operationally linked to the Main Directorate of the General Staff of the Russian Armed Forces, carried out an attack on Poland’s energy infrastructure using a new strain of destructive malware called DynoWiper.
ESET, which identified the malicious code, directly attributed the operation to the same unit that has been disabling Ukrainian transformer substations, power grids, and digital registries for decades.
In January 2026, it became definitively clear that the collective cybersecurity architecture declared by the European Union had hit the wall of reality that Ukraine had been thrust against organically a decade earlier. The paradox is that the EU continues to build programmes to support Ukrainian cyber defence, while it is Ukraine itself that holds the only full-scale operational experience in Europe of sustained digital state defence during wartime. This gap in the logic of partnership must be broken.
Read the FULL article on The Gaze by Dmytro Levus, foreign policy expert, analyst at kyiv-based United Ukraine Think Tank.
The expert argues that the attribution of Sandworm in the Polish case should not be viewed as an isolated incident. The same GRU-linked unit was responsible for the first successful cyberattack on a civilian power grid in history in December 2015, when the BlackEnergy 3 malware disrupted operations at three Ukrainian regional energy companies and left around 230,000 residents of Ivano-Frankivsk Oblast without electricity.
The analyst notes that Sandworm continued to refine its capabilities in subsequent years. In 2016, the group targeted a transmission substation in Kyiv with the Industroyer malware, specifically designed to manipulate industrial control systems. He further points out that in October 2022, cybersecurity researchers at Mandiant documented a sophisticated attack against a Ukrainian substation involving living-off-the-land techniques aimed at a MicroSCADA system.
According to Levus, the operation was accompanied by the deployment of a new version of CADDYWIPER and deliberately synchronized with large-scale Russian missile strikes.
The author emphasizes that alongside conventional military operations, Russia is systematically expanding its infrastructure for cyber warfare and influence campaigns. He refers to an investigation published in May 2026 by an international consortium of journalists, based on more than 2,000 internal documents from Bauman Moscow State Technical University, which exposed the existence of a covert academic structure known as Department 4.
The foreign policy expert explains that the department is directly integrated into the GRU and headed by Lieutenant Colonel Kirill Stupakov. One of its instructors is Major General Viktor Netyksho, formerly the commander of Unit 26165, widely known as Fancy Bear. Students are required not only to develop their own malware and conduct penetration testing exercises, but also to internalize ideological narratives portraying war against Ukraine as inevitable.
He highlights that 69 graduates joined GRU operational units in 2024 alone and adds that similar recruitment and training mechanisms reportedly operate at MIREA University as well.
The analyst points out that institutional cooperation between Ukraine and European cybersecurity structures has already begun to develop. ENISA signed a cooperation agreement with Ukraine’s NCCC and SSSCIP in November 2023, formalizing exchanges of expertise and improving situational awareness.
At the same time, the expert argues that existing frameworks remain largely one-directional. While EU CyberNet supported the Tallinn Mechanism Project Office and expanded cooperation with Ukrainian institutions, Kyiv continues to be treated primarily as a recipient rather than a provider of expertise.
The author highlights that a seminar organized by EUISS and EU Cyber Direct in Brussels in March 2026 recognized Ukraine’s frontline role in confronting cyber and hybrid threats. Nevertheless, he contends that current institutional arrangements still do not allow Ukrainian specialists to regularly shape training programs for European CSIRTs, share expertise on protecting critical infrastructure during kinetic attacks, or advise European energy operators on realistic threat scenarios.
The researcher stresses that Europe should view Ukraine as a laboratory for the survival of a digital state under constant attack. For more than a decade, Ukrainian specialists have been developing practical expertise in detecting, containing, and recovering from operations conducted by the same GRU structures that are now targeting Poland, preparing activities against Germany, and experimenting with AI-driven disinformation campaigns in the United States.
The expert concludes that the most rational strategy would be to transform existing partnerships and integrate Ukrainian institutions as equal contributors within European cybersecurity frameworks. In his view, Ukrainian structures should become co-authors of EU CyberNet training programs, active participants in ENISA working arrangements, and providers of stress-testing scenarios for organizations operating under the NIS2 framework.
Finally, the analyst warns that Europe faces a clear choice. It can either wait until it experiences a comparable cyber catastrophe and learn through costly disruption and losses, or it can recognize the lessons already available from Ukraine’s experience and invest in transferring this expertise before another major cyberattack forces a much more painful adaptation.
Read the FULL article on The Gaze: Europe’s Cyber Front Runs Through Kyiv. Why Ukraine Should Teach the EU Digital Defence
Read also: Why Ukrainian Weapons Head West: the War Created a New DefTech Market for NATO
