From frontlines to online: examining target preferences in the Russia-Ukraine conflict

Official URL: https://dx.doi.org/10.1007/s10207-025-00981-w

Distributed denial of service (DDoS) attacks have become a prominent threat in the digital landscape, with their frequency and impact magnifying during geopolitical conflicts. The Ukraine-Russia conflict, which commenced in February 2022, witnessed a surge in DDoS attacks, becoming the most common type of cyber assault during this period. This study examines the frequency and patterns of DDoS attacks throughout the Russo-Ukraine cyberwarfare, identifying the sectors most affected. By analyzing messages from Telegram channels containing IP addresses and URLs, we identified 4,612 unique victim domain names, with 3,090 targeted by Ukrainian hacktivist groups (pro-Ukrainian) and 1,522 by Russian hacktivist groups (pro-Russian). We observed distinct DDoS attack patterns between pro-Ukrainian and pro-Russian collectives. Ukrainian groups exhibited peak activity during May, June, and July, with a noticeable decline towards the end of 2022. In contrast, the pro-Russian group’s activities intensified in late 2022. Our investigation highlights that pro-Ukrainian collectives, particularly ‘IT Army of Ukraine 2022’, were the most active in conducting DDoS attacks and operated with higher synchronicity. Our findings also indicate that crucial portals for information and services, particularly those related to news, government, business, finance, and travel, were consistently targeted by DDoS attacks. The majority of these victim domains lacked adequate DDoS protection during the assaults, with few improving their security measures post-attack. The study also reveals that DDoS attacks predominantly occurred on Saturdays, Sundays, and Mondays. Our results underscore the necessity for enhanced cybersecurity measures in vulnerable sectors to mitigate the impact of DDoS attacks during times of conflict.