The Cloudflare 2026 Threat Report is different. This is not a corporate brochure designed to sell a product. It is a detailed intelligence map on which Ukraine is marked in red — not as a victim, but as the epicenter of the most technologically sophisticated hybrid war in human history.
Mykhailo Fedorov — a man who once sold Crimean onions at a Zaporizhzhia market, then ran Facebook ad campaigns for Zelenskyy's entertainment company, and now serves as Ukraine's Minister of Defence — has long made his position clear: cyber threats are overstated, panic is harmful, Ukraine is holding. Back in 2019, he said it plainly: "The role of cybersecurity is slightly exaggerated." That particular confidence is partly why, on 24 February 2022, Ukraine's only available response was to physically unplug its entire state database infrastructure — because three years of his tenure had produced no real protection. The LIFT project — Zelenskyy's flagship "social elevator" promising meritocracy and fresh faces in government — got stuck, as these things tend to, somewhere between cronyism and loyalty. But that is a separate story.
Fedorov, for his part, has never hidden his self-image. "Ministerial work is divine work," he told an interviewer, "because you design the rules of the game. What other job lets you create the rules for millions of people? That's where God is, and I'm not sure who else." Fine words when the game is a government app. Rather weightier when the rules govern artillery.
The Cloudflare report asks a fundamentally different question: what happens when digital weapons stop being auxiliary tools and become targeting systems for kinetic strikes? That is the chapter the new Defence Minister should read first.
Not Espionage — Coordinates for Artillery
The threat group RottenShrew — also known as UAC-0185 — is described in the Cloudflare report not as a classic intelligence operation but as a specialised targeting unit. Their objective is not to steal documents. It is to establish the precise location of Ukrainian soldiers.
In 2025, the group ran a campaign against the Signal accounts of Ukrainian military personnel, impersonating "Kropiva" — the Ukrainian Armed Forces' own artillery targeting application. Victims effectively handed over access to their communications and metadata themselves. Simultaneously, the group targeted Delta, Teneta, Diia and e-Queue — the entire digital architecture that had been sold to the world as Ukraine's proudest achievement.
Cloudflare states directly that these operations showed "temporal correlation with Russian kinetic military operations." Translated from diplomatic language: the digital breach preceded the missile strike. This is not a metaphor. It is a documented sequence of events.
The tool used by RottenShrew — PINPOINT — is a lightweight JavaScript payload that extracts precise GPS coordinates via the browser's Geolocation API. Not a city. Not a region. Exact coordinates. Then MESHAGENT, a legitimate remote monitoring tool, takes over for live screen surveillance. This is not espionage for its own sake. This is fire correction.
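The report's description of PINPOINT gives a defender two concrete things to check in a captured landing page: whether its script calls the browser Geolocation API (and asks for high-accuracy, i.e. GPS-grade, fixes), and whether the page's Permissions-Policy header would even let that call succeed. The triage check below is an added example, not code from the Cloudflare report or from the article's author; the page contents and headers it scans are constructed sample artifacts, and the function names are my own.

```javascript
// Added example: triage a captured landing page for Geolocation API use.
// Page contents and headers below are constructed samples, not real artifacts.

const GEO_CALLS = [
  { name: "getCurrentPosition", re: /navigator\s*\.\s*geolocation\s*\.\s*getCurrentPosition\s*\(/g },
  { name: "watchPosition",      re: /navigator\s*\.\s*geolocation\s*\.\s*watchPosition\s*\(/g },
];

// Scan script text for Geolocation API call sites. Each finding records the
// line number and whether the call's options request high-accuracy fixes,
// which on a phone means the GPS receiver rather than a coarse network fix.
function findGeolocationUse(scriptText) {
  const findings = [];
  for (const { name, re } of GEO_CALLS) {
    for (const m of scriptText.matchAll(re)) {
      const line = scriptText.slice(0, m.index).split("\n").length;
      // The options object follows the callbacks; a bounded window is enough.
      const argText = scriptText.slice(m.index, m.index + 400);
      const highAccuracy = /enableHighAccuracy\s*:\s*true/.test(argText);
      findings.push({ api: name, line, highAccuracy });
    }
  }
  return findings;
}

// Interpret the Permissions-Policy response header for the geolocation feature.
// No header, or no geolocation directive, leaves the browser default in force,
// so the top-level document may prompt for location. Only an empty allowlist,
// geolocation=(), blocks it outright. Returns "blocked" or "allowed".
function geolocationPolicy(headers) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === "permissions-policy");
  if (!key) return "allowed";
  const directive = headers[key]
    .split(",")
    .map((s) => s.trim())
    .find((s) => s.startsWith("geolocation="));
  if (!directive) return "allowed";
  const allowlist = directive.slice("geolocation=".length).replace(/^\(|\)$/g, "").trim();
  return allowlist === "" ? "blocked" : "allowed";
}

// Combine both checks into a verdict an analyst can act on.
function triagePage(page) {
  const findings = findGeolocationUse(page.script);
  const policy = geolocationPolicy(page.headers);
  const usesGeolocation = findings.length > 0;
  const highAccuracy = findings.some((f) => f.highAccuracy);
  let verdict = "no geolocation use";
  if (usesGeolocation && policy === "blocked") {
    verdict = "geolocation call present but blocked by Permissions-Policy";
  } else if (usesGeolocation && highAccuracy) {
    verdict = "high-accuracy geolocation collection";
  } else if (usesGeolocation) {
    verdict = "geolocation collection";
  }
  return { usesGeolocation, highAccuracy, policy, findings, verdict };
}

// Constructed sample: a lookalike page with no Permissions-Policy header whose
// script requests a GPS-grade fix and hands the coordinates to a reporter stub.
const SAMPLE_LANDING_PAGE = {
  headers: { "Content-Type": "text/html" },
  script: [
    "// constructed sample of a lookalike page's script",
    "function report(c) { /* stub: would forward c.latitude/c.longitude */ }",
    "navigator.geolocation.getCurrentPosition(function (p) { report(p.coords); },",
    "  null, { enableHighAccuracy: true, timeout: 10000 });",
  ].join("\n"),
};

// Constructed sample: the same script served with geolocation disabled by policy,
// as a legitimate service that never needs location should be configured.
const HARDENED_PAGE = {
  headers: { "Permissions-Policy": "camera=(), microphone=(), geolocation=()" },
  script: SAMPLE_LANDING_PAGE.script,
};

if (typeof require !== "undefined" && require.main === module) {
  console.log(triagePage(SAMPLE_LANDING_PAGE).verdict); // high-accuracy geolocation collection
  console.log(triagePage(HARDENED_PAGE).verdict);       // ... blocked by Permissions-Policy
}
```

The Permissions-Policy check matters for the legitimate side of this story: a genuine service such as Kropiva's or Diia's web front end can declare `geolocation=()` so that an injected or compromised script on its own origin cannot prompt for location. It does nothing against a lookalike page on an attacker-controlled origin, where the header is the attacker's to set; there the control has to live on the soldier's device (a managed browser setting that denies geolocation by default, such as Chrome's DefaultGeolocationSetting enterprise policy) and in the habit of never granting a location prompt to a "Kropiva" that arrives as a link.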
Anyone still inclined to describe the cyber threat as "exaggerated" is welcome to explain that to the artillery crews whose positions were struck after their phones were compromised.
Gamaredon: An Endurance Factory Across Thousands of Machines
NastyShrew — also known as Gamaredon, or Primitive Bear — is described in the report as "one of the most active and persistent Russian threats." Their strategy requires no sophistication: they operate through sheer volume. Thousands of infected machines across Ukraine, constant rotation of command-and-control infrastructure through legitimate paste sites, and VPS servers that accept connections only from Ukrainian IP ranges.
In February and November 2025, several members of the group were arrested in Thailand in a joint US-Thai operation. Cloudflare is under no illusions: the arrests did not stop the operations. The machine keeps running.
For Ukraine, the implication is stark: Gamaredon is not a hacker group that can be "neutralised." It is permanent background radiation in the digital environment — and it never reaches zero.
Iran Is Watching Through the Cameras
A separate thread in the report concerns the Iranian group MuddyKrill. In June 2025, they gained access to a network of CCTV cameras across Israel and streamed live footage for damage assessment during active missile exchanges. Not after the strike. Not via satellite imagery. In real time, while the rockets were still in the air.
This is not an Israeli problem. It is a methodology equally applicable to Ukraine — particularly given that Russia and Iran have long shared tactical innovations. The question of how well Ukraine's surveillance networks, industrial sensors and cameras are protected remains publicly unanswered. It does not feature in Diia Summit presentations, and it does not appear in donor briefings.
Where "Government in a Smartphone" Ends and the Battlefield Begins
Fedorov built a coherent philosophy: Russia spends enormous resources on cyberattacks, and Ukraine endures. Kyivstar recovered. Ukrenergo recovered. State registries recovered. The resilience is real.
But behind that facade lie several inconvenient stories that never make it onto the presentation slides. Payments through Diia ran for years via "Yedynyy Prostir" — a company linked to the Pin-Up online casino, whose owner turned out to have ties to Russia and was eventually arrested by Ukraine's State Bureau of Investigations. Drone procurement through the State Special Communications Service — a body subordinate to the Ministry of Digital Transformation — became mired in a price-inflation scandal, with front-line invoices bearing no resemblance to the contracted figures. The LIFT project — launched to fanfare as a symbol of meritocracy — became the familiar vertical of loyalists. Laptop tenders for teachers, equipment for the New Ukrainian School, IT infrastructure — everywhere the same anatomy: a good idea, opaque implementation, and no meaningful accountability.
The Cloudflare report describes a paradigm shift that renders this entire framework obsolete. The question is no longer whether a system will fail; the point is that attacks have ceased to be ends in themselves. They have become instruments of kinetic warfare. When RottenShrew geolocates a soldier, the objective is not to compromise his phone. It is to kill him.
"Resilience" in the classical sense — restoring service after an attack — is no longer enough. What is required is zero-window resilience: a system must be protected before the attack, because after it, there may be no one left to restore.
The second argument from Fedorov's arsenal — the democratisation of cyber defence through the IT Army, volunteers and international assistance — is real and it matters. But Cloudflare documents an identical democratisation on the aggressor's side: AI has lowered the barrier to sophisticated attacks to the price of an LLM subscription. A mid-tier hacker can now auto-generate phishing campaigns, identify code vulnerabilities and navigate unfamiliar systems. The symmetry has broken — and not in our favour.
What Needs to Be Built — and What Is Missing
Read through the lens of Ukrainian realities, the Cloudflare report produces several uncomfortable conclusions.
First: the application problem. Kropiva, Delta, Diia, e-Queue — all were targeted. This is not coincidence. The systems being attacked are precisely those that serve as entry points to the most sensitive data. Ukraine should be proud of having digitalised its state faster than most countries in the world. But every digitalised service is a new attack surface. For years, the pace of deployment outran the pace of security auditing — and that is not a technical failure. It is a management philosophy that consistently placed coverage metrics above protection metrics.
Second: identity as the primary front. Cloudflare documents a global shift from network intrusion to identity compromise — session token theft, MFA bypass, account takeover through trusted channels. For Ukraine, this means that protecting critical systems cannot be reduced to firewalls and patches. It must begin with zero trust at every point of entry, including the phones of ordinary soldiers.
Third: DDoS as the new normal. In 2025, Cloudflare recorded 47.1 million DDoS attacks — double the previous year. The record attack reached 31.4 terabits per second. Most attacks lasted under ten minutes — too fast for any human response. Ukraine is simultaneously a target and a testing ground, where Russia is developing methods it will later deploy against the entire West.
Fourth: the software supply chain. The SaaS-to-SaaS attacks documented in the report threaten any organisation using cloud service integrations. Ukrainian state bodies that have migrated to the cloud require systematic audits of API permissions — and those audits must be continuous processes, not one-time exercises.
Fifth: the human factor. The Cloudflare chapter on insider threats focuses primarily on North Korean schemes. But the logic is universal: a trusted person inside a system is more dangerous than any external breach. Under prolonged war, social stress and financial strain, that vulnerability only grows.
Is Ukraine Ready?
The honest answer is no.
Ukraine possesses a depth of combat experience in cyber defence that neither NATO nor Israel can match. CERT-UA functions. International support is real. Public awareness of threats is higher here than in most European countries.
But Cloudflare describes a landscape where attacks evolve faster than defences, where AI multiplies the aggressor's capacity, where a compromised phone can get a soldier killed before a system alert is even generated. In that landscape, "we are holding" is not a strategy. It is a description of yesterday.
Panic, it is true, is harmful. But the Cloudflare report is not panic. It is technical documentation of how Russia — and others — are converting digital space into an extension of the battlefield. That documentation does not call for reassurance. It calls for a fundamental shift in posture: one in which cyber defence is not a support service but a critical combat function, integrated into the command chain with the same weight as artillery or intelligence.
The front line has long run through every smartphone in the hands of a Ukrainian soldier. The question is not whether the new Defence Minister understands that. The question is whether that understanding is enough to break his own operational logic — and whether there is time left to find out.
