
Kyiv: The 21st Century’s Espionage and Cyberwarfare Capital

Image: Ukraine, military, soldier
According to the FSB, the money from the fraud was to be used for the needs of the Ukrainian military.
Photo: Алесь Усцінаў/Pexels

"Kyiv and all of Ukraine have become the new frontier between NATO and Russia," writes Small Wars Journal in its 22 July 2025 analysis, comparing the Ukrainian capital to Cold War-era Berlin. Back then, Berlin was cut by checkpoints, listening posts, and tunnel networks like Operation Gold — a living lab for intelligence operations. Today, the same publication notes, fiber-optic cables have replaced tunnels, and Russian spyware has taken the place of analog bugs — with GRU malware now doing the listening.

HUMINT 2.0: Hunting a Mole at the Heart of Anti-Corruption

With hundreds of Russian diplomats expelled from NATO states, Moscow's intelligence services have shifted tactics — from embassy-based spying to recruiting insiders, individuals with privileged access to classified data. On 21 July 2025, Ukraine's Security Service (SBU) arrested an officer of the National Anti-Corruption Bureau (NABU) for allegedly passing sensitive information to Russia. According to Reuters, a second NABU officer had reportedly been assisting Russian businesses. The SBU claims the mole leaked over 60 classified documents to the GRU, including reports on arms deliveries. This signals that Russian intelligence is now targeting not only military institutions, but also the guardians of Ukraine's European reforms. The Jamestown Foundation highlights that similar Russian networks have been uncovered in Poland, where 49 individuals have been arrested on charges of sabotage or espionage since 2021. In both countries, recruitment efforts have increasingly shifted from ethnic Russians to refugees and migrants — lured by promises of quick income or legal residency.


The Cyber Front

According to the "APT Activity Report Q4 2024 – Q1 2025," Ukraine was the primary target of advanced Russian cyberattacks. Between October 2024 and March 2025, the most heavily hit sectors were government institutions and the energy grid, with a notable spike in attacks after New Year's, as detailed by ESET Research.

The Russian group Sandworm played a central role, deploying a new data-wiping malware named ZEROLOT. Using Group Policy vulnerabilities in Active Directory, ZEROLOT can simultaneously infect hundreds of machines — a tactic highlighted by Help Net Security in its breakdown of the ESET report. Experts at Immersive Labs note that the malware targeted energy companies, underscoring the urgent need to physically separate Ukraine’s IT and OT infrastructure.
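The article describes ZEROLOT being pushed to hundreds of machines through Active Directory Group Policy, and it is the kind of change a domain's audit log records before the wiper runs. The following detection sketch is an added example, not code from the article or from ESET: it assumes Directory Service change auditing is enabled, so that Windows Security event IDs 5136 (directory object modified) and 5137 (directory object created) are logged for objects of class groupPolicyContainer, and it flags GPO edits by accounts outside an approved administrator set, edits outside an expected change window, and edits to the attributes that change what domain members actually execute. The event lines, account names, GPO GUIDs and the key=value layout are all constructed for the example; real events arrive as EVTX/XML and would need a different parser.

```python
"""Flag suspicious Group Policy Object (GPO) changes in Active Directory
audit events. Added example, not from the article or from ESET.

Assumes Directory Service change auditing is on, so event IDs 5136 (object
modified) and 5137 (object created) are logged for groupPolicyContainer
objects. The input format below is a constructed, simplified key=value
rendering of those events; real events are EVTX/XML.
"""
import re
from datetime import datetime

# Constructed sample events (account names and GPO GUIDs are placeholders).
SAMPLE_EVENTS = [
    "EventID=5137 Time=2025-01-02T03:14:07Z Subject=CORP\\svc-backup "
    "ObjectClass=groupPolicyContainer "
    "ObjectDN=CN={A1B2-TEST},CN=Policies,CN=System,DC=corp,DC=example Attribute=",
    "EventID=5136 Time=2025-01-02T03:15:41Z Subject=CORP\\svc-backup "
    "ObjectClass=groupPolicyContainer "
    "ObjectDN=CN={A1B2-TEST},CN=Policies,CN=System,DC=corp,DC=example "
    "Attribute=gPCMachineExtensionNames",
    "EventID=5136 Time=2025-01-02T10:02:00Z Subject=CORP\\gpo-admin "
    "ObjectClass=groupPolicyContainer "
    "ObjectDN=CN={C3D4-TEST},CN=Policies,CN=System,DC=corp,DC=example "
    "Attribute=versionNumber",
    "EventID=5136 Time=2025-01-02T03:16:00Z Subject=CORP\\svc-backup "
    "ObjectClass=user ObjectDN=CN=jdoe,CN=Users,DC=corp,DC=example "
    "Attribute=description",
]

# Accounts expected to edit GPOs, and the UTC hours in which edits are expected.
GPO_ADMINS = {"CORP\\gpo-admin"}
CHANGE_WINDOW = range(8, 18)

GPO_EVENT_IDS = {"5137": "GPO created", "5136": "GPO modified"}

# Attributes that change what clients execute: the machine/user client-side
# extension lists (e.g. enabling a scripts or scheduled-tasks extension) and
# the SYSVOL path the policy files are fetched from.
HIGH_IMPACT_ATTRS = {
    "gPCMachineExtensionNames",
    "gPCUserExtensionNames",
    "gPCFileSysPath",
}

KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_event(line):
    """Parse one constructed key=value event line into a dict."""
    return dict(KV_RE.findall(line))


def find_suspicious_gpo_changes(lines, approved_admins, change_window_hours):
    """Return a finding (with reasons) for each GPO change that breaks a rule."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") not in GPO_EVENT_IDS:
            continue
        if ev.get("ObjectClass") != "groupPolicyContainer":
            continue  # not a GPO object; out of scope for this rule
        reasons = []
        actor = ev.get("Subject", "")
        if actor not in approved_admins:
            reasons.append(f"actor {actor} is not an approved GPO administrator")
        when = datetime.strptime(ev["Time"], "%Y-%m-%dT%H:%M:%SZ")
        if when.hour not in change_window_hours:
            reasons.append(f"change at {when.isoformat()} is outside the change window")
        attr = ev.get("Attribute", "")
        if attr in HIGH_IMPACT_ATTRS:
            reasons.append(f"high-impact attribute {attr} modified")
        if reasons:
            findings.append({
                "event_id": ev["EventID"],
                "what": GPO_EVENT_IDS[ev["EventID"]],
                "gpo": ev.get("ObjectDN", ""),
                "actor": actor,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_gpo_changes(SAMPLE_EVENTS, GPO_ADMINS, CHANGE_WINDOW):
        print(f"{f['what']} by {f['actor']} on {f['gpo']}")
        for r in f["reasons"]:
            print(f"  - {r}")
```

On the sample data the two edits by the backup service account are reported (the second one additionally because it touches the machine extension list), the in-hours edit by the approved administrator is not, and the user-object change is ignored. The point of the rule is the one the article makes: a GPO is a distribution channel to every domain member that applies it, so its creation and modification deserve the same alerting as a domain-admin logon.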

Meanwhile, the Gamaredon group remains the most active Russian cyber actor targeting Ukraine. In its latest campaign, it deployed a tool called PteroBox to steal files and upload them to Dropbox accounts, while also refining its code obfuscation techniques, according to official statements from ESET Research. The scope of the offensive is confirmed by Dark Reading, which reports Gamaredon's use of aggressive spear-phishing and open network drives to penetrate government offices and military units in Kyiv.

Separately, Sednit (APT28) expanded its known RoundPress operation, exploiting vulnerabilities in MDaemon mail servers (CVE-2024-11182) as well as flaws in Horde and Zimbra groupware to target Ukrainian defence-sector companies, according to ESET’s full report. The RomCom group also struck Ukraine using simultaneous zero-day exploits in Mozilla Firefox (CVE-2024-9680) and Windows (CVE-2024-49039).

These findings confirm that, since autumn 2024, Ukraine has become the most intensively targeted cyber battlefield by Russian APTs. The nature of the operations is also evolving — shifting from classical espionage to destructive sabotage of critical infrastructure. At the same time, maritime threats are rising. A July policy brief by NATO’s Cooperative Cyber Defence Centre of Excellence (CCDCOE) warns that APT28 is conducting reconnaissance on ports and logistics firms in 11 NATO member states. The brief calls for formalized telemetry-sharing between civilian and military operators, as ports are now considered key nodes in forward defence.


Intelligence Integration with the West

On 21 July 2025, during the 29th meeting of the Ukraine Defence Contact Group, NATO Secretary General Mark Rutte announced a new real-time data-sharing channel with Ukraine's general staff. According to an official NATO release, the initiative aligns with decisions made at the recent Hague Summit to increase defence production and better coordinate support to Ukraine — aiming to deliver weapons and intelligence "not in months, but in days."

Ukrinform reports that the system will operate in parallel with the NSATU hub in Wiesbaden, giving Ukraine access to select U.S. capabilities in real time. Ukraine Today highlights the technical breakthrough: with a U.S.-approved licence for CSI software signed in June, Ukraine's command network Delta can now exchange data in Link 16 format. This allows Patriots, F-16s, and Mirage launchers to operate on a unified NATO "military Wi-Fi" system.

In practical terms, Ukrainian forces will gain a common air-land picture — integrating radar, drones, and battlefield intelligence into the same data framework used by NATO allies on the eastern flank. Kyiv is no longer just a recipient of aid packets, but an active digital node in the alliance. Frontline data will now feed directly into European commands, while targeting coordinates, risk alerts, and tactical maps return to Ukrainian terminals in near real time. Ukrainian signals officers say this could compress the "detect-decide-strike" cycle from hours to minutes — or even seconds in some scenarios.

In parallel, Atlantic Council experts are advocating for a Black Sea data fusion center, integrating sensors from Turkey, Romania, and Ukraine. With the Bosporus under military control and Bayraktar drone production expanding, Ankara is being positioned as a central guardian of NATO’s supply lines in the region.

Narrative Warfare

Recent intelligence battles around Ukraine reveal several key patterns. First, human intelligence remains irreplaceable: the arrest of NABU officers accused of working with the FSB shows that Russia continues to gain leverage by penetrating high-trust institutions. As Small Wars Journal notes, Kyiv has become a "hunting ground" for Russian insider recruitment, and the West must expand its protective measures for personnel with access to sensitive data.

Second, the "tunnels" of the digital age run through servers: as shown in ESET's latest report, the Sandworm group's ZEROLOT malware has destroyed data systems in Ukrainian power stations, making Active Directory hardening and OT network segmentation a top strategic priority.

Third, Black Sea logistics are now decisive. A NATO CCDCOE analysis warns that, without unified port visibility, the region will remain vulnerable to grey-zone Russian operations. Civil–military data sharing has become a defence imperative.

Fourth, this is also a war of narratives. According to the Atlantic Council, Russia is flooding the infosphere with fake reports of "corruption" and "extremism" in Ukraine. Countering this requires a unified, compelling message about the benefits of Euro-Atlantic integration.

For all these reasons, the Berlin analogy is more than a historical metaphor. Just as the fall of the Wall marked the end of an era, today's defence of Kyiv, Small Wars Journal argues, may define Europe's security architecture for decades to come.

Author: Adam Jawor
