Image: Roman Skrypnyk via Unsplash

Ukraine’s cyber chief on Russian hackers’ shifting tactics, US cyber aid

When Oleksandr Potii took the helm of Ukraine’s cybersecurity agency last November, his to-do list exploded. Once responsible for only a handful of policy areas, the brigadier general saw his remit expand to more than a dozen — from protecting critical infrastructure to coordinating cyberdefense in the midst of a full-scale war.

Potii’s promotion to lead the State Service of Special Communications and Information Protection (SSSCIP) came as Ukraine faced relentless Russian attacks on both the battlefield and in cyberspace. He is the third person to run the agency since the Kremlin’s invasion in 2022.

A former information security professor with more than 25 years in the Ukrainian armed forces, Potii is blunt about Moscow’s capabilities: “We see that Russia’s technical level is high and its potential is strong. We cannot underestimate them,” he said in an interview. 

“Russia has not only the capabilities but also the motivation and political will to use them. Their intellectual resources are not directed at building something for their own country, but at destruction.”

In an interview at the SSSCIP office in Kyiv, Potii spoke with Recorded Future News about Ukraine’s evolving cyber capabilities and cooperation with Western allies — while warning that Moscow’s hackers remain well-resourced, motivated and politically driven even in the third year of the war.

Russia’s shifting cyber strategy

According to Potii, the number of “critical” cyberattacks — large-scale operations aimed at paralyzing key infrastructure — has decreased compared to the early months of the war, a change he attributes to Ukraine’s stronger defenses and the higher costs of mounting such operations.

“Every large-scale critical attack requires careful preparation, resources, tools, planning, and coordination with other operations,” he explained. “It may be that Russia no longer has enough resources for such attacks, as Ukraine continues to strengthen its defenses, reducing the chances of a successful cyberattack while increasing the time and effort needed to carry one out.”

In 2024, Ukraine’s Computer Emergency Response Team (CERT-UA) detected 59 critical and high-level cyber incidents, compared with 367 in 2023 and 1,048 in 2022, according to a report by SSSCIP.

At the same time, non-critical cyber operations — from espionage to distributed denial-of-service attacks — have increased. “Perhaps Russia is saving resources. Perhaps it still has potential but is waiting. Or perhaps Ukraine is effectively preventing these attacks,” Potii said. 

"We see that cyber activity depends directly on Russia’s political goals and strategies," Oleksandr Potii said. Image: SSSCIP

Russia’s cyber activity, according to Potii, mirrors shifts in its political strategy. At first, Moscow tried to destabilize Ukrainian society and discredit institutions. When that failed, it pivoted to espionage, data theft and large-scale disruptions. 

“We see that cyber activity depends directly on Russia’s political goals and strategies. The focus and vector of attacks change accordingly,” he said. “By predicting shifts in Russia’s political priorities, we can also forecast what types of attacks to expect in the near future.”

As winter approaches, he expects the Kremlin to return to targeting Ukraine’s energy grid and other vital services. “We expect them to launch conventional strikes as well as attempts to disable systems that keep critical infrastructure running,” he said.

Ukraine’s defense and partnerships

To meet the threat, Ukraine has leaned on tight cooperation among its cyber defense forces and with international partners. CERT-UA is currently tracking around 80 hacker groups targeting Ukraine — each with a code name and signature tactics.

“Since we maintain a database of their tactics, we can anticipate next steps, inform partners and develop countermeasures,” Potii said. “Continuous technical study of these groups allows us to detect attacks early and respond in time.”

Information sharing with Europe and the U.S. remains central to Ukraine’s cyberdefense, according to Potii. Thus, Kyiv grew concerned during recent U.S. leadership changes over whether American support would be affected.

Potii said that despite political changes in Washington, Ukraine’s technical ties with the U.S. have remained steady. “Our cooperation with the U.S. continues at nearly the same level,” he said. “At the technical level, nothing has changed: we share information, they help us and we help them.”

Ukraine is seeking to reassure partners, including the U.S., that their assistance benefits their own security. “It is not just aid — it is an investment in our shared security,” Potii said. “We give partners access to our platforms, and they give us access to theirs.”

For example, Ukrainian specialists have been trained in the U.S. with the newest Cybersecurity and Infrastructure Security Agency (CISA) tools, which are now actively deployed in Ukraine. Data from Ukraine’s digital battlefield also helps allies better understand Russian hacking techniques that could later be used against Western networks.

The cooperation extends beyond the U.S., with Ukraine also working with European partners through bilateral security agreements and memorandums. “These memorandums aren’t just paper — they’re concrete plans,” Potii said.

Looking ahead

Potii joined SSSCIP in 2020 and was appointed head of the agency last year after a series of leadership changes. The former chief, Yury Myronenko, stepped down after just a year in the post to become a deputy defense minister.

Myronenko's predecessor, Yurii Shchyhol, and his deputy, Viktor Zhora, were dismissed in 2023 amid an investigation into the suspected embezzlement of state funds. They were accused of involvement in a software procurement scheme in which they allegedly stole $1.7 million between 2020 and 2022.

Potii said leadership changes haven’t affected the agency’s efficiency because it has “institutional memory” — procedures, culture and expertise embedded in the institution, not just in individual people.

“A new head may shift priorities somewhat, but over the years SSSCIP has only expanded its capabilities,” he said. “Leadership changes are not a revolution but adjustments to align with the functions set by the president and prime minister.”

According to Potii, Ukraine’s success in cyberspace rests on three pillars — people, technology and processes — that must continually adapt as the war drags on. Building trust among partners, he added, is equally important. “We have partners we trust and partners we don’t. We need to expand the circle of trusted partners — and ensure they trust us too,” he said.

That trust will be tested as Russia continues to experiment with new tools and tactics. Potii pointed to the attack on Ukrzaliznytsia, the national railway, as a reminder of the stakes. “Serious attacks such as the one on Ukrzaliznytsia showed us that Russia carried out thorough preparation and developed entirely new tools. That’s why the attack caused significant disruption.”

Even as the number of critical incidents falls, Potii notes that the threat remains. “Russia’s motivation will not go away,” he said. “What we can do is hinder them technically and complicate their operations.”

Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.