On January 25th, 2024, a major Distributed Denial-of-Service (DDoS) attack temporarily disabled the digital infrastructure of Naftogaz Group, Ukraine’s largest state-owned energy company. On the same day, an attack took other major companies offline—including the national postal service provider Ukrposhta, transport safety agency DSBT, and Ukrainian state railway Ukrzaliznytsia. Nevertheless, Ukrainian companies were able to restore access to their digital infrastructure rapidly, reaching full access within a few days.
Behind Ukraine’s rapid recoveries lies Ukraine’s cyber resilience, supported by early investments and a complex network of private-sector aid coordination. As Valeriya Ionan, Minister of Digital Transformation of Ukraine on Innovations, Digitalization, and Global Partnerships, said, “Cyber resilience is the foundation of Ukraine’s national security in the context of the most technologically advanced war of our time.”
This case study examines Naftogaz as an example of cyber resilience in wartime, exploring how Naftogaz built and maintained resilience as well as lessons and warnings for potential future conflicts.
Naftogaz’s Resilience: Rooted in Pre-War Groundwork
A representative of Naftogaz stated that—for Naftogaz—resilience is “ensuring the uninterrupted delivery of energy to Ukrainian citizens.” While Naftogaz can’t ensure uninterrupted delivery 100% of the time, it achieved a high level of resilience, largely due to intentional pre-war investment. According to this representative, because the company had prepared against similar attacks long before February 2022, Naftogaz contained the January 2024 DDoS attack within an hour, with most of that time spent restoring website services connected to external partners.
Preparations began in 2020 when Naftogaz established a centralized Security Operations Center (SOC), covering roughly 15 subsidiaries and 25,000 endpoints. The SOC provided the first comprehensive view of the company’s digital environment, allowing security teams to detect anomalies across the enterprise rather than reacting to incidents in isolation.
By February 2022, Naftogaz had already identified its vulnerabilities: websites could be compromised, remote access points could be overexposed, and incident response communication could be unclear. As described by the Naftogaz representative, when the full-scale reinvasion began, their first task was to harden these weak points: restricting external logins, establishing secure remote work arrangements, and monitoring the infrastructure for signs of intrusion. The early investment in SOC infrastructure provided the company with a unified view of its digital environment and reduced its response time once cyberattacks began.
Yet, as cyber operations intensified with the onset of full-scale war, internal capacity alone was no longer sufficient. Naftogaz, and Ukraine more broadly, required an external architecture of support capable of scaling cyber defense and maintaining resilience at the pace and intensity of the conflict.
The Architecture of Assistance: Delivery & Trust
From the onset of the war, Western governments and companies chose to help Ukraine digitally defend its government and critical infrastructure. These efforts, amounting to billions of dollars in aid, helped establish Ukrainian cyber resilience. The Cyber Defense Assistance Collaborative (CDAC) started facilitating support to Ukraine as early as March 2022 and has helped deliver assistance to nearly 30 Ukrainian agencies; Naftogaz is among the earliest and most continuous beneficiaries. In the first six months of war, CDAC donors provided a structured three-step support model to Naftogaz:
- Initial assessment to understand Naftogaz’s cybersecurity maturity and gaps
- Playbook development to uplift processes
- Tabletop exercises (TTX) to test the incident response process and decision-making.
A donor highlighted that this three-step process provided a holistic view and that “without one of the components, [the recipient] wouldn’t get the full picture.” Naftogaz noted that the procedures and documentation produced through the TTX engagement with the CDAC provider company are still in use today—nearly 3 years after the collaboration.
“[The CDAC donor] helped expand the investigation, gathered extra data, and showed us which other computers could potentially be infected… [This] was indeed a tangible, significant contribution.”
– Naftogaz Representative
Behind every assistance delivered in this ecosystem lies a diplomatic foundation. Volodymyr Povenko, head of Ukraine’s Government Cyber Coordination Center (GC3), emphasized that the ability to mobilize external support in 2022 stemmed from relationships built well before the re-invasion. Since 2019, Ukrainian actors such as GC3 engaged with foreign organizations, establishing professional and personal trust that became critical once emergency assistance coordination began.
Nevertheless, it took weeks from the start of the re-invasion before those channels matured into assistance delivery, and further relationships required time: “From America, there were many skeptics,” Volodymyr recalls. “Even though I was known in law enforcement and cybersecurity circles, establishing rapport still took time.”
Early evolution of such networks is central to what Volodymyr from GC3 calls “cyber-diplomacy”—the development of durable international ties that allow for rapid activation in crisis.
Naftogaz in 2025
Today, Naftogaz continues to seek assistance at an enterprise scale. The Naftogaz representative explained, “We are discussing a new round of tabletop exercises, but this time I want about a hundred people involved, with representatives from every enterprise, both cybersecurity and IT.” The company has also outgrown its original infrastructure: “At first, we bought a 100 MB/day license. Now we need around 2 TB. And that’s still not the limit.” The era of “any help is good help” has given way to one where sustained partnership and institutionalized capacity building define the next stage of Ukraine’s cyber defense. A critical challenge ahead, however, is competing priorities.
Ukrainian companies are now partially self-funding cyber defense, but kinetic attacks on infrastructure force them to divert resources to reconstruction. The Naftogaz representative highlighted that “We ask for continued support because two nights ago there was a missile attack on gas infrastructure. We’re going to [have to] spend the money on restoring wells [and] refineries.”
Similarly, while international partners can conduct assessments and offer strategic guidance, long-term cyber resilience cannot be outsourced. Providers note that there is no substitute for an in-house expert who will implement, build, and maintain the defensive ecosystems daily. As one observed, “There is capacity to assess cyber-risk, but unless boards are willing to own and sustain the implementation, resilience will not follow.” Ukrainian companies’ corporate boards have to prioritize and invest in the in-house teams and long-term capacity required to sustain resilience.
From the donors’ perspective, the long duration of the war has led donor companies to prioritize profit, business, and commercial engagements. CDAC notes that the level of assistance involvement has declined, and Volodymyr noted, “the main constraint now is the capacity to provide aid, not the demand in Ukraine.”
Final Remarks
For Ukraine, cyber resilience has become a matter of national security; for others, it remains a warning. The Naftogaz case study demonstrates two lessons for cyber resilience:
- Cyber resilience is a long-term investment, not a wartime reaction: Pre-conflict preparation, such as Naftogaz’s pre-war SOC and established international networks of trust, helped Naftogaz develop its cyber resilience.
- Continued cyber resilience in a conflict requires sustained partnership and institutionalized capacity building: A dual commitment, in which recipient organizations prioritize cyber defense and capacity building and donor organizations prioritize sustained partnerships, is critical to continued cyber resilience.
“My advice to other countries is to start preparing now. Cyber warfare is an additional dimension of modern conflict.”
– Naftogaz Representative
Naftogaz’s experience represents a microcosm of Ukraine’s broader cyber resilience, created by a blend of domestic initiative and international assistance. Yet, Naftogaz’s success also reveals the limits of the current model: the challenges in sustaining resilience at scale. The question is no longer whether Ukraine is resilient, but how far that resilience can stretch before the gaps begin to show.
This piece is a part of CDAC’s Blue Force Tracker and Conflict Analysis Initiative. Much of the following analysis draws on interviews with Naftogaz’s cybersecurity leadership, other engaged Ukrainian and international actors, and CDAC staff.
Written By Yevheniia Yefymoya

