After Russia invaded Ukraine, many observers initially expected cyberattacks to steal the limelight as a major instrument in Russia’s arsenal. But after a month of fighting, a host of prominent scholars and analysts of cyberconflict have reached the opposite conclusion. Russia’s activities in cyberspace, they claim, have been paltry or even nonexistent. They have dismissed the role of cyber-operations, variously proposing that digital preparations for the invasion in Ukraine never occurred, were haphazard or lacked any real impact, or were mere continuations of Russia’s long-term cyber-activity against Ukraine that fell below the threshold of outright war.
This is a dangerous misdiagnosis. All available evidence indicates that Russia has employed a coordinated cyber-campaign intended to provide its forces with an early advantage during its war in Ukraine. The apparent disconnect between these observed incidents, on the one hand, and the public analysis that Russian cyber-operations have been minimal, on the other, is jarring. Preconceived notions of the role of cyberattacks on the battlefield have made it hard for analysts to see cyber-operations in Ukraine for what they are and for the role they play within Russia’s military campaign. Leaning on these preconceptions will only lead to future policy and intelligence failures. Cyberspace is still a nascent domain of operations, and events in Ukraine will have outsized implications not just for any appreciation of Russian cyberpower but for an understanding of the nature of cyberconflict itself.
The belief that cyber-operations have played no role in Ukraine does not stem from a lack of real-world impact. To the contrary, the magnitude of Moscow’s pre-kinetic destructive cyber-operations was unprecedented. On the day the invasion began, Russian cyber-units successfully deployed more destructive malware—including against conventional military targets such as civilian communications infrastructure and military command and control centers—than the rest of the world’s cyberpowers combined typically use in a given year.
The cumulative effects of these attacks were striking. In the hours prior to invasion, Russia hit a range of important targets in Ukraine, rendering the computer systems of multiple government, military, and critical infrastructure sectors inoperable. Forensic analysis by Microsoft, the cybersecurity company Symantec, and the Slovak firm ESET has found that these attacks affected numerous government agencies, military institutions, civil emergency services, and a range of other critical infrastructure sectors such as defense industrial base manufacturers, information technology services, and energy companies directly relevant to Ukraine’s military capacity.
Cyber-enabled sabotage also knocked offline the satellite Internet provider KA-SAT, which Ukraine’s military, intelligence, and police units depend on. Victor Zhora, the deputy chief of Ukraine’s State Service of Special Communication and Information Protection, has characterized the satellite outage as “a really huge loss in communications in the very beginning of war”. U.S. defensive cyberspace operations prevented further Russian attacks from disrupting the railway networks that were being used to transport military supplies and help millions of Ukrainian citizens evacuate.
Russia continues to draw from its wartime arsenal of cybertools, deploying additional destructive malware on a weekly basis. Cities under siege from Russian shelling, including Kharkiv and Kyiv, have experienced cyber-enabled disruptions to Internet services. Ukraine’s national cyber-authorities continue to expose intrusion attempts by Russian and Belarusian cyber-units. All of this has occurred against the backdrop of a series of website defacements, denial-of-service attacks, and other destabilizing cyber-operations intended to produce chaos and further exhaust Ukraine’s cyberdefenses.
If observers see this cyber-offensive as a series of isolated events, its scale and strategic significance get lost in the conventional violence unfolding in Ukraine. But a full accounting of the cyber-operations reveals the proactive and persistent use of cyberattacks to support Russian military objectives. The misperception that Russia has been restrained or ineffective in the prosecution of its cyberwar on Ukraine likely stems from the fact that Russia’s cyber-operations have not had the standalone, debilitating effects that assessments before the war imagined they would have. But those assessments pose an unrealistic test of strategic value. No single domain of operations has an independent, decisive effect on the course of war. Nevertheless, the lack of overwhelming “shock and awe” in cyberspace has led to the flawed presumption that Russia’s cyber-units are incapable, and even worse, that cyber-operations have offered Russia no strategic value in its invasion of Ukraine.
Analysts should assess the use of cyberpower in its proper context. Evaluating Russia’s cyber-operations in Ukraine is impossible without accounting for the multiple tactical and strategic errors that have bedeviled other aspects of Moscow’s military campaign. Russian planners expected a swift victory in Ukraine, but their strategy failed for multiple reasons: inadequate coordination and preparation, the underestimation of the strength and resilience of Ukraine’s military, and various intelligence lapses. Russia’s missteps and struggles have almost certainly hurt its ability to fully employ its cyber-program in support of its conventional forces.
But even with those limitations, Russian cyber-units successfully attacked a range of targets in accordance with Russia’s war plans. Russian cyberattacks on government and military command and control centers, logistics, emergency services, and other critical services such as border control stations were entirely consistent with a so-called thunder run strategy intended to stoke chaos, confusion, and uncertainty, and ultimately avoid a costly and protracted war in Ukraine. Indeed, Russian cyber-units have demonstrated their ability to succeed without a great deal of advance warning and direction, and despite the overarching difficulties hampering Russia’s military effort.
The reason for this relative success lies in the unique nature of competition and conflict in cyberspace. Unlike troop buildups or other forms of military mobilization that are infrequent and highly visible, cyber-operations are the result of operational cycles that occur covertly and continuously through peacetime and wartime. The targeting of sensitive networks during peacetime lets attackers lay the groundwork for malware intended for wartime use. The methods attackers use to establish initial footholds for espionage activities are indistinguishable from those that precede cyberattacks. For cyber-units, war does not fundamentally change the way they prepare or start to fight.
Russia’s cyberattacks prior to the invasion suggest methodical preparations, with the attackers likely gaining access to Ukrainian networks months ago. This stands in stark contrast to the evident lack of preparation across Moscow’s other military instruments, including on the ground, in the air, and in its frequently used influence operations through media and social media. Russian cyber-units did not need direct military orders to prepare for the invasion or to generate new capabilities for the war. The operational realities of cyberspace required them to be ready well in advance. Russian cyber-units will probably continue to be in a state of permanent readiness and capable of supporting tactical and strategic objectives on short notice, either in Ukraine or beyond, as the war persists.
The emerging consensus that claims Russian cyber-operations were ineffective misses the bigger picture. Russia’s strategy failed to capitalize on the full capabilities and numerous operational successes of its cyber-units. For instance, Russian cyber-units have not yet shut down electricity or Internet connectivity on a massive scale in Ukraine. That does not mean Russia is incapable of such attacks, as some observers have suggested, but that it envisioned a swift victory and did not see the need for such widespread, indiscriminate disruptions. In all likelihood, Russian military units were reliant on Ukrainian civil infrastructure for their planned seizure of Kyiv and could not risk blowback to their own operations. Russia is almost certainly capable of cyberattacks of greater scale and consequence than events in Ukraine would have one believe. Moscow has significantly improved its ability to conduct comprehensive cyber-operations in recent years and has actively invested in its cyber-capabilities, developing new and harder-to-detect variants of its more advanced malware and operational infrastructure.
The war in Ukraine is not over. Russia has been forced to change its operational approach, and Western intelligence points to Moscow shifting toward a strategy of attrition. With the likelihood that the conflict will become a protracted war, Russia will probably not exercise restraint in its use of additional disruptive and destructive cyber-actions. Russian President Vladimir Putin is most likely to double down on early cyber-successes and seek to further disrupt and undermine government, military, and civilian infrastructure, as well as defense industrial base enterprises. Russia’s recent attempts to strike the same targets it hit on the day of the invasion with additional destructive malware indicate this new phase of the conflict is well underway.
Although less visible than cyberattacks, cyber-enabled espionage—the theft of sensitive information, in this case from Ukrainian networks—is also likely to play a grisly role in the Russian offensive. Russia’s Federal Security Service has allegedly used personal information stolen from Ukrainian federal databases to draw up kill lists of people who could lead a Ukrainian resistance movement in the event of a Russian victory. And as the war carries on, Russia may be increasingly tempted to tap into the latent strategic potential of hacking collectives aligned with the Kremlin that specialize in ransomware and can unleash chaos at a moment’s notice.
Western policymakers should also be prepared for cyber-operations to spread beyond the confines of Ukraine. Several Russian cyber-operations since the invasion have already had spillover effects into NATO countries, affecting critical sectors and civilian Internet connectivity across Europe. Russia knowingly accepted the risk that its cyberattacks would cause collateral damage and has a history of similar reckless behavior. The U.S. Office of the Director of National Intelligence’s Annual Threat Assessment released in March judged that “Russia is particularly focused on improving its ability to target critical infrastructure … in the United States as well as in allied and partner countries”. Active Russian preparations for future cyber-operations indicate that this is not an idle threat.
Cyber-operations have been Russia’s biggest military success to date in the war in Ukraine. They will continue to provide Moscow a flexible tool capable of hitting a range of targets in Ukraine and beyond. Disregarding their unprecedented use will only leave policymakers and analysts unprepared for what’s next. A clear-eyed view of the role cyberwarfare has played so far in Ukraine and a better understanding of its place in modern warfare are imperatives for NATO’s collective security and for managing the risks of escalation looming in cyberspace.
David Cattler is Assistant Secretary General for Intelligence and Security at NATO. Daniel Black is Principal Analyst in the Cyber Threat Analysis Branch at NATO.