Espionage, Disruption, Degradation, and Destruction: An Analysis of Cyber (In)security during the Russia-Ukraine War

The Russian invasion of Ukraine on 24 February 2022 is the fourth time Russia has used its military might against a neighbor since the end of the Cold War. Ironically, this was also the seventh time that Russia resorted to cyber operations as part of the invasion, or as a standalone instrument of aggression against a neighboring state. Historically, Russia has a significant track record of cyberattacks/interference in other countries, against near neighbors and around the globe. Estonia stands out as a stark example of a Russian full-scale cyber offensive. These (mostly) DDoS (Distributed Denial of Services) attacks against Estonia (a pioneer of European e-governance) included the presidency, ministries, political parties, six of the biggest news organizations, and two of the largest banks. The entire country was brought to an economic halt for five days.

Russia repeated these attacks against Georgia in 2008 over the issue of South Ossetia. However, this time the attacks were targeted against social media such as Facebook and Twitter, etc. The attacks did not cause much economic loss; however, a psychological impact of cyber terrorism was experienced by the Georgians. Others on the list of the Russian global cyber victims are countries such as France in 2017; Germany in 2015; Kyrgyzstan in 2009; Poland in 2019; Romania in 2022; South Korea in 2018; Ukraine in 2014, 2016, and 2021 to 2023; the UK in 2016; and the US in 1999, 2008, and 2015 to 2021.


The causus belli in case of the Russian invasion was explained by Putin’s pre-war essay, On the Historical Unity of the Russians and Ukrainians. With the Russian invasion of Ukraine, there existed expectations that kinetic and non-kinetic means of warfare would be combined and applied in unison by the Russians. However, playing by the propaganda handbook, Russians made analysts/researchers believe that the non-kinetic dimension was either not applied or was not yielding the desired results. Towing this line of thinking, James Lewis argued that “cyber operations have provided little benefit”, to Russia and “failed to advance Russian goals”. Kostyuk and Brantly, in the Journal of Contemporary Security Policy, argued that Russian cyberwar “did not have any strategic impact on Ukraine’s warfighting capabilities”, and “do not appear to have impacted the course of the war”. In this vein, the CyberPeace Institute added that Russian cyber operations against Ukraine were not playing a major role in tactical advances. Similarly, Microsoft described Russia’s cyberwarfare as voluminous, skillful, militarily innovative, and historically important, however, downgraded the operations achieving limited operational impact, and failed to put a dent in the Ukrainian defenses.

Quite to the contrary, DDoS operations by Moscow against Kyiv targets included military command and control centers, communication infrastructure, civil emergency services, the defense industry, IT services, energy services, and, most significantly, the satellite internet provider KA-SAT – a vital source of information and communication for Ukrainian military, intelligence and police services. David and Daniel estimated that the pre-kinetic Russian cyber operations surpassed the sum of all such operations conducted by the rest of the world’s cyber powers in a year.  Geremy Fleming, the director of the UK’s General Communication Headquarters (GCHQ) called it “a fallacy to say that cyber has not been a factor in the war in Ukraine”. Similarly, Matt Olsen, US attorney general for national security claimed that we are effectively witnessing a “hot cyberwar in Ukraine” carried out by the Russians.

The second noteworthy aspect is the magnitude and frequency of these attacks used in this ongoing war. The reports regarding the cyber attacks were shrouded by the classic “fog of war” as postulated by Clausewitz, and his claim that “war is a realm of uncertainty; three-quarters of the factors on which actions in war is based are wrapped in the fog of greater or lesser uncertainty”. This is an accurate depiction of the Russian cyber warfare in Ukraine. These operations have mostly focused on a dovetailing of the kinetic and non-kinetic operations, conducting more than 2,194 cyberattacks against Ukraine since the inception of the war almost 18 months ago, with 1,123 attacks during the first six months alone. These cyberattacks are mostly aimed at espionage (intelligence gathering), disruption (DDoS), degradation (critical infrastructure), and destruction (of data). The CyberPeace Institute estimated that these attacks have mostly targeted public administration, the financial sector, media, ICT, transportation, and energy sectors, both in Ukraine as well as in Russia as part of the counterattacks by the former. The institute further claims that a large number of cyberattacks have also targeted Ukrainian allies such as Poland, Latvia, Japan, and the US, besides a host of EU countries. This observation leads us to believe that not only the target country (Ukraine in this case) but also the allies, neighbors near and far, are equally vulnerable to cyber warfare. The cyber counteroffensives by the Ukrainians also exposed many weaknesses in the Russian cyber defense systems, subjecting this nuclear nation to an onslaught from both state-sponsored and civilian cyber warriors. The interest of cyber peace scholars is to prevent any escalation of hostilities, especially in the nuclear domain. The issue is conceptually elusive as there are a host of factors relevant to such escalation, and history is full of dependent variables in search of competing explanations. Relatedly, military cyberwar has been used in the past to attack nuclear production facilities – Duqu, Stuxnet, and Flame, used in the 2010 attacks against Iran, were successful in the destruction of almost one-fifth of the Iranian centrifuges.

Cyber-nuclear overlap also merits serious attention in light of the lessons learned in the Russo-Ukraine war. There is one school of thought that favors adopting “redundancy”, both for data and physical protection of the critical materials, followed by a “retreat to analogue” option. A combination of these two could make it difficult for cyber attackers to undertake any (mis)adventure escalating to a possible nuclear catastrophe. Another school of thought advocates an AI technological intervention to resolve the cyber–nuclear overlap by outsourcing the nuclear warning systems, attack assessment, and response parameters to the AI machines. These functions may not be solely outsourced to AI, however, the speed and accuracy of AI options might prevent human delays and error, resulting in an inadvertent nuclear escalation.

The Russo-Ukrainian war also brings these important lessons for nuclear-armed adversaries such as India and Pakistan. Although the cyber and nuclear domains remain relatively illusive for the most part, both nations need to prepare for any unforeseen and accidental escalation. Referring to the limitations of cyberwarfare, Martin C. Libicki in his treatise Cyberdeterrence and Cyberwar notes that in meeting the objectives of war, cyberwar cannot disarm an enemy, “much less destroy” it. Additionally, in isolation, it cannot result in territorial gains, and the offensive forces will need to couple these operations with kinetic military operations. Finally, in fulfillment of the famous Clausewitzian purpose of war, it is hard to template an adversary’s will by cyberwar alone. Cyberattacks are difficult to manage as part of a strategy orchestrated against thousands of systems controlling the services and social functions in modern societies. An indiscriminate use of cyberwar could up the ante and take the war closer to the nuclear threshold.


About Dr. Waseem Iftikhar Janjua 1 Article
Dr. Waseem I. Janjua holds a PhD in Peace and Conflict Studies from the Center for International Peace and Stability (CIPS), National University of Sciences and Technology (NUST), Islamabad.

Be the first to comment

Leave a Reply

Your email address will not be published.