Direkt zum Seiteninhalt springen

Cyber Operations in Russia’s War against Ukraine

Uses, limitations, and lessons learned so far

SWP Comment 2023/C 23, 17.04.2023, 8 Seiten



One year after Russia’s invasion of Ukraine, certain assumptions about the utility of cyber operations during wartime can now be put to the test. Russian cyber salvos opened this war, but they failed to achieve their objectives in the face of a resilient cyber defender. Joint cyber/conventional warfighting is still hard to implement due to its uncertain effects, the potential for spill-over, malware development cycles, and differing operational tempos. Cyber operations against Ukraine have not (yet) achieved major strategic effects in reducing Ukraine’s capacity to resist. Additionally, Russian information operations targeting Ukrainian and Western audiences fell on deaf ears. The greatest value of cyber operations therefore still appears to lie in their intelligence and reconnaissance functions.

Since the early 1990s, cyber warfare has been heralded by its proponents as a revo­lution in military affairs or a perfect weapon of war. Most of these discussions have been theoretical, often focusing on questions of how the application of cyber capa­bilities might meet or exceed the threshold of an armed attack and thus lead to conventional war. Yet few empirical studies examine the military operational utility of cyber capa­bilities during war. Over the past year of war in Ukraine cyber capabilities have been employed in the midst of a conventional war, allowing us to draw pre­liminary con­clusions about the potential game-changing nature of cyber capabilities when used as an instrument of war.

Three Western schools of thought

Cyber capabilities and wartime strategy

Literature on ‘cyber warfare’ is usually concerned with the application of cyber capabilities for politico-strategic or even criminal purposes rather than military operational ones. The strategic cyber war nar­rative of the 1990s saw cyber warfare as a next-generation front that would threaten modern society. One of the guiding frames of reference was the “Cyber Pearl Harbor” metaphor: With digital decapitation strikes, the power grid could be shut down, critical infrastructure destroyed, and entire econo­mies brought to a halt all without the need for physical military force. Within this nar­rative, cyber operations were seen as a stra­tegic counter-value capability that would target societies with the aim of affecting state behaviour during peacetime. In a nut­shell, cyber operations were expected to alter the balance of power in the inter­national system because they were per­ceived to be superior to conventional force.

As the field matured, however, expectations scaled down. Scholars like Martin C. Libicki pointed out that when it comes to the objectives of war, cyber war cannot disarm, “much less destroy”, the enemy. Moreover, in the absence of physical com­bat and violence, cyber warfare cannot result in territorial gains, which can still be considered one of the primary objectives of most modern wars. Furthermore, it is hard to bend an adversary to one’s will – the famous Clausewitzian purpose of war – by relying on digital means alone. Research has also shown that strategic attacks against civilians rarely contribute to war-winning objectives, and secondly, are difficult to orchestrate against thousands of different systems that control critical functions of modern societies. Unlike conventional weaponry, many cyber operations are tar­get-dependent, meaning they cannot be used indiscriminately against any system, which complicates operational planning. Furthermore, with such complex attack chains, there is always the risk of failure and unintended cascade effects that could actually backfire on the attacker.

Cyber capabilities on the battlefield

Since the mid-2000s, cyber warfare has not been seen as a standalone capability that elicits effects independent of kinetic con­flict, but rather as a compliment to conven­tional capabilities. In other words, cyber operations can serve as a force enabler/multi­plier for conventional capabilities when used in a joint and combined fashion. Here, cyber operations in war are not necessarily measured by their strategic effects but are rather seen as a counter-force capability that can be directed against enemy armies. One example is the X-Agent malware that infil­trates targeting equipment that guides artil­lery fire and then leaks the geolocation of artillery positions to enemy forces, which then directs counter-battery fire. Within this conceptualisation of cyber capabilities, the application of cyber means matches well with the ideals of manoeuvre warfare and paralysing the enemy with surgical or acupunctural strikes.

While studies show that military hardware has plenty of vulnerabilities that can be exploited by cyber operations in theory, in practice, this is hard to operationalise. A study by Nadiya Kostyuk and Yuri M. Zhukov on the use of Distributed Denial-of-Service attacks and kinetic military operations in Syria (2013) and eastern Ukraine (2014) shows that timing is often off in joint opera­tions. Conventional attacks and disruptive cyber operations have different planning times and different operational tempos, which makes it hard to achieve joint effects. Malware, for example, has lifecycles: It must first be developed, tested, and then deployed toward adversary IT to produce effects until it is discovered and mitigated. This takes time, often weeks or months. In principle, a single software update or change in con­figurations on the part of the defender has the potential to nullify the effect of mal­ware. Malware is much more target-specific than bullets. Lastly, to synchronise its effects with ground operations, malware might need live command and control connections to the outside world, which might be in­feasible in a combat environment that em­ploys active electronic warfare inter­ference. Therefore, a cyber operation might be use­ful in the early stages of war as a type of first strike, but the longer that hostilities last, the harder it is to keep operational stock­piles of functional malware and to main­tain backdoor access to adversary systems.

Additionally, it is difficult to coordinate manoeuvres between conventional and cyber forces. First, conflicting goals are an issue: intelligence-oriented actors tend to favour hidden long term access to a system (cyber espionage or presence-based opera­tions) over short-term disruptions of sys­tems (so-called cyber-effect operations), which will likely lead to the discovery of the used backdoor and thus burn the capa­bility. Second, the geographies of the digi­tal and conventional battlefields rarely align. The US learned this with Operation Glowing Symphony as it targeted ISIS’s digital infrastructure. ISIS relied on digital services in dozens of countries and the take­down/takeover of these assets by way of cyber operations needed to be coordinated with allies and third-party countries. Furthermore, ISIS proved to be cyber resil­ient; it quickly rebuilt its disabled infrastructure. Operation Glowing Symphony showed that not ad hoc, but continuous cyber engagement is more effective, and that the utility of cyber operations in war lies less in their disruptive or destructive effects, but more in their intelligence col­lection and psychological capabilities. If an adver­sary fears that their network is com­promised and someone is listening to them, they will switch to other means of com­munication, thus slowing and complicating their operational planning. Erica D. Borg­hard and Shawn W. Lonergan conclude that another utility of cyber operations in war might be their ability to target logistic systems, as these are often civil and less secure than military systems. Still, many conclude that cyber capabilities work best for intelligence and reconnaissance func­tions and do not replace conventional weapons. In many instances, it is quicker, simpler, and less costly – and more effec­tive – to neutralise a target with airstrikes or artillery fire, rather than by way of a cyber-effect operation.

Cyber capabilities between peace and war

Since around 2014, much emphasis has been placed on the hybrid or grey zone nature of cyber capabilities. Within this understanding, cyber activity is perceived not as a destructive force of war, but as an intelligence contest or strategic competition in which the primary goal is not to disable armies but to subvert, exploit, and shape the cyber and information environment. More so, the main utility of cyber operations is the theft or manipulation of infor­mation for political, economic, or even criminal purposes. The effect of these oper­ations on the balance of power within this narrative is twofold: First, they can be used to influence political discourse and pro­cesses, for example, weakening Western democracies in peacetime; and second, they can allow attackers to reap strategic gains in the form of long-term cyber espionage, as seen in the Chinese or North-Korean model of cyber-statecraft.

This reading of cyber operations is heavi­ly inspired by two trends: Firstly, under international law, most cyber operations are not seen to meet the legal criteria of use of force or an armed-attack, and thus can­not be used to justify the self-defence clause under Article 51 of the UN Charter. In many cases, cyber operations are intentionally designed to fall below the threshold of war, not risking escalation of armed or violent retaliation, much less war proper. Similarly, the defender might also have an interest in not escalating its response to such activity. Secondly, the normative narrative sur­rounding cyber activity has been shaped by Russia’s application of such capabilities since its 2014 annexation of Crimea, and through to its attempts to meddle in the 2016 US presidential elections.

Expectations before the Russia-Ukraine war

Before Russia’s physical invasion of Ukraine, many intelligence agencies expected some sort of digital first strike. In its invasion of Georgia in 2008, Russia used large-scale Distributed Denial-of-Service attacks to temporarily overload and disrupt the Geor­gian government and media websites as Russian troops crossed the border. One goal of this approach was to thwart Georgian communication with the wider world, and thereby to shroud the situation in the pro­verbial fog of war. Over the years, Russia has cultivated its image as a “larger than life” cyber power that has dramatically beefed up its game. Russian Advanced Persistent Threat (APT) actors seemed to infiltrate net­works everywhere, from government agen­cies and electoral processes through to criti­cal infrastructure, the latter of which caused two power outages in Ukraine (via the Black­energy and Industroyer malwares). In this context, many in the intelligence community expected cyber operations to lay the groundwork for Rus­sia’s conventional invasion by, for example, disabling the power grid, communications systems, or government ministries. Indeed, “all of those systems have been Russian tar­gets in the past six years”, as David Sanger wrote in the New York Times in February 2022, basing his evaluation on a secret intelligence assess­ment. Suddenly, the Cyber Pearl Harbor meta­phor was back on the table. Disabling these essential systems en masse would make military sense as it would hamper Ukraine’s ability to coordinate its defences. Some also feared unintentional spill-over effects from indiscriminate malware – as seen with Not-Petya a few years earlier – which could accidentally draw other parties into the con­flict. Still, CrowdStrike’s Dimitri Alperovitch scaled-down expectations, arguing, “Russia is likely to conduct three types of campaigns in cyberspace to support its military objec­tives: intelligence gathering operations, operations aimed at disrupting or deceiving the Ukrainian military, and psychological operations against the Ukrainian public.”

Russia’s application of cyber and information warfare capabilities against Ukraine in 2022

The total number of operations within the Russia-Ukraine war may not be known, but in August 2022, the Computer Emergency Response Team of Ukraine (CERT-UA) re­ported over 1,123 cyberattacks in the first half of the war. This represents a three-fold increase in cyber activity to the pre-war period. In January 2023 CERT-UA reported that it responded to more than 2,194 attacks. Still, the estimated number of unreported or unpublished cases remains unclear. Within the framework of the European Repository of Cyber Incidents project, we tracked numerous incidents as well. There are lessons to be learned from the way Russia has employed cyber and information means – and the way Ukraine has man­aged to avert or rein in the attacks.

Cyber operations require preparation

As was expected by researchers, intelligence gathering seems to be the primary utility of cyber operations (also) in war. Russian intel­ligence’s preparation of the battlefield started well before the February 2022 offen­sive commenced. Intelligence informing either conventional or digital strikes was collected in advance, likely assisting the Russian federal military intelligence agen­cies and armed forces in identifying targets. Russian network reconnaissance increased in quality and quantity in late 2021. Linked to the Russian Foreign Intelligence Service (SVR), the APT group Nobelium was identi­fied as one rather active actor in this regard since May 2021. Also, during this time, Rus­sian state actors and affiliated threat actors made continual attempts to compromise Ukrainian communication, transportation, energy, defence, administrative, and diplo­matic systems and services. Also, Russia’s Federal Security Service (FSB) groups have been involved in cyberattacks and intelligence activities targeting Ukraine.

Prebunking and open-source intelligence

Before hostilities broke out, Russia made numerous attempts to fabricate a casus belli. This includes multiple Russian information operations on Telegram and Twitter that tried to paint Ukraine as an attacker while Russia merely tried to defend itself. Across traditional and social media, Ukraine and the US have been accused of manufacturing biological weapons in secret laboratories, a recycled story from the 1980s that was also regurgitated when Russia invaded Georgia in 2008. Moreover, videos displaying alleged Ukrainian sabotage of Russian targets and Ukraine’s supposed shelling of a Kinder­garten surfaced online just days before Rus­sia’s invasion. Nonetheless, these attempts to shape public perception were quickly debunked by the Open Source Intelligence community as it conducted forensic ana­lyses of the material. The US intelligence community also engaged in efforts to “pre-bunk” Russian narratives, countering them in advance.

A cyber-opening salvo

On 23 February 2022, one day before the invasion, the Russian military intelligence agency (GRU) launched several destructive data-wiping cyberattacks against the Ukrai­nian government and other IT, energy, and financial organisations. These attacks were meant to support the coming land and air strikes. By deleting data on government systems, Russia was likely attempting to slow the coordination of Ukrainian defence forces and government services. It was ex­pected that cyber capabilities could be used in this way in the run-up to the war, but this use of highly-destructive wiper malware in multiple iterations had a new quality to it. The wiper malware capabilities also showed how far cyber warcraft had evolved since the war in Georgia 2008.

Even for successful hacks, results are uncertain

Moreover, Russia’s 24 February 2022 attack on Viasat satellite communications provides some interesting lessons. This cyber opera­tion shut down satellite communication over Ukraine and Europe, creating un­intended spill-over effects by deactivating the satellite modems of German wind turbines. Although the cyber operation was technically successful, it did not manage to hamper Ukrainian command and control and intelligence operations. Ukrainian officials later claimed that it actually had a negligible operational impact, as satellite communications were never the primary means of communication for the Ukrainian military but rather a redundancy option. Although Ukraine has a vested interest in belittling the effects of this attack, the Viasat example still leads us to conclude that:


it is hard to contain cyber operations against widely used systems without creating the risk of unintended spill-over when third parties are involved;


even a technically successful cyber opera­tion might not achieve its goal, creating significant uncertainty for military plan­ners who are relying on these effects in joint operations; and


in cyber warfare, defenders would do well to practice redundancy and have an analogue fall-back option that cannot be accessed by cyber operations.

Joint manoeuvre/cyber operations are difficult

Another finding of this analysis relates to the joint use of cyber and conventional operations towards common goals. For some, the Russian approach during the early stages of the war seemed chaotic. Russia’s conventional military attacks have indiscriminately targeted civilian and socie­tal targets that had no direct significance to ongoing tactical or operational manoeuvres. Moreover, an April 2022 Microsoft report observed that Russian state APT actors conducted cyber intrusions together with kinetic military action but the different types of attacks did not appear to function well in concert. Indeed, Russian cyber­attacks targeted the same organisations and services that the conventional military fire, missiles, rockets, and bombs did, so as government data was hit by missiles, government on-premises computer networks were targeted by destructive data-wiping cyberattacks. While Microsoft noticed that Russian cyber­attacks managed to disrupt technical ser­vices and to create a “chaotic information environment”, it claims to be unable to evaluate the broader strategic impact of Russian cyber and information operations, for example, those pushing for the erosion of public confidence and deterio­ration of the capacity of Ukrainian military defence.

Still, this reading of events is contested by many observers, such as security expert James A. Lewis, who bluntly commented that “all these hacking efforts [...] seem to have been poorly coordinated with Russian military actions in Ukraine.” Gavin Wilde notes that the most advanced military cyber forces are still wrestling with how to effec­tively integrate cyber capabilities into con­ventional military operations, pointing out that “Russia doesn’t appear to have done so thus far.” Jon Bateman also concludes that “Russia seems unwilling or unable to plan and wage war in the precise, intelligence-driven manner that is optimal for cyber operations.”

There are multiple reasons for this, such as poor strategy, insufficient intelligence preparation as well as over-burdening secrecy and mistrust that made inter-agency planning difficult. Like ground troops that did not know they were going to attack, Russian cyber and conventional forces seemed to lack the same joint preparation. The lesson to be learned is that cyber and conventional operations are hard – but not impossible – to coordinate.

Achieving physical effects with cyber means is difficult

In April 2022 researchers discovered Indus­troyer2, a malware designed to affect in­dustrial control systems within Ukraine’s energy grid. It represented an evolution of the same malware that knocked out Kyiv’s power grid in 2016 for a few hours. So far, this is the only publicly known reference to malware that could potentially be designed to cause a physical impact in Ukraine (ob­servers should keep in mind that many potentially impactful cyber incidents remain unknown due to secrecy). Incident respond­ers were able to deactivate the Industroyer2 malware before its programmed timer was initiated. This malware shows cyber opera­tions’ potential to cause physical damage, but also their limitations. The effect was mitigated before it could do anything, un­doing probably years of malware development. Conversely, conventional bombings were able to shut down more than 40 per cent of Ukraine’s power grid. The finding is clear: In war, conventional means are often quicker, cheaper, and more precise, their outcomes more certain and – usually – more destructive than cyber operations.

Cyber operations did not produce strategic effects

Regardless of the type of attack, the main purpose of Russian cyberattacks seems to have been to cripple the Ukrainian state and society on a strategic level. Rather than destroying or inhibiting the Ukrainian mili­tary forces or weapon systems, Russian cyber operations targeted the overall will of the Ukrainian people and their capacity to defend themselves. Still, there is little evidence that these operations produced strategic effects such as Ukrainians’ dimin­ished will to resist. On the contrary, research shows that strategic attacks on civil infra­structure don’t reduce an enemy’s will to resist, but rather spark a rally around the flag effect that generates strong support for the defending country’s leadership. This holds true for Ukraine: The early volleys of Russian cyber and conventional attacks on broadband internet access in the first days of the war were likely intended to isolate the Ukrainian government in the very moment of a major military offensive. While successful in Georgia in 2008, Russia failed this time.

The lack of strategic and military operational significance of Russia’s cyber opera­tions surprised many observers. According to James A. Lewis, Russia has been unable to disrupt “finance, energy, transportation, and government services to overwhelm defenders’ decisionmaking and create social turmoil.” After observing four months of the war, he went so far as to declare that “[c]yberattacks are overrated. While invalu­able for espionage and crime, they are far from decisive in armed conflict.” One of the likely reasons for this is that Ukraine learned from and adapted to previous Russian cyber operations. It built capacities and a cyber workforce, streamlined interagency coordi­nation, including the urgent reduction of bureaucratic barriers, and conducted cyber-range exercises to glean from Russian activi­ty. As in all domains of warfare, constant learning, adaptation, and innovation are key.

Information operations win hearts and minds

Shot amid Russia’s first cyber and conventional strikes that tried to neutralise Ukrai­nian leadership, President Volodymyr Zelensky’s February 25 “we are all here” video message became one of the most im­pactful information operations in history. In these 37 seconds, the world realised that the Russians had not succeeded, and that the fight had just begun. Since then, the Ukrainian government has skillfully navi­gated the information environment, pur­suing multiple goals whether by (successfully) rallying for international military and humani­tarian aid or by mocking Russian incompetence online. It can be stated that, at least in the Western infosphere, Ukraine has won the battle for the hearts and minds – one of the primary psychological goals in any major war. This also led to an outpouring of support by international hacktivists communities that quickly joined the ranks of the IT Army of Ukraine, hacking into all sorts of Russian government and busi­ness infrastructure. As a result, there is now an unprecedented amount of leaked mate­rial on the notoriously secretive Russian state.

Nonetheless, the Russian state’s oppressive information security practices have managed to insulate the domestic informa­tion sphere from Western influence. More­over, despite being condemned by certain UN General Assembly resolutions, Russian diplomacy, anti-Western messaging, and military presence have all prevented many developing countries from expressing their resistance to the Russian invasion let alone offering their active support to Ukraine.

Cyber resilience is key

Ukraine’s cyber defenders have shown skill and flexibility in fighting off Russian cyber operations. It is reported that some govern­mental networks were back in operation a mere hours after they had been deleted by wiper malware. This essentially nullified some of the strategic effects of the wiper operations. A few key takeaways observed in Ukraine’s wartime cyber efforts include:


moving government data to faraway cloud storage creates resilience and en­hances threat detection speeds;


Western threat intelligence sharing and threat-hunting activities were likely in­fluential in uncovering many operations before they could trigger effects – Ukraine has been operating at a high tempo to pre-emptively use this knowl­edge to defend against coming attacks;


cyber operations seem to work best when they are unexpected, but when defenders are agile and proactively anticipate the coming moves, it becomes harder for the attacker.

Lessons learned

Russian cyber activities have primarily focused on intelligence gathering, data destruction, and Denial-of-Service attacks on critical infrastructure. Surprisingly, thanks to Ukraine’s proactive cyber defence and societal resilience, this kind of cyber war­fare has not produced significant strategic, operational, or tactical benefits for Russia, at least as far as we know publicly.

Still, just because Russia wasn’t able to align its digital and analogue manoeuvres this time doesn’t mean that others cannot learn from this failure and do so in the next major war. Nonetheless, better algorithms alone will not balance the inherent weak­nesses of offensive cyber operations: they require excessive time, are target-dependent, and might simply fail against an agile, pro­active defender. Although imperfect, cyber-defence is not futile, even against prolific attackers. To be successful, it requires flexi­bility, speed, forward-thinking, useful threat intelligence, and streamlined inter-ministerial processes to reduce information silos, as well as exercises and training. De­fence planning in the cyber domain requires a whole-of-government-and-industry ap­proach. When it comes to offensive war­time cyber operations, the uncertainty of war makes significant cyber-effects hard to achieve. One possible line of action may be to better align network operations with electronic warfare, information operations, intelligence operations, and physical destruc­tion of key adversary nodes of communica­tion, command and control, and logistics. This course would require extensive joint exercises. Policy and joint operations plan­ners should also be modest in their plan­ning: Cyber operations are useful for intel­ligence gathering, subversion and shaping information spheres, but they are not a sub­stitution for decisive military force. Since the effects of cyber operations are target-dependent, military planners would do well to establish contingency plans in case they fail. Planners should also avoid overly com­plex attack chains wherein downstream conventional operations depend heavily on upstream cyber opera­tions. For NATO, this means more joint training, and potentially the integration of cyber-ranges into operational planning.

Lastly, the full picture won’t be known until after the war, when we can evaluate the significance of Russian information war­fare in light of Russia and Ukraine’s depen­dencies, intentions, and priorities, as well as their conventional and covert manoeuvres and counter-manoeuvres.

Dr Matthias Schulze is Deputy Head of the Security Research Division at SWP. Dr Mika Kerttunen is a Visiting Fellow at SWP. This paper is based on research conducted by the European Repository of Cyber Incidents (EuRepoC) Project, of which both authors are members.
The authors are grateful for valuable comments by James Lewis, Martin Libicki, Martin Müller, Tuomo Rusila, and Max Smeets, and the researchers at SWP’s Security & Eurasia Research Divisions.

© Stiftung Wissenschaft und Politik, 2023


Stiftung Wissenschaft und Politik

ISSN (Print) 1861-1761

ISSN (Online) 2747-5107