December 13, 2022

Bits versus Bombs: Observations on Russian Offensive Cyber Operations in Ukraine


When Russian tanks rolled across the Ukrainian border on 24 February and reports surfaced of a parallel attack against the satellite provider Viasat, an ominous signal was given that the war had also escalated in cyberspace.

Since the invasion, however, the Viasat incident—which triggered outages in satellite communications but turned out to have limited tactical effects—remains one of the most notable destructive cyber operations so far in the ongoing war. The lack of large-scale destructive cyber operations that would have a long-term impact and significantly influence the military campaign has surprised many observers. Exploring why destructive cyber operations thus far have seemingly been of limited use or success allows for a better understanding of the role of cyber operations in modern conflicts and raises awareness of the threat posed by Russia.

First and foremost, the reasons for the limited nature of destructive cyber conflict are undeniably rooted in effective defences. The resilience of Ukrainians on the physical battleground is reflected in their capabilities in cyberspace. Since the Maidan Revolution, Ukraine has been forced to harden its defences by going through tough and unique ‘training’, as it became a testbed for advanced Russian cyber operations, including two somewhat successful attacks against its energy infrastructure in 2015 and 2016. Strong ties with Western governmental agencies and the tech sector have also proven to be remarkably effective and an important success factor since the invasion. Russian military failures on the ground provide a relevant signal as well: the lack of coordination and overestimation of capabilities based on the first phases of the invasion likely correlates with the level of preparedness and effectiveness of its ‘cyber forces.’

Second, the initial phases of the invasion show yet again that the idea of cyber operations being a competitive alternative to kinetic measures to cause decisive, large-scale, long-lasting, and destructive effects has been exaggerated. Such cyber operations tend to be resource-heavy, require a highly talented workforce, and take an extended time to prepare. Furthermore, once they are triggered, achieving effects over a meaningful timeframe is complicated. Simply put, it is still more efficient for a human operator to physically sabotage a power plant or for military forces to openly shoot missiles to terrorize the civilian population than to develop a covert sophisticated cyber weapon that may use vulnerabilities that can be patched relatively quickly. Up to now, offensive cyber operations have instead supplemented other domains of warfighting.

Third, Russian activities in cyberspace have really been about information—both in terms of obtaining information for espionage and producing information to support influence operations. Having access to actionable intelligence whilst staying undetected for as long as possible can provide a significant strategic advantage. In the balancing act of causing destruction versus gaining intelligence, the latter usually prevails. As for conducting influence operations that are supported by cyber offensive activities, recent history leaves no doubt that Russia is a cunning actor, and activities of such nature should not come as a surprise. Furthermore, in most cases, even if an attack’s immediate effect can be qualified as destructive—be it data wiping, denial of service, or even causing a short-term blackout—the actual goal for these operations appears to be cognitive in its nature: the (often limited) value lies in sending a certain message or causing distress and confusion.

Even though Hollywood-like scenarios of a ‘cyber Armageddon’ have not been realised, it is undeniable that Ukraine is facing an unprecedented level of offensive cyber activities. It is also undeniable that Russian behaviour is increasingly opportunistic and unpredictable. The apparent lack of cyber operations with large-scale destructive effects should not be taken as an excuse to disregard the Russian cyber threat or the importance of Western assistance to Ukraine to support all military domains. Whatever the course of the war, cyber operations will remain a viable vector for Russia to pursue its objectives. Ukraine and its allies need to stay vigilant by building upon the already established international cooperation arrangements to make sure these are sustained and able to adapt to any sudden changes in the adversary’s behaviour.

Views expressed in ICDS publications are those of the author(s).