top of page

Cyber Operations in Armed Conflict

In today's post, we're going to delve deep into the dynamic landscape of cyber operations within the context of armed conflict.

My insights are primarily drawn from the enlightening report by FP Analytics. While I will be using the report as a foundation, I have added on top my own analysis and interpretations

For a comprehensive understanding, you can access the full report here:

Let's dive in and unravel the complexities of this digital battleground

The digital domain is increasingly a battleground for state and non-state actors who are leveraging capabilities in cyberspace to advance strategic geopolitical goals.

As we step into this digital era, the battleground is no longer confined to the physical realm; it has expanded into the digital domain. State and non-state actors alike are harnessing the power of cyberspace to achieve strategic geopolitical goals, changing the face of warfare as we know it.

In this article, we'll navigate this complex and ever-changing landscape, analyzing the key insights and revelations from the FP Analytics report on 'The Evolution of Cyber Operations in Armed Conflict'.

Hybrid Warfare and the Increasing Use of Cyber Operations

Hybrid warfare represents a blend of conventional military tactics and non-military strategies employed to accomplish foreign policy objectives. Though it's not a new concept, the nature and extent of Russia's hybrid warfare techniques used in Ukraine, particularly cyber operations, are without precedence. Cyber operations, using digital technology to surveil, disrupt, corrupt, or destroy government, civilian, and information infrastructure, are rapidly growing in sophistication and frequency. These operations are emerging as a critical domain of hybrid warfare.

The ongoing war in Ukraine has demonstrated an urgent need for a comprehensive understanding of these operations. It's crucial that we not only understand the numerous manifestations of cyber operations but also devise effective strategies to mitigate their devastating impacts.

The issue brief I'll be discussing here was produced by FP Analytics, supported by Microsoft + I added few of my own insights. It dives deep into the evolution of cyber operations in modern armed conflicts, offering a robust examination of how this battlefield is transforming. This brief is part of a larger research project, the Digital Front Lines, that blends data visualization and expert analysis from luminaries across public, private, and nonprofit sectors worldwide.

The Digital Front Lines project casts a focused light on the escalating risks, the emerging implications, and the crucial opportunities tied to the challenge of hybrid warfare. It highlights the pressing need for cooperative action and innovative solutions in a world where the digital landscape is increasingly becoming a theatre of conflict

Actors and Tactics in Cyber Operations

Over the past decade, states have been selectively deploying cyber operations as an integral part of their geopolitical strategy to advance their foreign policy goals. A classic example of this strategic deployment is the alleged use of the Stuxnet malware by the United States and Israel in 2010, which successfully destroyed about 20% of Iranian nuclear centrifuges. One primary advantage that governments find in the use of cyber tactics is the element of plausible deniability, a stark contrast to conventional military actions. This deniability enables states to assert their influence and compel their adversaries without necessarily triggering an all-out war. However, an evolving trend has been observed recently, particularly in the Ukraine crisis, where cyber operations are increasingly being used as a prelude to, or concurrently with, military operations.

Across Ukraine and beyond, various threat actors have been unleashing a barrage of cyber operations with an intent to immobilize government services, sabotage crucial infrastructure, disrupt electoral processes, and achieve other covert objectives. In the backdrop of armed conflicts, these threat actors leverage cyber tactics to amplify the effects of kinetic operations. More alarmingly, cyber operations are increasingly being deployed to generate and amplify disinformation, thereby undermining social cohesion and exacerbating political fragmentation.

Different Categories of Cyber Threat Actors:

Cyber operations can be orchestrated by a diverse range of threat actors, which include organizations, individuals, or groups that facilitate or direct a cyber attack intending to cause harm to a specific target. These targets may range from state to nonstate entities. Within these targeted organizations, a threat actor might even recruit 'insider' agents driven by motivations like financial gain, personal grievances, or political sympathy.

States: State operatives include governmental organizations, military, and intelligence agencies conducting cyber operations as an integral part of their foreign policy.

Cybercriminals: These nonstate actors, which can be individuals or groups, primarily engage in cyber operations for profit.

Hacktivists: These nonstate actors with political motivations limit their activism to the cyber domain. Their allegiance may or may not lie with a specific state.

Terrorist groups: Nonstate actors with ideological motivations often leverage cyber operations to sow discord or spread influence campaigns alongside physical attacks.

Cyber mercenaries: These are professional, private cyber operatives for hire, contracted by a state or nonstate actor for a specific operation or for the acquisition of specific technology.

Data Source: FP analytics report

In the recent past, cyber operations have significantly contributed to the rise of 'gray zone' tactics. These tactics refer to a state of affairs where states engaged in a dispute maintain high-level diplomatic relations, while simultaneously interacting antagonistically beneath the threshold of overt war. Nonstate threat actors, who may operate independently or be affiliated with and supported by governments, often resort to these gray zone tactics.

As the aforementioned examples suggest, various threat actors wield cyber operations for an array of purposes. These can range from information warfare and high-publicity diplomatic statements to surveillance activities and other undisclosed objectives.

The information on these operations is gathered from a variety of sources, which includes Defense One, Middle East Eye, The White House, Acronis, BBC News, Canadian Medical Association Journal, Sky News, U.S. GAO, TechTarget, Reuters, Politico, Amnesty International, Business & Human Rights Resource Centre, The Washington Post, Insider, Council on Foreign Relations, and Microsoft. These diverse sources highlight the global, cross-sectoral nature of the issue at hand.

In an era where cyber operations have grown in complexity and reach, it becomes increasingly important for all stakeholders — policymakers, business leaders, technical experts, civil society groups, and others — to perceive and understand these tactics within the context of hybrid warfare.

Hybrid warfare represents the combined use of conventional and unconventional, often covert, military tactics, such as cyber operations. Recognizing the role of cyber operations in this broader context is crucial to keep pace with the latest developments in cyber tactics and strategies. Furthermore, this understanding is key to fostering collaborations aimed at countering threat actors who deliberately and indiscriminately harm civilians and civilian infrastructures for geopolitical advantage.

Understanding and adapting to the evolution of cyber operations demands concerted efforts. By recognizing the strategic patterns, tactics, and the changing nature of threat actors involved in hybrid warfare, stakeholders can create effective strategies to prevent, mitigate, and respond to these threats. Such awareness and collaborative actions are crucial in enhancing global cybersecurity and maintaining international stability in an era increasingly marked by digital conflicts and cyber threats.

The Far-Reaching Impacts of Russia's Satellite Hack (Data sources: CSO, Council of the European Union, CyberPeace Institute, La Depeche, Wired, Reuters, Zero Day)

Disruptions across Europe from Russian satellite hack Cyberattack on the Viasat satellite network just hours before the Russian invasion of Ukraine had a cascading effect across the region.

Cyberattack On Feb. 24, 2022, one hour before the invasion of UKRAINE, Russia launched an attack using “AcidRain” wiper malware to remotely erase modems and routers on Viasat Inc’s KA-SAT satellite network.

Impact on military infrastructure Satellite military communications in UKRAINE were disrupted.

Impact on energy sector GERMAN energy company Enercon reported losing remote monitoring and control of 5,800 wind turbines across central Europe.

Impact on civilian internet access Tens of thousands of civilians in UKRAINE lost internet signal for up to two weeks, impeding access to reliable information.

At least 27,000 users were impacted by the internet outages in the CZECH REPUBLIC, FRANCE, GERMANY, POLAND, THE UNITED KINGDOM, and OTHER EU COUNTRIES. In France alone, 9,000 subscribers lost internet.

The groundwork for Russia's hybrid warfare model was laid long before its full-scale ground invasion of Ukraine in February 2022. Since at least 2013, the Kremlin has been strategically leveraging cyber tactics to prime, destabilize, and coerce Ukraine, blending cyberattacks with conventional warfare to shape the geopolitical landscape.

Sparked by the Maidan Revolution in 2013, which moved Ukraine into closer political alignment with the European Union and NATO, Russia commenced a series of cyberattacks aimed to paralyze, discredit, and distract political opponents. Examples include the deployment of distributed denial-of-service (DDoS) attacks to disrupt the digital presence of the Maidan movement in 2013, and subsequent attacks on Ukraine's government computer networks and communication systems in 2014, likely intended to deflect attention from Russian military activity in Crimea.

Further illustrating their cyber prowess, Russian operatives breached Ukraine's electronic vote-counting system, leading to delays in the announcement of the October 2014 parliamentary election results. These actions were far from isolated incidents. They were part of a broader, sustained campaign that, combined with ground and air operations, exemplified Russia’s hybrid warfare strategy.

Simultaneously, Russia orchestrated information campaigns across mainstream and social media platforms. This propaganda machine capitalized on historical anxieties and societal divisions to garner local support for annexation and present Russia as the protector of all ethnic Russians and Russian speakers. Internationally, Russia manipulated narratives to portray Russian-backed separatists in Eastern Ukraine and Crimea as home-grown freedom fighters, further distorting reality and stalling responses from the Ukrainian government and the international community.

Even as ground operations in Eastern Ukraine and Crimea slowed after 2014, Russia persisted in its cyber efforts to destabilize Ukraine and discredit its democratically elected government. This extended campaign progressively shifted towards sabotaging critical infrastructure. In 2015 and 2016, Russian hackers targeted distribution substations near Kyiv, disrupting power supply to hundreds of thousands of residents. This impacted emergency services, communications, and other infrastructure, marking a turning point in cyber warfare – the first publicly acknowledged digital attack causing a power outage.

Another major attack targeted Ukraine's financial systems in 2017, inflicting an estimated $10 billion in global damage. This underscored the catastrophic potential of cyber operations that exploit vulnerabilities in the digital networks of critical infrastructures. As we approached Russia’s full-scale invasion, cyber operations escalated both in frequency and scale. Microsoft reported that between July 2020 and July 2021, Ukraine was the second most frequent target of nation-state threat activity warnings, trailing only behind the United States.

Data sources: Microsoft, Microsoft, CNN

On February 24, 2022, when Russia launched its military invasion of Ukraine, a simultaneous cyberattack on satellite modems was initiated, disrupting Ukrainian military communications.

Since then, Russia has employed an array of coercive cyber tactics — DDoS attacks, wipers, defacements, deepfakes, scam emails — to discredit the Ukrainian government, erode public trust, and demoralize Ukrainian society. At times, these cyberattacks were synchronized with kinetic actions, such as the coordinated military strikes and cyberattacks on government agencies in Dnipro on March 11, 2022.

Meanwhile, cyber operations continued to target civilian critical infrastructure. From February to October 2022, 55 percent of Ukrainian entities targeted by Russian wiper malware were critical infrastructure organizations, impacting sectors such as energy, water, emergency services, and healthcare.

Ukraine managed to thwart an attempt by Russia in April 2022 to take control of electrical industrial control systems, which could have potentially resulted in a power outage for two million residents. All these cyber campaigns unfolded against a backdrop of ongoing disinformation campaigns aimed at diminishing Western support for

The Complex Challenge of Attribution in Cyberattacks and its Diplomatic Implications

The intricacies of attributing cyber operations accurately and in a timely manner have been highlighted through Russia's operations in Ukraine. The stealthy nature of some attacks, especially those intended for surveillance, can render them undetected or unreported for extended periods. This not only complicates the process of timely identification but also hinders the development and execution of effective counter strategies.

To further cloud attribution, governments may resort to using proxies such as cyber mercenaries to execute cyber operations. This strategy provides them with a layer of plausible deniability, deflecting attention and responsibility. Additionally, the sharing of vital intelligence information between nations may be constrained due to strict protocols. Even within the private sector, organizations might be reluctant to reveal shortcomings in their cyber defense capabilities, which could further obstruct the process of attribution.

These attribution barriers, encountered by both public and private sector actors, can potentially compromise the speed, proportionality, and efficacy of diplomatic or military responses. The delay or inaccuracy in attributing cyberattacks can undermine international consensus and hinder decisive, unified action against the perpetrators.

International humanitarian law, which governs conduct in armed conflict, was established before the advent and subsequent proliferation of cyber operations. Therefore, even when cyberattacks are accurately identified and attributed, the lack of established international norms and legal frameworks that specifically address cyber warfare present a significant challenge.

Efforts to address this gap include the Tallinn Manual, an initiative led by academics and practitioners to elucidate concerns and codify approaches to cyberspace norms. Other noteworthy initiatives are the multistakeholder dialogues and working groups that have been established at regional, national, and supranational levels. This includes the United Nations' long-standing Group of Governmental Experts and the more recently formed Open-Ended Working Group, which is supported by Russia. Both groups aim to define norms of behavior and the application of humanitarian law in cyberspace.

Furthermore, the UN Department of Economic and Social Affairs' Internet Governance Forum (IGF) fosters discussions on public policy issues related to the internet. These collective efforts underscore the need for increased international engagement and cross-sectoral collaboration. Developing practicable approaches to mitigate and counteract cyber operations and hybrid warfare is a crucial step forward in establishing an effective global response to these ever-evolving threats.

Looking Ahead: A Whole-of-Society Approach to Deterrence

Digital tactics have become a powerful tool for both governmental and non-governmental entities across the globe. Their appeal often lies in their elusive nature, making it hard to pinpoint responsibility and gauge appropriate reactions. These digital strikes can intensify the repercussions of traditional warfare. Hence, it's essential for public and private sectors to maintain open dialogues to predict, recognize, and counteract such tactics, especially since many attacks exploit online platforms, devices, and widespread internet access.

Addressing the comprehensive effects of digital actions requires a collective societal effort. This means stakeholders from government, business, and the community need to collaborate, not just in Ukraine but globally. Crafting universal rules and standards regarding responsibility, retaliation, deterrence, and accountability in the realm of digital warfare is essential to ensure safety, maintain national security, and foster international harmony amid the challenges of evolving conflict dynamics.


The official brief was produced by FP Analytics, the independent research division of The FP Group, with financial support from Microsoft. FP Analytics retained control of the research direction and findings of this issue brief. Foreign Policy’s editorial team was not involved in the creation of this content.

And written written by

By Avery Parsons Grayson (Senior Policy and Risk Analyst), Isabel Schmidt (Senior Research and Policy Analyst), and Dr. Mayesha Alam (Vice President of Research).


bottom of page