Deciphering Russia’s Wartime Cyber Campaign
In the wake of Russia’s invasion of Ukraine, the cyber threat landscape is quickly evolving. Now, Europe, the United States, and like-minded democracies must prepare for persistent “gray zone” conflict in their own cyberspaces. The defenders of an Internet whole, secure, and free must use anticipation, risk mitigation, and creativity to shift the balance of power in cyberspace in their favor. Europe urgently needs to step up its efforts.
In the context of Russia’s war against Ukraine, a great deal of attention, logically enough, has been paid to cyber operations and the threat of massive disruption. After all, the Kremlin and Russian military thinking see cyberattacks and targeted disinformation campaigns as part of a continuum of warfare that spans from fake news to nuclear assault.
This has been particularly meaningful in low intensity conflict environments where, over the past decade, Russia has used cyber operations to exploit the gray zone between peace and war. Some of these operations disrupted the global economy, for example the 2017 NotPetya wiper that indiscriminately wrought a swath of destruction across systems globally. Others involved espionage, for example the SolarWinds supply chain attack, a sophisticated operation that targeted a key gateway serving US and European national security and critical infrastructure. Yet none of them rose to the level that would constitute crossing the threshold into armed conflict.
During previous wars, Russia has used cyber operations as an add-on. It employed cyber methods to disrupt Georgia’s strategic communications when it invaded in 2008. In 2015 and 2016, it conducted cyber operations on Ukraine’s critical infrastructure, successfully knocking out parts of the Ukrainian electrical grid.
But this use of cyber as a tool of war has been largely absent in its current war on Ukraine. In the run-up to this military assault, Russia attempted to soften Ukraine with disruption and defacing attacks on Ukraine’s Ministry of Defense, banks, and public administration. Through its proxies in Belarus, Russia also tried – without success – to disrupt Ukrainian rail communications in February 2022. When satellite communications were likely hacked by Russia during the invasion, the issue was repaired quickly.
The fact that Russia has not yet conducted a major military grade cyberattack on the battlefield or in the broader theater of the current conflict is a puzzle for some. This could be due to Ukraine’s cyber defenses, which have unquestionably been strengthened since Russia’s annexation of Crimea in 2014 – in part aided by US Cyber Command and European IT specialists. Perhaps Russian troops are too reliant on Ukraine’s own 3/4G networks for their own communication devices.
The simple explanation is that cyber operations are primarily useful to Russia as an instrument of disruption below the threshold of armed conflict. In the frontline of a hot war, Russia’s calculations are different. Kinetic attacks are relatively low cost. Therefore, if Russia can destroy, why would it bother to disrupt? Cyberattacks are often intended to hide the enemy’s hand. They foster plausible deniability. But Russia is beyond that. In the current environment, why would it disrupt Ukraine’s air traffic control system when it could just bomb the country’s airports? Bombing critical infrastructure is more effective than cyber disruptions that can be costly and reveal methods and IT vulnerabilities.
The Collapse of Russia’s Information Warfare Campaign
One true change in the current threat landscape has been Russia’s abject failure thus far in the information war. In some ways, Russia’s information operations have become a victim of their own success. In 2014, Russia conducted effective hack-and-leak operations on phone conversations between the Estonian foreign minister and EU foreign policy chief, as well as between US officials. It used online disinformation to interfere in the Netherlands’ referendum on an EU Association Agreement for Ukraine and the UK’s Brexit vote in 2016 and in Catalonia’s independence movement in 2017. In 2016, Russia also hacked the Democratic National Committee in the United States. These high-profile attacks – combined with other persistent low intensity operations around the LGBT community, coronavirus pandemic, European Union, and refugees – created an exaggerated sense of Russia’s “disinformation industrial complex.”
Against this background, the Kremlin’s weakness in 2022 is all the more marked. This time, Russia’s internet propaganda machine was crushed by a combination of the United States’ “pre-bunking” strategy of intelligence disclosure and the wildly successful campaign for information superiority by Ukraine, which has saturated the internet. On the one hand, authentic on-the-ground content is generated and live streamed by ordinary Ukrainians: tractors towing enemy tanks, a 50-kilometer Russian military convoy stuck in the mud on its way to Kyiv, a Ukrainian babushka taking down a Russian drone with a jar of tomatoes, and Russia’s targeting of schools and hospitals. On the other, Ukraine’s President Volodymyr Zelensky has become the conflict’s prime social media influencer. Zelensky has been able to Zoom into key discussions in the European Council, Westminster, European Parliament, US Congress, and German Bundestag, bringing translators to tears and focusing the minds of European leaders on concerted action. Meanwhile, a fear of leaks had forced Russia’s President Vladimir Putin to keep his plans for war secret, even to his own agencies, disrupting planning processes and creating a reality that is hard to deny – a disastrous war.
A New Digital Iron Curtain
Ukraine’s information campaign has been so successful that the Kremlin has been forced to move quickly to seal off the Russian information environment. The level of disinformation spread in Russia about Ukraine is now unprecedented. Through the “landing law” and other draconian measures designed to force social media to become organs of the state, the Kremlin has choked platforms like Twitter and Facebook, effectively forcing them out of Russia. Now, Russia has instituted a prison sentence of 15 years for those spreading what the Kremlin sees as “false information.” As such, free information has been forced to migrate to closed messaging services such as TikTok and Telegram – whose ties to the Kremlin are well documented.
Sanctions, moreover, are accelerating the fall of a digital iron curtain. They have forced Apple, Samsung, PayPal, and others to pull out of Russia. They have also led to the collapse of the ruble, even making purchases from Chinese alternatives such as Huawei, Xiaomi, and Oppo prohibitively expensive. Russia is moving toward violently severing itself from the rest of the global internet. Putin’s formula is simple: Cyber and disinformation aggression abroad, repression at home. Both fronts are intensifying with equal ferocity as Russia’s war in Ukraine also engulfs both countries in the information technology domain.
Time for a Cyber-Wende
Even as the Kremlin attempts to close the space for a thriving, free internet in Russia, the gray zone of Putin’s war could expand outward. The West and its allies, as well as other actors in East Asia, Latin America, and the Global South, are all likely to get pulled into the conflict. Russia could not only unleash wiper software designed to erase data, web defacements, Distributed Denial of Service (DDoS) attacks, and ransomware; but it could also attempt to disrupt industrial control systems running critical manufacturing and infrastructure. Given these risks, the mentality shift in foreign and security policy currently happening in Germany, the EU, NATO, and the democratic world must include a Cyber-Wende – a change in policy approach to gray zone conflict in hot war contexts.
Here are three places to start:
First and most immediately, the West must prepare for even more aggressive persistent low intensity war across the domain of information and communications technology (ICT). Putin already sees the West’s imposition of crushing sanctions – on its Central Bank, financial sector, technology use, and kleptocratic elites – as a declaration of non-kinetic war. For Russia, one instrument of retaliatory response will be cyber and information operations. The West must be ready for a more permissive environment for Kremlin-aligned cyber criminals to unleash ransomware on the core infrastructure of democracies, including banks, news outlets, and local governments.
Second, Europe must support means for getting digital connectivity infrastructure to Ukrainians and Russians. The EU, NATO, and like-minded countries should fund encrypted digital communication tools and virtual private networks (VPNs) that can avoid detection and provide links to the outside world in Russia’s increasingly autarkic internet, RuNet. They should also develop Very Small Aperture Terminals (VSAT) and Low Earth Orbit (LEO) satellite capabilities to provide coverage and connectivity to the global internet. Tech entrepreneur Elon Musk has already answered the call by Ukrainian officials to open Starlink satellite internet services for the country, where ground telecommunication infrastructure is getting increasingly destroyed by heavy bombing. This could become part of a global doctrine to both promote open information in conflict zones and counter authoritarian-driven internet shutdowns. Current logic should follow that of the use of shortwave radio in the Cold War. The goal is to pierce the propaganda bubble that the Kremlin – and other authoritarian regimes – are attempting to create by providing citizens a wormhole to the digital world outside Russia’s borders. Perhaps even the use of shortwave radio itself should come back. The BBC literally began shortwave radio broadcasting in Russia when access to its websites was restricted.
Third, and this is a novel element, the EU – and the wider West – must better address the threat of state-sponsored “war propaganda” in the digital age. The West’s recent move to de-platform Russia’s propaganda machines demonstrates its strengths and its weaknesses. The response was motivated by political pressure, but it has little to no basis in law. Appeals from Zelensky and the EU to block content generated by Russian outlets such as RT and Sputnik from Western social media platforms led to a response that was swift but extremely uneven. Some platforms throttled specific content. Others blocked Kremlin propaganda entirely. Some limited their efforts geographically to Ukraine and the EU – leaving up content in other contested places like Moldova and across Putin-friendly states in Latin America.
EU leaders have called for platforms to revise their community rules and terms of service to account for “war propaganda.” The European Union should look at revising its Code of Practice on disinformation to include rules on how war propaganda from adversarial actors should be treated. If it were, the Digital Services Act – Europe’s sweeping platform rule book – could activate enforcement by force of law. This would require the EU to establish definitions and thresholds for designated state-sponsored content as war propaganda by adversaries. While those thresholds would need to be extremely high, creating them could arm the EU and its allies with another instrument to impose costs on authoritarians. More broadly, the EU should work through the Trade and Technology Council (TTC) with the United States and G7 to come up with common definitions and thresholds that could also be adopted by other states as a voluntary framework for content moderation of “war propaganda.”