Lessons From the World’s First Full-Scale Cyberwar

When Russia launched its full-scale invasion of Ukraine in February 2022, it also ushered in a new era of warfare – one where cyberattacks were no longer a supporting act but a core component of battlefield operations. This was the world’s first full-scale cyberwar, where digital operations were synchronized with kinetic strikes to disrupt, disable, and disorient the enemy. For three years, Ukraine has defended itself not only on the battlefield but also in cyberspace, repelling relentless Russian cyberattacks targeting critical infrastructure, telecommunications, and military systems.

From the outset, Russia’s cyber offensive sought to cripple Ukraine’s essential services and disrupt military communications. Russian hackers launched large-scale attacks against Ukraine’s power grid, government networks, and telecom providers. One of the most damaging strikes came in the early hours of the invasion, when they targeted Viasat’s KA-SAT satellite network, aiming to disrupt Ukraine’s command and control systems. The attack had a spillover effect, impacting thousands of civilians across Ukraine and Europe, knocking out internet access.

However, Russia’s cyberwar did not begin in 2022 – it started in 2014, when Moscow used Ukraine as a test lab for cyber weapons following its first invasion of Ukraine. Yet, much like its ground forces, Ukraine’s cyber defenses were hardened through experience, and Russia underestimated Ukraine’s resilience both in the digital and physical battlespaces once the full-scale invasion began.

Other Topics of Interest

Did Trump Get an ‘Important Letter’ Before Congressional Speech? Or Just Quote Zelensky Tweet?

The US president read from a “letter” he said he received from the Ukrainian president on Tuesday – but his quotes are identical to a social media post Zelensky made earlier in the day.

Paul Chichester, Director of Operations at the UK’s National Cyber Security Centre (NCSC), described the cyberwar between Russia and Ukraine as “the most sustained set of cyber operations coming up against the best collective defense we have seen.” Ukrainian cyber defenders have successfully repelled what could have been “cyber Pearl Harbor” – a large-scale offensive designed to cripple the nation’s digital infrastructure.

Ukraine’s response has drawn on years of digital reforms, while Russia’s aggression has raised cybersecurity awareness among ordinary Ukrainians. Civil society, too, has played a crucial role in resilience. Despite Russian’s cyber offensives, Ukraine’s defenses have held firm, reinforced by support from major Western tech firms and allied governments. Yet Ukraine has not merely defended itself – it took the cyber fight to Russia.

Despite Russia’s initial cyber offensives that attempted to overwhelm, Ukraine’s defenses have held firm, strengthened by support from major Western tech firms, NATO, and allied governments. But Ukraine has not just defended itself – it took the cyber fight to Russia.

The IT Army of Ukraine, a decentralized network of volunteer hackers, has disrupted Russian military logistics, disabled surveillance networks, and even played a role in supporting battlefield strikes. This war has shown that cyber defense and offense are no longer the domain of states alone. Warfare itself is becoming more decentralized, with civilians taking on a greater role in cyber conflicts.

Cyberattacks can sow chaos in civilian life by hitting power grids, communication networks, and media outlets—undermining public confidence in an attempt to create societal chaos. In December 2023, Russian hackers launched one of the most devastating cyberattack of the war, taking down Kyivstar, Ukraine’s largest mobile and internet provider. The attack crippled telecommunications infrastructure, leaving millions without mobile service, internet access, and emergency alerts for several days.

In 2024, Russian hackers also targeted thousands of British flights with attacks on plane navigation systems. These cyberattacks involved jamming and spoofing aviation systems, rendering aircraft GPS unreliable and forcing planes to reroute to avoid non-existent obstacles.

As modern armies and societies become more dependent on digital systems, cyberwarfare will play an increasingly critical role. Attacks on transportation, energy grids, and communication networks will escalate, posing growing risks to national security and public safety.

Furthermore, as battlefield technology continues to evolve, autonomous weapons will soon become prime cyber targets – an efficient and cost-effective way to disrupt an adversary. Just as cyberattacks have undermined Ukraine’s battlefield communications, future wars will soon see adversaries hacking, disabling, or even hijacking military artificial intelligence (AI) and autonomous systems.

The cyberwar between Russia and Ukraine offers a glimpse into the future of warfare, where conflicts will not only be waged with drones, soldiers, tanks, and missiles but also in the unseen battlespace of algorithms and code.

As Ukraine enters its fourth year of cyberwarfare with Russia, we asked experts to share key lessons from the conflict and what NATO can learn from Ukraine’s experience.

Dr. Vasileios Karagiannopoulos is an Associate Professor in Cybercrime and Cybersecurity and the co-director of the Centre for Cybercrime and Economic Crime at the University of Portsmouth.

We are unfortunately reaching a three-year anniversary from the beginning of the war in Ukraine. Despite the extensive engagement of physical forces in traditional kinetic war, this conflict has also demonstrated a very intense and diverse online dimension that has helped us develop a more in-depth understanding of how cyberwarfare can manifest at the moment and how it could develop further in the future.

The cyberconflict has demonstrated a very large amount of diverse attacks on both sides. Although we have not seen a “black swan” event of major global magnitude, we have seen some significant attacks on serious targets in both countries and beyond. A characteristic example is the attack on the Viasat satellite system, just as the invasion was starting to unfold.

This attack demonstrated how strategically cyberattacks can be deployed in order to facilitate the kinetic side of the war. Of course, the cyberwar arsenal does not just involve direct debilitating cyberattacks, but also hybrid efforts that include targeting organizations with malware, stealing important information to be used to reinforce kinetic operations or spreading misinformation using botnets and deepfaked content.

Perhaps one of the most original developments early in the war was the open call from Deputy Prime Minister Fedorov to hackers across the globe to create an IT army that would be helping Ukraine defend and counterattack against Russia in cyberspace. Although we were seeing hacktivists already contributing to Ukraine’s defense with hacks, such as the hacking of the train ticketing system by the Cyberpartisans in Belarus in order to slow down troop deployment prior to the start of the war, the birth of the IT Army was probably one of the first times a government official was issuing a call to arms to hackers in relation to an unfolding war. The IT Army has played a significant role in the war and has also raised important questions regarding the implications of civilians taking part in hostilities through such initiatives.

We also learned that it is inevitable for large hacker groups not to get caught up in conflicts of this magnitude and we have seen many hacker groups on both sides exchanging cyberattacks of a variety of targets. The consequent militarization of ransomware gangs based in Russia also highlights how organized crime groups might opt to actively get involved in a hybrid set of activities combining criminal and war/nationalist motivations.

One of the major concerns for NATO allies, especially at the start of the war, had been whether the retaliation hacks from Russia would spill over beyond Ukrainian cyberspace, resulting in a wider escalation of the conflict, something which did not happen to the extent expected. This lack of severe escalation also highlighted how the cyber capabilities of Russian forces to effect catastrophic attacks might have been overestimated to begin with, but also underlined how the multistakeholder security approach adopted in Ukraine by NATO allies and major tech companies potentially tackled any major attacks with escalating potential.

It appears that the war in Ukraine led NATO allies to devise and implement a concrete and complex plan for protecting not just the Ukrainian networks targeted, but also help thwart attacks going beyond the cyberspace of Ukraine and targeting public and private organizations in the West. The future challenge would be for public institutions to find more effective and efficient ways to collaborate with private sector organizations that manage what are quickly becoming technologies of intrinsic importance to cyberwar and security efforts, from social media giants to satellite communications, software and open source intelligence providers.

The above is further reinforced by the realization that cyberwarfare is fragmented and multifaceted and never really takes the form of an explicit cyberattack by a country’s military cyber forces. Instead, it involves a very diverse mix of undercover cyber forces, government affiliated hacker groups and potentially even unaffiliated nationalist hackers/hacktivists or ransomware gangs. In that sense, the decentralized and constantly evolving nature of cyberwarfare poses ongoing challenges for cybersecurity forces.

The multifaceted nature of attacks as well as the increasing range of targets and tools means that future efforts will need to involve not just technical safeguards and more engagement with technological developments such as AI, but also a wider campaign of education for employees and citizens more widely so that resilience to attacks can be built bidirectionally, from the top down, but also from the ground up.

Dr. Treston Wheat is the Chief Geopolitical Officer at Insight Forward, Special Advisor for Geopolitics at Riley Risk, and an adjunct professor at Georgetown University.

For the first time in history, cyberwarfare has played a central role in a kinetic conflict between state actors. The Russo-Ukrainian war has demonstrated that cyber operations are not mere tools of espionage, theft, or psychological operations—they are integral to modern warfare, capable of shaping the battlefield, disrupting supply chains, and undermining an adversary’s will to fight.

Importantly, the case of the Russo-Ukrainian war shows that Carl von Clausewitz’s theories remain as relevant as ever in this new domain of war. First, his concept of the center(s) of gravity – the source(s) of a belligerent’s strength, which must be targeted to break its resistance – has taken on a digital dimension. Similarly, the fog of war, traditionally referring to the uncertainty and chaos of combat, now extends into cyberspace, where misinformation, deception, and unintended consequences shape the course of conflict.

Clausewitz argued that an army, its leadership, and the national will are often the most critical centers of gravity in warfare. In Ukraine, Russia has targeted all three through cyber means. The Kremlin’s initial strategy included cyberattacks on energy infrastructure, banking systems, and communications networks, aiming to paralyze Ukraine’s decision-making processes and erode public confidence. However, Ukraine quickly adapted, demonstrating that a strong cyber defense can mitigate the impact of such attacks.

Clausewitz also warned that war is marked by uncertainty, ambiguity, and friction – the fog of war. In Ukraine, cyberwarfare has deepened this fog, introducing new layers of deception and unpredictability. Disinformation campaigns, deepfakes, and cyber-enabled psychological operations have been used to obscure battlefield realities, manipulate public opinion, and sow doubt among decision-makers. Russia has sought to spread confusion by fabricating narratives of Ukrainian military collapses, while Ukraine has weaponized information warfare to rally international support and undermine Russian morale.

This new cyber-induced fog of war presents a challenge for NATO. While conventional conflicts are shaped by intelligence reports, satellite imagery, and battlefield assessments, cyberwarfare operates in an arena where the truth itself can be contested in real time. As cyber deception becomes more sophisticated, NATO must refine its ability to distinguish fact from fiction, strengthen information security, and counter adversarial influence operations with speed and precision.

Because of the novel ways in which cyberwarfare applies to Clausewitzian dogma, NATO will need to rethink the challenges. NATO has made cyber defense a priority, declaring cyberattacks as potential triggers for collective defense under Article 5. However, Ukraine’s experience suggests that NATO’s approach remains too reactive. A full-scale cyber and kinetic war – one that simultaneously targets military networks, battlefield troops, critical infrastructure, civil populations, and public opinion – would stretch NATO’s defenses.

To prepare for such a scenario, NATO must:

• Identify and protect cyber centers of gravity, including working with corporations to protect critical infrastructure.
• Develop countermeasures for the cyber fog of war through better threat intelligence and counter-disinformation efforts.
• Integrate cyber operations into overall military strategy rather than just viewing it as a separate domain.
• Clarify the role of non-state actors, including technology companies and “patriotic hackers” who could become part of the offensive effort.

Clausewitz’s insights remind us that war – whether fought with tanks or algorithms – revolves around striking at an adversary’s center of gravity while managing the fog of uncertainty. The Russo-Ukrainian war is a harbinger of conflicts to come, where cyber operations will be as decisive as airpower or artillery. If NATO fails to absorb these lessons, it risks being caught unprepared in the next great war – one that may be fought as much in cyberspace as on the battlefield.

Fedir Martynov is a Ukrainian cyber volunteer and a partner at Trident Forward, a consultancy firm with offices in Ukraine and the US.

The ongoing war in Ukraine isn’t just being fought on the front lines with tanks and artillery; it’s a conflict unfolding in the digital trenches, a realm where code is the weapon and information the battlefield. As we approach the three-year mark of this unprecedented conflict, it’s critical to examine what we’ve learned from the world’s first full-scale cyberwar, how it has evolved, and what it means for the future of global cybersecurity, particularly for NATO.

Initially, many predicted a Russian cyber blitzkrieg – a rapid, crippling digital assault that would paralyze Ukraine’s critical infrastructure and government. While Russia certainly attempted this, launching sophisticated attacks like the BlackEnergy and Industroyer malware attacks on Ukraine’s power grid in 2015 and 2016, and the devastating NotPetya attack in 2017, Ukraine did not crumble. Instead, a remarkable story of resilience and adaptation emerged.

The Russo-Ukrainian war has illuminated a key evolution in cyberwarfare: the seamless integration of cyber operations with electronic warfare (EW) and kinetic military actions. Russia’s “triple-lock” strategy – disabling communications, disrupting command systems, and advancing ground forces – has demonstrated a new level of hybrid warfare. This isn’t just about hacking; it’s about using cyber tools to directly enhance battlefield effectiveness, blurring the lines between the digital and physical realms of conflict. We’ve seen this in the deployment of Leer-3 EW complexes to jam Ukrainian drones alongside cyberattacks on logistics systems, and even in the chilling combination of ICS-targeting malware with precision missile strikes on Ukrainian railway repair crews.

Ukraine’s response has been equally innovative. The creation of the “IT Army of Ukraine,” a vast, fully independent, and crowdsourced volunteer force, represents a novel approach to decentralized cyber defense. This unique structure allows for rapid mobilization and adaptation, harnessing the skills of a diverse range of cybersecurity professionals and enthusiasts.

The IT Army’s impact has been significant; estimates suggest its cyber offensive operations have caused between $2-5 billion in direct and indirect economic damage to Russia over the past three years. This level of impact is comparable to the effects of strong economic sanctions, making it a crucial element in efforts to constrain the aggressor’s capabilities in a war of attrition. This crowdsourced model, combined with strategic partnerships and rapid data migration to distributed cloud servers, has allowed Ukraine to withstand relentless attacks. The use of blockchain-based verification systems for military procurement and aid distribution further highlights Ukraine’s ingenuity in leveraging technology to overcome wartime challenges.

But what about NATO? Is the Alliance truly prepared for a full-scale cyberwar? While NATO has made progress, informed by the Ukrainian experience, significant vulnerabilities remain. The establishment of the Cyber Operations Center (CyOC) and exercises like Dynamic Messenger are positive steps, but challenges persist in areas like interoperability between national CERTs and the rapid certification of new cybersecurity solutions. The reliance on proprietary cybersecurity solutions, unlike Ukraine’s open-source collaborative approach, hinders standardization and adaptability.

Ukraine’s experience provides critical lessons. The importance of public-private partnerships, as seen in Microsoft’s “digital shields” protecting Ukrainian government clouds, cannot be overstated. The success of decentralized, adaptable infrastructure, like Ukraine’s distributed data architecture, demonstrates a path to greater resilience against cyberattacks. The mobilization of civilian cyber expertise, exemplified by the IT Army, offers a potent model for rapidly scaling up defensive capabilities, and must be carefully studied and potentially adapted with respect for operational security and national contexts.

NATO must prioritize several key actions to enhance its cyber preparedness. A NATO Cyber Reserve Force, modeled on Ukraine’s volunteer approach is crucial. Adaptive certification standards for cybersecurity solutions are needed to keep pace with evolving threats. Cross-domain response teams, integrating cyber, EW, and kinetic capabilities, are essential for countering hybrid warfare tactics. And critically, a deeper investment in defensive AI, particularly for real-time threat analysis, is vital to close the detection gap exposed by advanced Russian cyber operations. Hardening industrial control systems, drawing on best practices in simulation and response should be made a matter of national security importance.

The cyber conflict in Ukraine is a wake-up call. It demonstrates that the future of warfare is here, and it is hybrid. NATO must learn from Ukraine’s resilience, innovation, and adaptability. The window for preparation is closing. The next major cyber conflict may not originate in the steppes of Donbas, but could target the heart of Europe or North America. Proactive, bold adaptation, embracing the lessons forged in the digital trenches of Ukraine, is the only way to ensure the Alliance’s security in this new era of warfare.