The Washington PostDemocracy Dies in Darkness

Cyberattacks Are Just One Part of Hybrid Warfare

Russia’s invasion of Ukraine on Feb. 24, 2022, was immediate top news worldwide due to eyewitness accounts and images of missile strikes shared on television and social media. By contrast, a near-simultaneous cyberattack on satellite systems that Ukraine relied on to coordinate troop and drone movements — systems that also provided broadband service to more than 100,000 internet users in at least 13 countries across Europe and North Africa — was cloaked in mystery for weeks, and to this day Russia’s government denies any involvement in it. Such is the nature of the modern form of combat known as hybrid warfare, which marries unambiguous brute force with stealth, subterfuge and heaps of plausible deniability.

1. What is hybrid warfare?

It’s a term for the mixing of conventional and unconventional tactics — violent and nonviolent, virtual and real-world, overt and covert — that countries can deploy against each other. They include state-on-state cyberattacks — cyberwarfare — as well as disinformation, economic pressure, propaganda, sabotage and the use of irregular forces, such as uniformed soldiers without identifying insignia. Hybrid warfare is “used to blur the lines between war and peace and attempt to sow doubt in the minds of target populations,” according to the North Atlantic Treaty Organization. Ambiguity and plausible deniability are hallmarks of hybrid warfare. 

2. How has it been used in the Russia-Ukraine war?

Since hybrid warfare is intentionally difficult to attribute, that’s hard to say. But a few episodes stand out. In the days prior to Russia’s February 2022 invasion, an automated wave of internet traffic slammed Ukrainian banks and government agencies, knocking websites offline and creating the false impression that Ukrainians would be unable to access their money. In September 2022, underwater explosions damaged the Russian-controlled Nord Stream 1 and 2 pipelines carrying natural gas to Germany. In the immediate aftermath, Russia blamed the US, Ukraine and Poland, while the US and its allies suggested Russia may have sabotaged its own pipelines, thus assuring Europe would have to survive the winter without significant Russian gas flows. The New York Times reported in March 2023 that new intelligence pointed at a pro-Ukrainian group as having been responsible.

3. What are the hallmarks of cyberwarfare?

A cyberattack that wipes out data centers, scrambles bank records to cause financial panic or disables essential services such as telecommunications or electricity might raise suspicions that a state or its proxies was behind it. Even disinformation campaigns, such as Russia’s targeting the 2016 U.S. president election, can be thought of as a softer but still damaging type of cyberwarfare. One incident that’s become public and is generally agreed to be an act of cyberwarfare was the so-called Stuxnet attack, which was discovered in 2010 and involved computer code that destroyed as many as 1,000 nuclear centrifuges in Iran. The New York Times reported that this was a joint operation between the US and Israel code-named Olympic Games and that, had it failed, the US was ready with a broad cyber battle plan against Iran that would have taken out its power grids.

4. Who are the players in cyberwarfare?

The Council on Foreign Relations says 34 nations are suspected of sponsoring cyberattacks since 2005, with China, Russia, Iran and North Korea behind more than three-quarters of them. While the US is on the list of cyberattack sponsors, it’s also by far the biggest target of significant cyberattacks — including those on government agencies, defense contractors or high-tech companies — followed by the UK and India, according to a review of data kept by the Center for Strategic & International Studies.

5. Aren’t attacks on civilians supposed to be off-limits?

Real-world military confrontations are guided by rules of war that date back centuries and are meant to reduce civilian suffering. The Tallinn Manual, published in 2013 by a think tank affiliated with the North Atlantic Treaty Organization, was an attempt to apply those rules to cyberwarfare — defining which targets are off-limits (schools and hospitals, for example) and under what circumstances a country can respond to a hack attack with military force. But the manual carries no official weight.

6. What can be done?

Dozens of European countries plus the US, the UK and Canada support the European Center of Excellence for Countering Hybrid Threats, which opened in Helsinki in 2017. It conducts simulations and other exercises and recommends ways that member states can become less vulnerable and more resilient to hybrid attacks. Ukrainian officials say some Russian cyberattacks meant to hurt civilians constitute war crimes and should be prosecuted by the International Criminal Court in the Hague. A 2022 US law aims to expedite and centralize reporting of cyberattacks that target critical infrastructure.

--With assistance from Katrina Manson.

More stories like this are available on

©2023 Bloomberg L.P.