When Russia invaded Ukraine last month, many security analysts were expecting a level of cyberwar never seen before, because of Russia’s history of such aggression.

There has been low-level activity. Cyberattacks were under way in Ukraine even before Russian forces invaded on 24 February. Hours prior, a type of malware called a wiper circulated on Ukrainian government computing systems, corrupting data. Earlier that week, a massive distributed denial of service (DDoS) attack, widely attributed to Russia, had flooded Ukrainian bank websites with traffic, making them inaccessible.

Such assaults were unsurprising; Ukraine has faced a barrage of cyberattacks since conflict flared with Russia in 2014. But despite the slew of low-level cyberattacks, Ukraine’s critical infrastructures—such as telephone, Internet, power and health-care systems—remain intact.

Nature spoke to researchers about the role of cyberwarfare in the conflict, and why it is surprising them.

Why did analysts expect cyberwarfare to play a significant part in Russia’s invasion of Ukraine?

Russia has deployed cyberattacks in its most recent conflicts, including its invasions of Georgia in 2008 and Crimea in 2014. Since then, Ukraine has become a “training ground” for Russian cyberoperations, says Lauren Zabierek, a specialist in cybersecurity in international conflict at the Harvard Kennedy School in Cambridge, Massachusetts. In 2015 and 2016, Russia-attributed strikes disabled Ukraine’s power for hours, she says.

Russia has the capability to use cyberwarfare to disrupt enemy communications, organization and supplies, leading many to expect that it would deploy such tactics in this war, says Trey Herr, a cybersecurity-policy researcher at the Atlantic Council, a think-tank in Washington DC.

So why hasn’t Russia used cyberwarfare, as expected?

One theory is that the decision to invade Ukraine was held at the highest level and didn’t trickle down the chain of command until it became too late to deploy significant cyberattacks, which can take months to organize, says Herr.

Cyberattacks might also be more suitable to skirmishes that fall short of physical war. Cyberweapons are cheaper than boots on the ground, but are still costly, says Mariarosaria Taddeo, a philosopher on the ethics of digital technologies at the Oxford Internet Institute, UK. Cyberattacks are a show of power, inflict damage without engaging in a conventional war and are difficult to attribute with certainty—but these advantages lose relevance once all-out war begins, she says.

If Russia thought it would take Ukraine quickly, preserving parts of Ukraine’s infrastructure, rather than destroying and having to rebuild them, might serve its interests, says Zhanna Malekos Smith, a systems engineer at the Center for Strategic and International Studies, a think-tank in Washington DC. Russia could also have tapped into some networks, such as Ukraine’s telecommunications system, as a source of intelligence, she adds.

Zabierek’s leading hypothesis is that Russia is holding back to avoid escalation or spillover effects beyond Ukraine, which could prompt a response from the West. Cyberattacks can easily spread. In 2017, Russia-linked hackers launched NotPetya, malware targeting financial software used by businesses in Ukraine. But the malware’s use of a common vulnerability allowed it to spread worldwide, destroying access to almost all records at companies such as the Danish shipping giant Maersk—and causing an estimated US$10 billion in damages globally.

And on 24 February, an attack on the European satellite operator Viasat disrupted Internet access in Ukraine and disabled thousands of German wind turbines that used Viasat to communicate.

Could the cyberwar escalate?

Russia might be keeping its more aggressive cyberweapons in reserve, says Malekos Smith. If the ground war stalls and financial sanctions bite, Russia could increase cyberattacks, she says. It could ramp up its assault on Ukraine and target Western nations to inflict on them the same kind of chaos wrought by sanctions, for example by targeting companies and financial markets, she says.

Health-care systems and power networks could be vulnerable. In 2021, non-state hackers, possibly in Russia, used ransomware to shut down the US Colonial oil pipeline for days. “This is the kind of thing we can expect—an attack that’s enough to cripple infrastructure for a while and create disruption,” says Taddeo. On 12 February, before the invasion, the US Cyber Security and Infrastructure Agency warned organizations to prepare for a cyberattack.

How likely is that to happen?

Non-state actors who have joined both sides of the cyberconflict could trigger escalation. A Russian hacker group called Conti said it would retaliate against cyberthreats on the Russian government. Meanwhile, the international hacker collective Anonymous and an ‘IT army’ of civilians are pursuing Russian targets. And a pro-Ukrainian group calling itself the Belarusian Cyber-Partisans claimed to have hacked the train system in Belarus—which has supported Russia’s war—to prevent its government from moving Russian troops. However, that claim hasn’t been rigorously verified.

Many of these attacks include defacing or taking down Russian government websites—low-hanging fruit in the cyberworld. But they increase the chance that the cyberwar could escalate, says Taddeo. “Targeting the wrong item or doing an out-of-proportion operation can be problematic and create extra friction,” she says. Herr agrees: vigilante groups might not calculate knock-on effects, and their actions could draw retaliation.

Meanwhile, an unforeseen effect of the West cutting energy, aviation and financial ties with Russia is that the country might become more prepared to take risks because it would face fewer impacts of any resulting chaos, says Herr. “The downside for them of causing significant disruptive harm goes down,” he says.

What’s the worst-case scenario?

So far, many analysts consider cyberattacks espionage or sabotage, rather than acts of war. Although Russia might want to cause damage to mirror the effects of sanctions, it is unlikely to cross the line that would provoke states’ right to self-defence, says Malekos Smith. This could be any action that causes human casualties or massive physical destruction, for example by targeting a dam or nuclear power plant. “We haven’t seen it yet, and I hope we won’t see it,” says Taddeo.

If physical damage occurred, countries such as the United States have declared that they could respond with every means possible. The National Cyber Power Index by the Belfer Center, where Zabierek works, ranks Russia’s cybercapabilities below those of the United States, China and the United Kingdom. A cyberoperation could trigger Article 5 of the North Atlantic Treaty Organization treaty, which states that an attack on one member nation is considered an attack on them all. If that happened, Russia would be outmatched on all fronts, says Zabierek.

This article is reproduced with permission and was first published on March 17 2022.