Ukraine conflict: One year of cyberattacks and operations

CyberPeace Institute
Charlotte Lindsey (Curtet)

Analysis of 1,100 cyberattacks and operations linked to the war between Ukraine and the Russian Federation, since the military invasion of 24th February 2022, shows that cyber operations are an integral part of the way this war is waged. 

The ongoing international armed conflict raises concerns about harm caused to the civilian population, the protection of civilians and civilian infrastructure. The civilian population is affected by both kinetic and cyberattacks. The impact of this armed conflict affects first and foremost the Ukrainian population, and it is important to highlight the humanitarian impact and needs of the civilian population in Ukraine, where the ongoing armed conflict – primarily through kinetic weapons – has led to an enormous loss of lives, injury, displacement and suffering. 

In the context of this international armed conflict, the use of cyber operations in combination with conventional fighting and the targeting of critical infrastructure essential to populations in and beyond the borders of the belligerent countries, has profoundly changed the security environment.

Over the last year, the CyberPeace Institute has been documenting cyberattacks targeting 22 different critical infrastructure sectors, essential for the survival of the civilian population and civilian objects, including attacks in Ukraine, Russia and some 40 other countries. Of the 1,100 [1] cyberattacks and operations analyzed, Distributed Denial of Service (DDoS) attacks make up the largest number of recorded incidents, amounting to 79% of all incidents. DDoS attacks were also the most documented against entities in Ukraine and non-belligerent countries. 82% of the documented hack and leak operations were carried out in the Russian Federation. The CyberPeace Institute also identified a trend of crowdsourcing DDoS attacks. Several threat actors have created software to crowdsource their DDoS activities amongst a broader public, potentially and functionally involving the general population in attacks and campaigns.

Throughout the year, pro-Russian and pro-Ukrainian threat actors had similar targeting patterns, conducting attacks against Public Administration, Financial, and Media sectors. In its quarterly analytical report, for the period October to December 2022, the CyberPeace Institute has noted a 368% increase in attacks against countries that are not belligerents compared to the previous quarter (July to September 2022). Recent reports and security alerts have raised warnings of an intensification of malicious cyber activities against Ukrainian and European critical infrastructure [2].

Protection of civilians and the respect for laws and norms

In this ongoing conflict, the belligerents are bound by international law and especially international humanitarian law. Cyberspace is not a lawless world: there are rules applicable to this particular method of warfare that aim to restrain the actions of States and individuals and to protect civilians and critical infrastructure [3]. A central tenet of the protection of civilians and of the normative framework put in place to this end is the provision of limits to the ways in which wars are fought, and that military force should be proportionate, not excessive, and not indiscriminate. Thus, avoiding harm to protected persons and objects is paramount.

It is difficult to understand the true scale of the human impact of cyber operations. This can also be true for kinetic operations, but cyber operations lend another layer of uncertainty as the impact on victims can materialize only after a time delay or may be indirect but cause harm. It is also difficult to directly attribute [4] impact to one cyberattack or operation, as sometimes these operations can take place over a long period of time such as espionage-related endeavors or disinformation campaigns, or they can be one in a series of operations that changes ever so slightly each time to avoid detection, or a threat actor may use techniques to mimic the cyber behavior of others.

In the armed conflict between Ukraine and the Russian Federation, 80% of the cyberattacks analyzed by the Institute are “self attributed” attacks in which threat actors publicly disclose a cyberattack attributing themselves as the actor behind the attack [5]. Of the incidents analyzed, the most notable pro-Russian threat actors were People’s CyberArmy (focusing on Ukrainian entities), KillNet, Anonymous Russia, and NoName057(16). The most notable pro-Ukrainian threat actors were Anonymous and the IT Army of Ukraine.

During armed conflict, attribution of acts to individuals is essential to be able to trace the actions of the belligerents and/or attackers, to assess their compliance with international humanitarian law and/or any other legal regime they are bound by, as well as possible misconduct and violations, and for accountability for violations of the law.

As the war continues to be waged, the CyberPeace Institute calls upon all actors to respect international law.

References
1  As of 21st February 2023.
2  Cyber Dimensions_Ukraine Q4 Report, 2023, p.16
3 The Law & Policy Section of the Platform provides an overview of the relevant laws and norms
4 The attribution of responsibility for a cyberattack to a certain attacker or group of attacks must be based on evidence, which may be of a technical and legal nature.  The quality of an attribution is a function of available resources, time, evidence, data, verification means, etc.  Speculating about or wrongly attributing an attack may lead to an escalation in hostilities
5 The Institute does not conduct its own attribution of incidents to identify the actor(s) involved but documents the attribution efforts by others to link a particular individual, group or state to a specific incident.  As there is a reliance on publicly available data, the data on documented cyberattacks has been given a classification of certainty based on the reliability of the information source. See the Data and Methodology section of the Platform

© Copyright 2023: The concepts and information contained in this document are the property of the CyberPeace Institute, an independent non-governmental organization headquartered in Geneva, unless indicated otherwise from time to time throughout the document. This document may be reproduced, in whole or in part, provided that the CyberPeace Institute is referenced as author and copyright holder.
