Immediately following Russia’s military invasion of Ukraine in February 2022, the CyberPeace Institute began tracking and analyzing cyber operations linked to the conflict. From the outset, it became evident that the invasion was going to lead us to question everything we knew about escalation in cyberspace.
Beyond our original purpose of tracking cyber operations to enforce accountability, continuous tracking has also given us a solid understanding of the technical and legal challenges associated with analyzing hybrid warfare. Over 16 months, the CyberPeace Institute documented and analyzed 1,998 cyberattacks and operations impacting 25 sectors in 50 countries. Through our online platform and quarterly reports, we have tracked the evolution of the threat landscape, the diversity of threat actors, and, most importantly, the human impact of attacks. We have tracked all types of cyber operations—from the crowdsourced distributed denial-of-service (DDoS) attacks to Viasat, the most sophisticated wiper campaign aimed at destroying infrastructure—and all types of actors, including those performing on behalf of Ukraine.
Since day one, the escalation has been concerning, not just because of the sheer statistical increase in the frequency and variety of attacks and the number of threat actors, but also because the military doctrines of both countries have evolved drastically. We have observed an increase in civilian and crowdsourced efforts alongside the continued presence of centralized and military incidents. Even so-called “hacktivist collectives” have played a significant role in the conflict. For example, the call for a volunteer IT Army of Ukraine attracted civilian threat actors whose DDoS attacks have been heavily impacting Russian online resources. We have also documented the creation of various pro-Russian collectives, such as KillNet, People’s CyberArmy, and NoName057(16), which target not only entities in Ukraine but also nonbelligerent countries. A significant number of NATO member countries that are not necessarily parties to the conflict have been impacted by cyberattacks carried out by hacktivist collectives—seemingly in response to those countries’ public positions on geopolitical, ideological, or economic subjects.
CyberPeace has documented destructive cyberattacks aimed at the permanent deletion of data or rendering systems unrecoverable (e.g., the use of CaddyWiper or the ZeroWipe wiper). We have chronicled DDoS attacks targeting the availability of data or services. We have logged the proliferation of false information and propaganda through defacement operations, and we have recorded incidents of data theft, followed in some cases by the leaking of that information to the public (i.e., hack-and-leak operations).
Tracing cyberattacks involves many challenges, one being attribution—discovering, calling out, and holding responsible parties accountable. Our role is to trace cyber operations so that attribution is properly documented and the data we gather is available for use as evidence. Key to performing a credible and neutral tracing of attacks are transparency and solid data processing. Within the context of the ongoing Russia–Ukraine conflict, we made the decision to trace cyber operations everywhere. We collect data with the aim of facilitating justice and redressing all victims of cyber operations. Another challenge pertains to the participation of civilians in cyber warfare. How do states enforce plausible deniability or craft an attack to stay under the threshold of international law while crowdsourcing cyber operations? And then there is the challenge surrounding recovery efforts. Should Ukraine win the ground war, it will not fully benefit from recovery efforts if its critical infrastructure—including its financial system and its information space—is not stable and secure and free from the presence of malicious actors. Recovery efforts must include a real digital ceasefire and support to clean malicious software from critical infrastructure and to protect the information space from propaganda and disinformation.
Since the invasion, we have learned that these challenges are so interlinked and complex that they cannot be addressed by one entity, organization, or country alone. As we believe that cyberspace is a digital public good, we maintain that tracing attacks, documenting attribution, and helping victims is the path toward accountability—and, hopefully, a de-escalation in cyberspace is a collective effort done for the greater good.
Stéphane Duguin is the CEO of the CyberPeace Institute, a role he has held since 2019. He has spent two decades analyzing how technology is weaponized against vulnerable communities—in particular, the use of disruptive methods such as artificial intelligence in the context of counterterrorism, cybercrime, cyberoperations, hybrid threats, and the online use of disinformation techniques. He previously served for 10 years—between 2009 and 2019—at Europol as Senior Manager in the European Cybercrime Centre, the European Internet Referral Unit, and the Europol Innovation Lab.