Russia: Cyber-confrontation in a contested age
- Matthew Parish

In recent years the Russian state has made extensive use of cyber tools as part of its broader hybrid-warfare toolkit. Over the past 12-18 months the indicators point to a clear upward shift in both the frequency and the audacity of cyber operations directed at Western countries and institutions. These operations do not stand alone: they complement the kinetic campaign in Ukraine, the influence operations directed at Western democracies, and the broader strategy of strategic coercion. In what follows we trace how cyber-attacks and related sabotage have escalated, review major incidents, examine the motives and methods, and assess the broader implications for Western defence and deterrence.
Recent patterns and illustrative incidents
1. Rising volume, expanding geography
Analysts at the Center for Strategic and International Studies (CSIS) report that Russian-linked attacks in Europe nearly tripled between 2023 and 2024. According to a joint advisory from the US Cybersecurity and Infrastructure Security Agency (CISA) in May 2025, a campaign sponsored by Russian state-actors was targeting Western logistics and technology firms.
One illustrative incident may suffice: in April 2025, Norwegian authorities publicly attributed to pro-Russian cyber actors an operation at a dam in Bremanger, Norway, in which the flood-gates were reportedly opened for four hours, releasing some 500 litres per second of water. Although the physical damage was limited, the incident is telling: it marks a shift from purely digital intrusion toward disruption of critical infrastructure.
2. Espionage, data-theft, and logistics disruption
Traditionally, Russia’s cyber-operations have focused largely on espionage: stealing defence data, government secrets and industrial intelligence. In the past year, however, there has been an expansion of target sets. For example, in May 2025, CISA issued a joint advisory noting that Russia’s military intelligence service (the Main Directorate of the General Staff of the Armed Forces of the Russian Federation, commonly known as the GRU) was pursuing Western logistics providers and technology companies engaged in supplying Ukraine.
One concrete case is that Western logistics firms supporting Ukrainian arms shipments have been probed for network weakness, with malware implantation and persistent access evident in some supply-chain firms. The objective is two-fold — data exfiltration and the disruption of supply chains essential to the Ukrainian war effort.
3. Disruption and sabotage of critical infrastructure
A more alarming shift is into operations aimed at disruption or physical effect. The dam incident in Norway is one case. Another closely-watched domain is attacks on industrial control systems, pipelines, undersea cables and energy grids. CSIS’s database notes that in the broader set of Russian “saboteur and subversion” operations, some 21 per cent of attacks between 2022–24 targeted government infrastructure, 21 per cent industry, 27 per cent transport, and 21 per cent critical infrastructure.
A further example is that in early 2024, the United Kingdom’s National Cyber Security Centre (NCSC) reported “state-aligned” Russian hacktivist groups targeting small industrial-control systems in North America and Europe. The pattern here suggests probing of weakly-defended infrastructure and a deliberate expansion of the target set beyond traditional government networks.
4. Official attribution and diplomatic signalling
In April 2025 the French government made a landmark statement: for the first time it publicly attributed a series of cyberattacks to the GRU, naming the threat actor APT28 (a cyber-hacking branch of this intelligence agency, also known as Cozy Bear). This marks a shift in attribution policy — from private warnings toward public naming and shaming — which in itself is a reflection of escalation in the cyber-domain.
5. Use of advanced technology and AI-enhanced campaigns
Western analysts have begun to document Russia’s increasing use of artificial intelligence tools to amplify cyber operations: automated spear-phishing, impersonation, social-engineering campaigns and scaled intrusion. One report notes that what was once “experimentation” in Russian cyber-capabilities now looks operational: “Russia is increasingly leveraging artificial intelligence to refine its cyber espionage and enhance attack precision.”
6. Hacktivist-proxy blending and supply-chain infiltration
Another trend is the blending of state-directed operations with proxy hacktivist or criminal networks, thus complicating attribution and raising volume. For instance, in July 2025, law-enforcement agencies led by Europol disrupted the pro-Russian cyber-group NoName057(16) in an operation codenamed “Eastwood”, which had been executing denial-of-service attacks against Ukraine and her allies.
Driver analysis: Why now, and what is the logic?
1. Escalation tied to the war in Ukraine
The escalation in cyber operations correlates directly with the intensity of the war in Ukraine. By targeting Western infrastructure, logistics, supply-chain actors and support networks, Russia is expanding the battlefield beyond Ukrainian territory. The cyber domain offers Moscow a way to impose cost and create deterrence without full-scale conventional escalation.
2. Deniability, ambiguity and effect below the threshold of war
Cyber-operations allow Moscow to act in the grey zone: damage inflicted, but plausible deniability retained. The use of proxies, hacktivists, and criminal networks provides layers of obfuscation and complicates Western response. The public attribution from France noted above indicates that Western tolerance for ambiguity is now lessened.
3. Relatively low-cost, scalable method
Compared to deployable conventional forces, cyber-attacks are relatively cheap, scalable and lower-risk in terms of casualties. Russia can press a broad series of operations (espionage, sabotage, influence) at modest cost and across multiple domains simultaneously.
4. Psychological impact, coercion and signalling
The objective is not only physical effect but psychological — to erode confidence, to sow fear, to stretch defenders thin, and to signal that Western critical systems are vulnerable. The Norwegian dam incident may have been more a message than a major destructive act.
5. Exploitation of Western vulnerabilities and legacy systems
Many Western states and infrastructure operators continue to rely on legacy systems, fragmented supply-chains, under-resourced cyber-defences, and dispersed governance frameworks. These provide entry points for attackers. In organisations with weak cyber-hygiene, the barrier to entry is low.
6. Technological momentum
Russia is adapting, using AI, automation, cloud vulnerabilities and more sophisticated tooling. The maturation of offensive cyber capabilities means that defenders must not simply harden perimeter walls but race to keep up with a widening domain of threat.
Challenges for Western defence and deterrence
Despite awareness of the threat, Western responses remain constrained and fragmented.
1. Attribution remains difficult
Proving beyond reasonable doubt that a given cyber-incident was directed by a state actor remains difficult. Hackers may route attacks through multiple proxies, or exploit false-flags. This complicates political decision-making about retaliation or sanctions.
2. Fragmented governance and capability gaps
Within the EU and NATO, cyber-defence responsibilities are dispersed among many national agencies, private operators and critical-infrastructure providers. Coordinated frameworks are still evolving. Moreover many key sectors (energy, water, transport) remain under-protected.
3. Deterrence is ambiguous
4. Legacy systems and supply-chain exposure
Legacy control systems, interconnected supply-chains, international service providers and third-party vendors represent open doors. Attackers exploit least-protected links and may gain footholds via logistics firms, software vendors or under-resourced peripheral networks.
5. Non-state actors blur the lines
When state-actors outsource operations to civilian criminal organisations or hacktivist networks, responding becomes legally and politically complex. The NoName057(16) disruption (July 2025), where attribution to a specific Russian intelligence agency was uncertain, is one such case.
Implications and risks ahead
1. Escalation into physical danger and cross-domain conflict
Persistent cyber-strikes on infrastructure risk triggering overt military responses, or leading to cascading physical damage. The line between digital and kinetic war is increasingly blurred.
2. Cascading failures and interdependence
Critical infrastructures are interconnected: consider power grids, data-networks and transport systems. An attack upon one node (for example an energy grid) may cascade into other sectors and across borders.
3. Erosion of norms
If Russian cyber operations succeed without meaningful cost, this weakens the norm that critical civilian infrastructure should not be attacked. Other states may emulate Moscow’s strategy, raising global cyber-instability.
4. Trust, democracy and societal resilience
Cyber-operations that target public services, elections, information systems and democratic institutions undermine trust. That in turn weakens Western societies’ ability to mobilise in response to global threat.
5. Technology arms-race
The use of AI and automation in cyber-operations invites counter-escalation: defenders will deploy automated detection, offensive capabilities may become more sophisticated, and the cycle of innovation may accelerate rapidly.
Conclusion
The past year and a half has witnessed a discernible intensification in Russia’s cyber-offensive posture towards the West. What began as primarily espionage and influence operations has morphed into a multi-domain campaign of logistics intrusion, infrastructure sabotage, supply-chain disruption and public attribution. The examples discussed above – from logistics firms supporting Ukraine, to a Norwegian dam flood-gate incident, to France’s formal naming of the GRU – all point to a richer, more ambiguous, and more dangerous front of conflict.
For Western states the challenge is two-fold: to defend and strengthen infrastructure, supply-chains, and governance; and to craft a credible deterrence and response posture in a domain where escalation thresholds remain hazy. Unless the West closes the gap, Russia’s strategy of “cyber coercion” may increasingly shape the balance of power in the digital age.

