ArchiveOODA OriginalSecurity and Resiliency

Why Hasn’t Russia Used More Destructive Cyber Attacks Against Ukraine?

Many have questioned why Russia hasn’t executed more catastrophic cyber attacks against Ukraine since its invasion, something that many experts thought feared would happen and a logical course of action for a belligerent Moscow. Russia has long been considered a near-peer to the United States in terms of its cyber capabilities, a belief that has been consistently reinforced in annual U.S. Intelligence Community reporting on worldwide threats. Supporting this assessment, Russia has been associated with some of the most noteworthy attacks both in execution and sophistication.  In addition to manipulating social media platforms to support disinformation and influence campaigns, Russia state cyber actors have exploited industrial control systems, supply chain sources, and other espionage activities that exploit trust. In short, Russia has shown itself to be a well-resourced, full-spectrum cyber threat able to script malware, execute sophisticated surreptitious operations, and exploit any target.

And yet the malware that has surfaced in the Ukraine conflict has not been the most advanced, an odd development that has raised questions among security professionals. Once committed to a kinetic invasion, a logical presumption would be that more robust cyber weaponry would be deployed to match Russia’s military might to quickly subdue Ukraine. But two weeks into the conflict, the attacks that have transpired have been anything but extraordinary. Distributed denial-of-service (DDoS) attacks and wiper malware can certainly make a significant impact on the operations of key organizations, but they do not quite create the impressive “shock and awe” effects people expect when they hear “catastrophic.”

There are many possible reasons for this with explanations ranging from Russia’s desire to hold back its more significant cyber weaponry to an intimation that Russia may not actually have a technologically advanced cyber arsenal at its disposal, a product of “neglecting” to develop them in favor of less expensive alternatives easier to contain. For the former, this may very well apply, as Russia is expecting Western cyber attacks to target its own critical infrastructure in potential preemptive strikes or in response to a Russian cyber attack, and as such, may want to reserve certain weapons for retaliation, and if need be, escalation. While the latter is certainly possible, there is little evidence to support this hypothesis, especially given the sophisticated cyber espionage campaigns Moscow has executed, which require programming skills and a deep understanding of networking, topology, and the processes that run on them. Simply sophisticated cyber attacks cannot be conducted at the spur of the moment, and need extensive prior preparation.

Perhaps the simplest and most reasonable explanation to reconcile is the fact that Moscow, as well as other cyber-capable nation states, is still trying to determine how to marry cyber attacks with its kinetic counterparts to achieve its objectives during periods of military conflict. Russia’s previous experiences during its 2008 failed incursion into Georgia and its successful 2014 annex of Crimea, Russia has experimented using cyber attacks in tandem with military action with varying degrees of success. In both instances, Moscow conducted a series of DDoS attacks and webpage defacements along with robust information-enabled campaigns to accompany its military maneuvers. This latest effort has included those attacks as well as a series of wiper malware designed to destroy data.

As opposed to executing cyber attacks during periods of tension short of war, cyber attacks during actual kinetic conflict need to align with other military operations in order to achieve maximum effect and strategic benefit. This may be a reason that instead of using a cyber attack to take out a power target (like it did in had in 2015 and 2017), Russia recently used conventional military strikes to destroy energy targets in Mariupol and Sumy. The damage caused by kinetic weapons can be more quantifiably measured as they produce visible and permanent effects allowing for more accuratebattle damage assessment. Measuring the effects of cyber attacks is more difficult as myriad of variables need to be considered.

Cyber weapons could possibly achieve the same results, but would require more substantive advanced planning, reconnaissance, gaining and sustaining access into a target environment undetected, and the ability to execute an attack that achieves the desired effect. This certainly is more manageable in the lead up to military conflict, but once the fighting starts, the familiarity of conventional weapons in real time is a more reliable option to achieve tactical objectives.

Moscow may have avoided prepping the Ukraine battlefield in this way because it overestimated its own military capabilities as well as underestimated Ukrainian capabilities and resolve. It can still resort to using more advanced cyber attacks against Ukraine though it has more kinetic weaponry at its disposal to unleash should it decide to do so. More likely, Russia is reserving its advanced cyber tools to respond to potential U.S. or Western cyber attacks. Reporting indicates that Russia may have already tried gaining access into U.S. natural gas suppliers prior to its invasion. With suspicions of Russian cyber actors having gained access into other U.S. critical infrastructures, and already developed destructive industrial Control System malware that would severely impact their operations (should it feel necessary) Moscow is positioned to strike at the “red lines” Biden stated to Putin not to cross in their summit in Geneva in 2021. There is little doubt that Russia has the capability and cyber weapons to deploy.  Should it choose to use them, there is a good chance that Ukraine will likely not be the target.

Related Reading:

Black Swans and Gray Rhinos

Now more than ever, organizations need to apply rigorous thought to business risks and opportunities. In doing so it is useful to understand the concepts embodied in the terms Black Swan and Gray Rhino. See: Potential Future Opportunities, Risks and Mitigation Strategies in the Age of Continuous Crisis

Explore OODA Research and Analysis

Use OODA Loop to improve your decision making in any competitive endeavor. Explore OODA Loop

Decision Intelligence

The greatest determinant of your success will be the quality of your decisions. We examine frameworks for understanding and reducing risk while enabling opportunities. Topics include Black Swans, Gray Rhinos, Foresight, Strategy, Stratigames, Business Intelligence and Intelligent Enterprises. Leadership in the modern age is also a key topic in this domain. Explore Decision Intelligence

Disruptive/Exponential Technology

We track the rapidly changing world of technology with a focus on what leaders need to know to improve decision-making. The future of tech is being created now and we provide insights that enable optimized action based on the future of tech. We provide deep insights into Artificial Intelligence, Machine Learning, Cloud Computing, Quantum Computing, Security Technology, Space Technology. Explore Disruptive/Exponential Tech

Security and Resiliency

Security and resiliency topics include geopolitical and cyber risk, cyber conflict, cyber diplomacy, cybersecurity, nation state conflict, non-nation state conflict, global health, international crime, supply chain and terrorism. Explore Security and Resiliency


The OODA community includes a broad group of decision-makers, analysts, entrepreneurs, government leaders and tech creators. Interact with and learn from your peers via online monthly meetings, OODA Salons, the OODAcast, in-person conferences and an online forum. For the most sensitive discussions interact with executive leaders via a closed Wickr channel. The community also has access to a member only video library. Explore The OODA Community

Emilio Iasiello

Emilio Iasiello

Emilio Iasiello has nearly 20 years’ experience as a strategic cyber intelligence analyst, supporting US government civilian and military intelligence organizations, as well as the private sector. He has delivered cyber threat presentations to domestic and international audiences and has published extensively in such peer-reviewed journals as Parameters, Journal of Strategic Security, the Georgetown Journal of International Affairs, and the Cyber Defense Review, among others. All comments and opinions expressed are solely his own.