# The Role of Cyber in Hybrid Warfare
## Definition and Overview
Hybrid warfare is a strategy that combines conventional military force, irregular warfare, economic coercion, information operations, and cyber operations to achieve strategic objectives, typically while remaining below the threshold of declared armed conflict. The term is contested in academic and policy circles, but as a descriptor of observed state behavior, it captures something real: the deliberate integration of multiple instruments of national power in ways that blur the traditional boundaries between war and peace, combatant and civilian, and military and political domains.
Cyber operations are a central component of the modern hybrid warfare toolkit. They enable persistent, deniable intrusions into adversary infrastructure; they support information operations by enabling theft and selective release of data to shape narratives; and they create the potential for kinetic effects, such as disruption of power grids or communications systems, without the political costs of conventional military attack. The speed, scalability, and relative cost-efficiency of cyber operations make them attractive as tools for states seeking to achieve strategic effects while managing escalation risk.
Russia is the most studied practitioner of hybrid warfare, and the conflict in Ukraine from 2014 onward provides the most extensively documented case study of how cyber operations integrate with the full spectrum of state instruments. The lessons from Ukraine are not unique to that conflict: the techniques, the doctrine, and the infrastructure that Russia has used against Ukraine have also been deployed against Western democratic institutions, critical infrastructure operators, and allied governments. Within the Planetary Defense Model, this topic sits at the intersection of the Threat Intelligence and Defense (TID) domain, which tracks state-sponsored actors and their capabilities, and the Risk Governance and Assurance (RGA) domain, which must account for combined cyber-physical risk in client governance frameworks.
## Background
The intellectual foundation for Russia's modern hybrid warfare doctrine is often traced to an article published in February 2013 by General Valery Gerasimov, the Chief of the Russian General Staff, in the Russian newspaper Military-Industrial Courier. The article, which became known in Western analysis as the "Gerasimov Doctrine," described what Gerasimov characterized as a new form of conflict in which non-military means are primary, the lines between war and peace are blurred, and the ratio of non-military to military measures can be four to one or higher. Gerasimov cited the Arab Spring as an example of how a stable state could be destabilized through a combination of information operations, economic pressure, and popular mobilization, with conventional military force playing a supporting rather than leading role.
Western analysts initially overstated the novelty of Gerasimov's observations: many of the techniques he described have historical precedents in Soviet "active measures" doctrine. But the article was accurate in describing a strategic orientation that Russia would proceed to demonstrate operationally. The hybrid warfare model it described had been rehearsed in Russia's 2008 war with Georgia, where cyber attacks on Georgian government and media websites accompanied the ground invasion, and it would be fully operationalized against Ukraine beginning in 2014.
The background also includes Russia's sustained investment in military cyber capabilities through the GRU's Unit 74455 (known in Western threat intelligence as Sandworm) and Unit 26165 (APT28/Fancy Bear), the FSB's Center for Information Security (Turla), and affiliated contractor and criminal networks. These organizations developed a range of capabilities including custom malware, industrial control system attack tools, and the large-scale destructive wiper malware that would be deployed in Ukraine.
## Why It Matters
The hybrid warfare model matters to defenders in several ways that directly affect how organizations should think about threat modeling and resilience planning.
First, hybrid warfare erases the comfortable assumption that cyber attacks on private sector critical infrastructure are criminal or espionage events rather than acts of war. The NotPetya malware, deployed in June 2017 ostensibly against Ukrainian targets, was a weapon of warfare. It infected global shipping, pharmaceutical, and logistics companies not through any targeting decision but because their networks connected to Ukrainian infrastructure. The resulting global damages, estimated at $10 billion, made it the costliest cyber attack in history. Organizations that thought of themselves as being outside the conflict were inside it.
Second, the hybrid warfare model reveals that cyber operations are often preparation for later kinetic action rather than standalone events. The pre-positioning of Russian cyber tools in Ukrainian government and military networks before the 2014 annexation of Crimea served intelligence and disruption purposes in support of the subsequent military operation. The AcidRain wiper's destruction of Viasat's KA-SAT satellite modem network on February 24, 2022, the same morning Russian armored columns crossed into Ukraine, was an integral element of the military operation, not a separate cyber event. Defenders who detect intrusions and evict adversaries may be disrupting operational preparation for future kinetic action, not merely responding to espionage.
Third, understanding the hybrid warfare model helps explain why Russia and other state actors pre-position malware in critical infrastructure systems that appear to have no near-term intelligence value. The CISA/NSA advisory on Volt Typhoon, published in February 2024, assessed that the PRC was pre-positioning in U.S. critical infrastructure as preparation for potential hybrid operations in a future conflict scenario.
## Analysis and Technical Details
### The Crimea Model (2014)
Russia's hybrid operation to annex Crimea in February-March 2014 is the most cited example of coordinated cyber and information operations preceding military action. In the weeks before and during the annexation, Ukrainian government and military communications networks were disrupted, mobile communications for Ukrainian legislators were jammed during the parliamentary vote to oust President Yanukovych, and pro-Russian information operations across social media and Russian state media created the narrative that Ukrainian Russian-speakers were under threat.
Cyber operations in this phase were primarily disruption and intelligence-collection focused rather than destructive. The goal was to degrade Ukrainian military and government communications, complicate the Ukrainian command-and-control response to the entry of Russian special forces and "little green men," and create information dominance in the narrative space. The cyber operations were not a separate campaign but a coordinated instrument integrated with the information and military operations timeline.
### The 2015 and 2016 Ukrainian Power Grid Attacks
The attacks on Ukraine's power grid in December 2015 and December 2016 represent the first publicly confirmed cyber attacks to cause blackouts affecting civilian populations. The 2015 attack, attributed to Sandworm, used the BlackEnergy malware to compromise the IT networks of three Ukrainian regional power distribution companies, and then pivoted to the operational technology systems controlling substations. Attackers remotely opened circuit breakers, disconnecting power to approximately 225,000 customers in western Ukraine for several hours. The 2016 Industroyer/CrashOverride attack against a Kyiv transmission substation was more sophisticated: it used modular malware specifically designed to speak the industrial communication protocols used in power grid control systems, enabling direct manipulation of substation equipment.
These attacks established that state-sponsored actors had developed and deployed capabilities specifically designed to attack industrial control systems in the power sector, and that they were willing to use those capabilities against civilian infrastructure in an ongoing hybrid conflict.
### The 2022 Full-Scale Invasion
The cyber dimension of Russia's February 2022 full-scale invasion of Ukraine was anticipated to be decisive. In the event, it was significant but not strategically determinative, for reasons that carry important lessons.
The AcidRain wiper, deployed on February 24, 2022, targeted Viasat's KA-SAT satellite modem network. The attack took offline tens of thousands of satellite modems across Ukraine and in neighboring European countries, disrupting Ukrainian military communications in the critical opening hours of the invasion and creating collateral damage including the disruption of approximately 5,800 Enercon wind turbines in Germany. The AcidRain attack was among the most sophisticated and consequential cyber operations of the invasion.
HermeticWiper and IsaacWiper were deployed against Ukrainian government and private sector systems beginning February 23-24, 2022. These destructive wipers were designed to render systems inoperable by overwriting the master boot record and partition tables. WhisperGate, a wiper disguised as ransomware, had been deployed beginning January 13, 2022; it defaced Ukrainian government ministry websites while executing destructive wiper functionality against the underlying systems.
The relative resilience of Ukrainian cyber defenses in 2022, compared with expectations, reflected several factors: extensive preparation by Ukrainian cybersecurity personnel in the years following the 2015-2016 attacks; rapid support from U.S. government agencies including CISA, NSA, and Cyber Command; significant assistance from commercial cybersecurity firms including Microsoft, Google, and others; and the rapid migration of Ukrainian government data and systems to cloud infrastructure in the days before the invasion. The 2022 experience demonstrated that well-prepared defenders, backed by capable allies and commercial partners, can significantly blunt the effectiveness of even sophisticated state cyber operations.
### Volt Typhoon and Below-Threshold Persistent Operations
The most consequential form of hybrid warfare cyber activity for Western defenders may not be the dramatic wiper attacks but the quiet, persistent pre-positioning operations that attract less attention. The U.S. government's public exposure of the Volt Typhoon campaign, through a coordinated advisory from CISA, NSA, and FBI in February 2024, revealed that the PRC had been systematically compromising U.S. critical infrastructure including communications, energy, water, and transportation systems. The government's stated assessment was that this pre-positioning was intended to enable disruption of U.S. critical infrastructure in the event of a major conflict, particularly one involving Taiwan.
Volt Typhoon's tradecraft was notable for its emphasis on "living off the land": using built-in operating system tools rather than custom malware, blending with legitimate administrator activity, and maintaining long-term persistent access without triggering typical security monitoring. This approach makes detection extraordinarily difficult and eviction incomplete, since defenders may not find all access paths even when they know a compromise has occurred.
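As an added example that is not part of the original article, the Python below contrasts a signature rule on built-in tool names (which fires on every admin session) with a baseline-deviation check that flags only admin-tool use that departs from an account's routine. The process-creation record format, host names, account names and command lines are constructed assumptions.

```python
from collections import defaultdict
# Built-in Windows tools that administrators and living-off-the-land intrusions both
# use: alerting on the tool name alone fires on every legitimate admin session.
ADMIN_TOOLS = {"netsh.exe", "wmic.exe", "schtasks.exe", "powershell.exe"}

def parse(line):
    """Parse a constructed 'timestamp|host|user|image|cmdline' process-creation record."""
    ts, host, user, image, cmdline = line.strip().split("|", 4)
    return {"ts": ts, "hour": int(ts[11:13]), "host": host, "user": user,
            "image": image.lower(), "cmdline": cmdline}

def naive_alerts(events):
    """Signature-style rule: one alert per admin-tool execution."""
    return sum(1 for e in events if e["image"] in ADMIN_TOOLS)

def build_baseline(events):
    """Learn which (host, user, tool) triads and hours of day are routine."""
    seen, hours = set(), defaultdict(set)
    for e in events:
        seen.add((e["host"], e["user"], e["image"]))
        hours[e["user"]].add(e["hour"])
    return seen, hours

def baseline_alerts(baseline, events):
    """Alert only on admin-tool use that deviates from the baseline: [(event, reasons)]."""
    seen, hours = baseline
    flagged = []
    for e in events:
        reasons = []
        if e["image"] in ADMIN_TOOLS:
            if (e["host"], e["user"], e["image"]) not in seen:
                reasons.append("tool never run by this account on this host")
            if e["hour"] not in hours.get(e["user"], set()):
                reasons.append("outside the account's observed working hours")
        if reasons:
            flagged.append((e, reasons))
    return flagged

# Constructed baseline week: routine administration by one known admin account.
BASELINE = [parse(l) for l in """\
2024-02-01T09:12:00|dc01|jsmith|netsh.exe|netsh interface show interface
2024-02-02T10:05:00|dc01|jsmith|wmic.exe|wmic os get caption
2024-02-03T14:30:00|fs02|jsmith|powershell.exe|Get-Service -Name Spooler
2024-02-05T11:00:00|dc01|jsmith|schtasks.exe|schtasks /query""".splitlines()]

# Constructed new events: the first two are routine, the last two deviate.
NEW = [parse(l) for l in """\
2024-02-08T09:40:00|dc01|jsmith|netsh.exe|netsh interface show interface
2024-02-08T14:00:00|fs02|jsmith|powershell.exe|Get-Service -Name Spooler
2024-02-09T03:15:00|dc01|svc_backup|schtasks.exe|schtasks /query
2024-02-09T22:50:00|fs02|jsmith|wmic.exe|wmic os get caption""".splitlines()]
```

Against the baseline week the signature rule raises four alerts and the baseline check raises none; on the new events only the unfamiliar service account's run and the late-night wmic run on a different host are flagged, which is the kind of context-based signal the advisory's "living off the land" finding forces defenders to rely on.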
## CDA Perspective
CDA's TID domain, operating through the Predictive Defense Intelligence (PDI) methodology, treats hybrid warfare doctrine as a critical context layer for threat actor analysis. The PDI framework does not analyze cyber threat actors as isolated technical phenomena. It places them in their strategic, operational, and doctrinal context to produce assessments that answer the questions clients actually need answered: Is this intrusion preparatory to something larger? Is this attacker collecting intelligence or pre-positioning for disruption? What does their choice of targets and techniques reveal about their strategic intent?
For critical infrastructure clients, the hybrid warfare context is operationally significant. An intrusion that appears to be intelligence collection in a telecommunications provider or a water treatment facility may be pre-positioning for disruption in a future conflict scenario. PDI assessments for clients in these sectors incorporate hybrid warfare doctrine explicitly, using open-source intelligence on geopolitical tensions, observed attacker TTPs, and sector targeting patterns to assess whether detected activity fits a pre-positioning profile.
CDA's RGA domain addresses hybrid warfare risk through governance frameworks that account for combined cyber-physical scenarios. Traditional risk assessments that treat cyber attacks as data breaches and estimate financial losses from notification and remediation costs are inadequate for critical infrastructure operators. PCA engagements for these clients build resilience scenarios that account for sustained, multi-vector attacks coordinated with broader geopolitical events, including the possibility that the organization's cyber defenses will be under maximum stress precisely when its physical operations are also disrupted.
The practical recommendation CDA draws from the Ukrainian experience is that preparation, allied relationships, and pre-built resilience are the decisive variables in hybrid warfare survival. Ukraine's relative cyber resilience in 2022 was not accidental: it was the product of years of preparation following the 2015-2016 attacks. Western organizations in sectors targeted by state actors should treat the current period as their preparation window.
## Key Takeaways
- Hybrid warfare integrates cyber operations with information operations, economic pressure, and conventional military force to achieve strategic objectives below the threshold of declared war. Russia is the primary practitioner, and Ukraine provides the most extensively documented case study.
- The Gerasimov article (2013) described a strategic orientation that Russia operationalized in Crimea (2014), through the Ukrainian power grid attacks (2015-2016), and in the full-scale invasion (2022).
- The 2022 invasion demonstrated both the ambition of Russian cyber operations (AcidRain, HermeticWiper, IsaacWiper, WhisperGate) and the limits of their effectiveness against well-prepared defenders backed by capable government and commercial partners.
- NotPetya (2017) established that cyber weapons intended for specific regional conflicts cause global collateral damage. Organizations connected to targeted infrastructure are inside the conflict whether they intend to be or not.
- Volt Typhoon's documented pre-positioning in U.S. critical infrastructure represents the PRC applying hybrid warfare doctrine to the potential Taiwan scenario. CISA assessed this pre-positioning as intended to disrupt U.S. infrastructure during a potential conflict.
- CDA's PDI methodology treats hybrid warfare doctrine as a required context layer for threat actor analysis of state-sponsored activity targeting critical infrastructure. CDA's PCA methodology builds combined cyber-physical resilience scenarios into governance frameworks for critical infrastructure clients.
## Sources
- Gerasimov, Valery. "The Value of Science Is in the Foresight." Military-Industrial Courier, February 2013. English translation by Robert Coalson, Military Review, January-February 2016.
- CISA, NSA, FBI, and Partners. "People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection." Advisory AA23-144A, May 2023. https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a
- CISA, NSA, FBI, and Partners. "PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure." Advisory AA24-038A, February 2024. https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a
- Greenberg, Andy. "Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers." Doubleday, 2019.
- Cherepanov, Anton and Lipovsky, Robert. "Industroyer: Biggest Threat to Industrial Control Systems Since Stuxnet." ESET Research, June 2017.
- Microsoft Threat Intelligence Center. "MSTIC Disruption and Disinformation Indicators: Ukraine Conflict Monitoring." Microsoft, 2022.
- Rid, Thomas. "Active Measures: The Secret History of Disinformation and Political Warfare." Farrar, Straus and Giroux, 2020.
- CDA, LLC. "Threat Intelligence and Defense Domain Reference." CDA Canon, 2026.