Articles / Analysis

Cyberspace as Another Front of War

Cyberattacks have long been a part of Russia’s war against Ukraine, and their frequency increases every year. In 2025 alone, nearly 6, 000 such attacks were recorded against Ukraine—a 37% increase compared to the previous year.
Maria Krikunenko 02 May 2026UA DE EN ES FR RU

Ілюстративне зображення, © Марія Крікуненко Illustrative image, © Maria Krikunenko Illustration © Maria Krikounenko Иллюстративное изображение, © Мария Крикуненко

Illustrative image, © Maria Krikunenko

The International Criminal Court is already investigating Russian strikes against Ukraine’s civilian infrastructure in cyberspace as potential war crimes.

Ukraine as a Testing Ground for Russian Cyberattacks

Following the Revolution of Dignity and the onset of Russian aggression in 2014, cyberattacks became yet another instrument of war for the Russian Federation in its conflict with Ukraine. Government institutions, the energy sector, media outlets, businesses, and critical infrastructure were all attacked.

One of the first high-profile incidents was the attack on the Central Election Commission (CEC) during the 2014 presidential elections. At that time, hackers attempted to disrupt the system’s operations and display falsified voting results on the CEC website. According to CEPA, the attack was successfully thwarted and, consequently, did not affect the election results. Despite the attack being swiftly neutralized, Russia’s “Channel One” aired a news segment the very next day featuring what it claimed was the “CEC website,” displaying the manipulated results.

The following year, the Sandworm group launched an attack on the Ukrainian power grid, leaving approximately 230,000 consumers without electricity. On December 17, 2016, a second such incident occurred in Ukraine—this time affecting parts of Kyiv. According to a report by the State Service of Special Communications and Information Protection of Ukraine, Sandworm has been linked to 80 cyber intrusions between 2022 and 2024—an average of two per month. In 2017, Russia deployed the NotPetya virus against Ukraine. It began as an attack on Ukrainian systems intended to destabilize the situation within the country. However, it quickly spread globally, inflicting billions in losses upon companies across Europe, Asia, and the United States. At the time, the White House described NotPetya as “the most destructive and costly cyberattack in history.” The UK Foreign Office asserted that the objective of the cyberattack was to disrupt the operations of Ukrainian government institutions and the country’s financial and energy sectors.

That same year, Valentyn Petrov—then the Head of the Information Security Service within the Office of the National Security and Defense Council (NSDC)—stated that Russian intelligence agencies and affiliated hacker groups were using Ukraine as a testing ground for developing new methods to disable critical infrastructure.

How ​​Russia’s Cyberattack Tactics Have Evolved

Following the start of the full-scale invasion, Russia continued to employ cyberattacks, often executing them in parallel with kinetic strikes on the battlefield. On February 24, 2022—approximately one hour before the ground offensive began—an attack was launched against the Viasat satellite network. While its primary target was likely Ukrainian military communications, the repercussions were also felt by civilian users and businesses in other European countries.

According to data from the State Service of Special Communications and Information Protection (SSSCIP), the number of registered cyber incidents has risen annually throughout the full-scale invasion: 1,350 in 2021, 2,194 in 2022, 2,543 in 2023, 4,315 in 2024, and nearly 6,000 in 2025. Furthermore, according to the SSSCIP’s report, Russia’s tactics have been undergoing a gradual shift. Whereas in the early stages of the full-scale invasion the adversary tended to prioritize destructive attacks, it has subsequently begun to focus increasingly on espionage, maintaining a covert presence within target systems, and intelligence gathering. In 2024, the focus shifted to organizations directly involved in military operations and to service providers supporting the war effort.

In 2024, Ukraine was subjected to one of the most massive cyberattacks on state registries in recent memory. As a result of the attack, which has been linked to Russian hackers, the operation of key systems within the Ministry of Justice was temporarily halted. According to Volodymyr Karastelev, Head of the SBU’s Cybersecurity Department, the attack was carried out by a Russian hacker group. The Security Service of Ukraine (SBU) established the group’s ties to the Main Intelligence Directorate of the General Staff of the Russian Armed Forces.

Throughout the war, Ukrainian media outlets have remained a distinct target of Russian cyberattacks. Hacks of TV channels, news agencies, and online platforms are frequently used to disseminate fake stories disguised as news reports from reputable media sources. One such incident occurred in February 2024. According to the Institute of Mass Information, on February 18—19, Russian hackers attacked at least six Ukrainian media resources: the websites “Telegraf”, “Apostrof”, and LIGA.net; the “Ukrainska Pravda” page on the social network X; and the TV channels “Espreso” and “Priamyi”. On the compromised resources, the hackers posted disinformation claiming that Russian forces had supposedly “routed” elite units of the Ukrainian Armed Forces in Avdiivka.

Telecommunications infrastructure has also come under attack. Reliable connectivity is critical for air raid alerts, banking and government services, business operations, and people’s ability to stay in touch during shelling. One of the largest incidents was the cyberattack on Kyivstar on December 12, 2023: due to a technical failure, millions of subscribers were temporarily left without mobile service or internet access.

Can cyberattacks be classified as war crimes?

On June 14, 2024, Reuters reported that International Criminal Court (ICC) prosecutors are investigating Russian cyberattacks targeting Ukrainian civilian infrastructure as potential war crimes. If sufficient evidence is gathered, those accused of these cybercrimes could face arrest warrants.

Such an ICC investigation—in which cyberattacks are examined as potential war crimes—could set a precedent in international law.

In November 2023, Prosecutor General Andriy Kostin told “TIME” magazine that Ukraine is investigating Russian cyberattacks as war crimes. According to him, this is an extremely complex and nearly unprecedented process, in which Palantir and Microsoft are assisting Ukrainian law enforcement agencies.

This investigation is significant not only for Ukraine but for international law as a whole. The Geneva Conventions prohibit attacks on civilian objects; however, in cyberspace, there is still no consensus on exactly what constitutes a “cyber war crime.” For instance, it remains a matter of debate whether data itself can be considered a distinct object of attack, and whether the destruction of such data constitutes a war crime if it results in severe consequences for civilians.

The ICC’s focus may center, particularly, on attacks against energy infrastructure and telecommunications networks. Reuters reported that the Sandworm group, mentioned earlier in this text, is among the suspected perpetrators.

The attack on Kyivstar serves as one example of why cyberattacks may extend beyond the scope of a mere “technical incident.” Michael Schmitt, a professor of international law cited by Reuters, believes that the hack of Kyivstar could meet the criteria for a war crime, given that the perpetrators must have understood the foreseeable consequences of such an attack for civilians.

Share this article