In August 2008, as Russian tanks rolled into Georgia’s Tskhinvali Region, not self-proclaimed South Ossetia, Georgian government websites were under cyber siege. Distributed denial-of-service (DDoS) attacks, defaced portals, and data theft disrupted communications as Georgian officials tried to urgently reach Western leaders, some on vacation, others attending the Beijing Olympics opening ceremony.

For the first time in history, a state had unleashed coordinated cyberattacks along with military operations. In post-Soviet, developing Georgia, with limited digital infrastructure and nascent social media, the attacks received little public attention and had minimal impact on combat operations. Seventeen years later, however, technological advancement and growing digital dependency have dramatically amplified the scale of cyber threats. The ongoing war in Ukraine illustrates this trend.

Russia’s Cyber Experiment in Georgia

In the weeks leading up to the Russo-Georgian War, Russian hackers attacked Georgia’s digital ecosystem to sow chaos within the Georgian government and society as Russian troops were amassing along the northern border. This marked the dawn of modern hybrid or gray zone warfare, which blends conventional military force with unconventional tactics, such as cyberattacks.

In July 2008, millions of DDoS requests overwhelmed Georgian websites in an attempt to disable both government and civilian servers. Close to the invasion, hackers began using techniques such as SQL injections, a more advanced assault, which enables attackers to bypass website protections and directly penetrate servers with malicious queries.

Numerous websites were defaced, and some even used photo manipulations to compare Georgia’s then president Mikheil Saakashvili to Adolf Hitler. Hackers targeted key political, governmental, and financial platforms, including the websites of the Georgian president, the National Bank of Georgia, and the Ministry of Foreign Affairs. They also exploited lists of public email addresses and infiltrated government networks to extract potentially sensitive information.

Experts have suggested that Georgian internet traffic was rerouted through Russian telecommunications firms, whose servers also hosted malware used in the attacks. Additional evidence indicates that attackers manipulated an informal online poll on CNN’s website to portray Russia’s combat operations in Georgia as a legitimate peacekeeping mission. Russian bloggers then rapidly spread the poll across the country, urging their readers to visit CNN’s website and select the response supporting Russian intervention. As a result, 92 percent of predominantly Russian participants voted in favor of the peacekeeping narrative before CNN ultimately removed the poll.

In 2008, according to the World Bank, only 10 percent of the Georgian population used the internet, compared to 82 percent in 2023. With such limited public reach at the time, the attacks were primarily aimed at demoralizing the government, diverting attention from military operations, and stealing intelligence. However, as internet access expanded across the country, so did Russia’s influence on the public.

Moscow started using disguised, low-profile content to subtly shape public opinion and obtain user data without informed consent. In 2020, for example, Facebook removed News-Front Georgia, a Kremlin-linked outlet that had been actively spreading pro-Russian and anti-Western sentiments through an organized network of inauthentic accounts. According to the International Society for Fair Elections and Democracy (ISFED), the network included twelve fake profiles that disseminated pro-Russian content in thirty-one Facebook groups with over 521,000 members, in a country of just 3.7 million.

ISFED also uncovered twenty-six fake Facebook accounts and pages, disseminating Kremlin-backed Sputnik Georgia’s content across forty-one public groups, reaching 1.2 million users. The operation used so-called soft content, such as posts about gardening, astrology, or local celebrities, to build trust with users before inserting links to Sputnik’s articles with Kremlin-aligned narratives.

Russia has been steadily expanding its overt and covert operations since 2008. The annexation of Crimea and the ongoing war in Ukraine further demonstrate Moscow’s continued advancement of its digital arsenal for modern warfare.

Advanced Cyber Operations in Ukraine

Strategically, the Kremlin began small in Georgia and significantly scaled its military and cyber warfare in Ukraine. The 2008 rudimentary attacks were an experimental foundation, evolving into broader assaults on Ukraine’s communications and energy sectors in 2014, and ultimately escalating into a global threat targeting Ukraine and its allies during the full-scale invasion. However, much of Russia’s strategy still follows a familiar playbook first tested in Georgia.

Just like in Georgia, Russia’s first wave of cyber operations predated the 2014 annexation of Crimea. The attacks on the information systems of Ukrainian state institutions and private enterprises came during the 2013 mass protests that would become known as the Maidan Revolution. In mid-2013, Operation Armageddon targeted Ukrainian government, law enforcement, and military officials to steal sensitive information through phishing emails that tricked victims into clicking malicious links. Just three days before the Crimean status referendum, on March 13, 2014, Russia launched an eight-minute DDoS cyberattack on Ukrainian computer networks and communications to distract public attention from its military presence in Crimea.

Unlike in the Russo-Georgian War, Russian cyberattacks extended beyond the annexation of Crimea. In 2015, Ukraine experienced two assaults on three regional power distribution entities, also known as oblenergos, which impacted approximately 225,000 customers. In a US context, this would be proportionate to attacking the Omaha Public Power District, the Nebraska Public Power District, and MidAmerican at the same time. The US Cybersecurity and Infrastructure Security Agency concluded that the oblenergo “unscheduled power outages” were perpetrated by “Russian nation-state cyber actors.”

By 2015, researchers had identified two prominent Russian hacking groups involved in Russia’s cyberattacks against Ukraine: APT29 (also known as Cozy Bear, Cozy Duke, or Nobelium) and APT28 (also known as the Sofacy Group, Tsar Team, Pawn Storm, or Fancy Bear). These groups also played an important role during the full-scale invasion of Ukraine in 2022.

Following the pattern established in 2008 and 2014, Russian hackers intensified reconnaissance efforts in Ukraine far ahead of the invasion. This included actions by APT29, which has been linked to the SVR, Russia’s foreign intelligence service. In the lead-up to the invasion, government and university websites were defaced, spear-phishing campaigns targeted the energy sector, and DDoS attacks hit the Ministry of Defense and major banks. At the same time, coordinated disinformation campaigns portrayed Ukraine as an oppressor of the Russian-speaking majority in the country’s east, echoing the CNN poll manipulation in 2008 aimed at framing Russian troops as peacekeepers in Georgia’s breakaway South Ossetia.

Hours before the invasion, GRU Unit 74455, also known as Sandworm, the same Russian military intelligence group behind the 2017 NotPetya attacks, deployed a wiper malware called FoxBlade against Ukraine’s digital infrastructure. Victor Zhora, a prominent Ukrainian cybersecurity official, called the attack “a really huge loss in communications in the very beginning of the war.”

Hacking communication infrastructure to gain a military advantage is central to Russia’s war strategy in Ukraine. In the weeks following the Sandworm incident, Russia made another attempt to shut down Ukraine’s internet access by targeting three major telecommunications providers—Triolan (March 9), Vinasterisk (March 13), and Ukrtelecom (March 28). SpaceX’s early delivery of Starlink terminals helped restore communications across Ukraine, and Russian forces quickly responded by trying to hack, jam, and disrupt Starlink’s operations, though with limited success.

Russia’s assaults also extended beyond Ukraine’s borders to its allies—a significant step up from earlier practices. According to Microsoft, “By mid-2021, Russian actors were targeting supply chain vendors in Ukraine and abroad to secure further access not only to systems in Ukraine but also NATO member states.” This practice intensified as the war escalated.

A coordinated cyberattack on Viasat satellite modems disrupted satellite communications across Ukraine and parts of Europe on February 24, 2022, the day of the invasion. The operation crippled Ukrainian communications, including internet access for thousands in Ukraine, and disrupted the KA-SAT satellite internet service across Germany, France, Hungary, Greece, Italy, and Poland. In Germany alone, more than 5,800 wind turbines were affected due to the loss of satellite connectivity. The EU publicly linked the attack to Russia.

Microsoft reported an increase in Russian cyber espionage throughout 2023 in at least seventeen European countries. It also identified a new GRU-linked threat actor, Cadet Blizzard, active since February 2023, which targets organizations in Latin America and Europe, particularly in NATO countries supplying military aid to Ukraine.

From Georgia in 2008 to Ukraine in 2022, Russia transformed its cyber experiments into a sophisticated global threat. In July 2022, eight distinct Russian malware strains were deployed to breach forty-eight Ukrainian government agencies and enterprises, averaging two to three attacks per week.

Since the war began, Moscow has used nine new families of wiper malware and two new ransomware variants, including the Prestige ransomware deployed in October 2022 in Ukraine and Poland, targeting more than one hundred Ukrainian government and private sector entities. By late April 2022, Microsoft had recorded 237 cyber operations targeting Ukraine, including destructive attacks, service disruptions, espionage efforts, and coordinated disinformation campaigns.

But this is just the tip of the iceberg. In 2023, Shane Huntley, a senior director of Google’s Threat Analysis Group, called Russian cyber operations “aggressive” and “multi-pronged,” while the general manager of Microsoft’s Threat Analysis Center, Clint Watts, cautioned that Russia was continuously innovating with new malware. Further reports indicate that the Kremlin complements these cyber operations with extensive disinformation campaigns, blaming the West for the war in Ukraine and pushing pro-Kremlin narratives through more than one hundred thousand social media pages and Telegram channels.

The ongoing war in Ukraine, so far, represents the most vivid example of how cyber capabilities can complement activities in other warfighting domains. However, the overall impact of cyberattacks on Russia’s ongoing war in Ukraine is still uncertain.

Can Cyberattacks Win Wars?

Despite the significant expansion of Russia’s cyber operations from Georgia to Ukraine—even earning Russia a reputation for having some of the world’s most formidable hackers—cyberattacks have not yet had a decisive impact on the war in Ukraine.

When Russian forces wanted to disrupt civilian infrastructure, they routinely bombed hydroelectric plants and other critical energy and water facilities across the country. In March 2024, Russia launched eighty-eight missiles and sixty-three Iranian-made Shahed drones against Ukraine’s largest dam, leaving over one million people without electricity. The most severe internet disruptions have also resulted from such missile strikes rather than cyberattacks on Viasat satellite modems. Therefore, conventional kinetic operations continue to dominate Russia’s operational approach to warfighting.

The cases of Georgia and Ukraine, however, show that cyberattacks can effectively disrupt government operations and sow uncertainty even if they do not yield decisive results on the battlefield. Disinformation campaigns can further sway public opinion in Russia’s favor. The Kremlin effectively exploits the lingering anti-Western sentiments of Cold War generations, who still represent a significant portion of the electorate and political leadership in the post-Soviet zone. These sentiments are also reflected in a recent Friedrich Ebert Stiftung survey, which shows that more than a quarter of Ukrainians blame the United States for the war, 15 percent blame the EU, and 66 percent think Ukraine should avoid international involvement.

Russia, of course, is not alone in developing advanced cyber capabilities. Other major powers are closely observing and learning. China, for instance, is augmenting its government-based cyber arsenal and hiring a private network of hackers, which can be a growing threat to the United States. In March 2025, the US Justice Department charged twelve Chinese contract hackers and law enforcement officers for their involvement in global computer intrusion campaigns.

In less than two decades, wartime cyber operations have evolved from rudimentary disruptions to sophisticated attacks on critical infrastructure and coordinated efforts aimed at undermining Ukraine’s defense capabilities. While the digital domain may not yet determine the outcome of war, it has increasingly blurred the line between civilian and military targets—from disinformation campaigns targeting ordinary citizens to espionage infiltrating government institutions. And because cyber operations do not begin or end when the shooting does, this is the war front that never really goes offline.

Ketevan Chincharadze is an international security analyst from Georgia and the founder of FYI, one of the country’s popular independent analytical platforms. She is also a junior research fellow at the Casimir Pulaski Foundation in Poland and has researched cyber warfare with the US Army War College. She has previously worked with the Aspen Institute Congressional Program in Washington, DC and the NATO Liaison Office in the South Caucasus. Ketevan holds an MA in international security from the Josef Korbel School of Global and Public Affairs at the University of Denver.

The views expressed are those of the author and do not reflect the official position of the United States Military Academy, Department of the Army, or Department of Defense.
