What is cyberwarfare

What is cyberwarfare? Learn how nation-states and state-sponsored hackers use digital operations to target critical infrastructure, conduct espionage, disrupt services, and spread misinformation as part of broader warfare strategies.

What is cyberwarfare?

Governments and state-sponsored hacking groups use digital warfare to target information networks, infrastructure, or institutions.

Common cyberwarfare tactics center on espionage and the theft of sensitive information to achieve strategic military or political advantage. However, cyberwarfare can also involve attacks on critical infrastructure such as energy systems, financial networks, transportation, and communications.

Nation-states use cyberattacks to disrupt, destabilize, or gain a strategic advantage without deploying conventional troops. These attacks can bolster wartime operations and may also be leveraged covertly during peacetime (e.g., espionage).

Nation-states may also leverage cyber operations to raise funds. By carrying out financial cyberattacks, they can secure funding for traditional (kinetic) warfare. In other cases, cyberattacks are used to undermine democratic processes such as elections.

The global dependence on digital systems means that cybersecurity is central to national security and defense. A successful cyber campaign can cripple critical services, exert political pressure, cause sabotage, and disrupt the economy. It can also be used to undermine public trust through digital propaganda campaigns and the dissemination of disinformation.

Why is cyberwarfare dangerous?

Cyberwarfare is dangerous because of its asymmetric nature. Even aggressors with relatively limited funding can launch attacks that impose enormous costs on global superpowers. This asymmetry makes cyberwarfare a highly effective tool for destabilization.

Cyberwarfare creates a multi-layered threat with serious social consequences. Cyberattacks conducted by state-sponsored hacking groups can wreak havoc on civilian life, for instance by targeting critical infrastructure such as power grids, water treatment systems, financial networks, communications services, operational technology (OT), and even transportation systems.

Attacks on public infrastructure could lead to loss of life by disabling critical life-sustaining services. Cyber operations may target hospitals and other healthcare systems (often using ransomware), for example. NATO allies have warned that cyberattacks on critical infrastructure can be treated as acts of war.

Infrastructure attacks can also cause significant disruptions to global supply chains and the economy. This often undermines public confidence and safety more effectively than traditional battlefield tactics: hitting people where it hurts most, without the need for kinetic attacks.

Difficult attribution

Attackers can carry out cyberattacks covertly. This makes attribution difficult. As a result, parties engage in cyberwarfare while shielding themselves from blame, negative sentiment, and the reputational damage associated with traditional kinetic attacks.

Digital attacks can be launched from any distance without any visible buildup of forces. Covert cyber operations also create a risk of escalation between opposing countries, increasing the likelihood of traditional conflict, military intervention, and casualties of war.

Cybercrime as a funding mechanism

Cyberwarfare can also be used to generate revenue for traditional war. Researchers have previously accused government agencies of leveraging fraud schemes, cryptocurrency theft, ransomware, and the sale of illegally acquired data (on the dark web) to finance wartime campaigns.

Analysts often attribute these behaviors to Advanced Persistent Threat (APT) groups. APTs are state-sponsored hacking groups that engage in cyber operations, including espionage, theft, disinformation, and sabotage. Governments often use APT activity to increase plausible deniability.

For example, the United Nations and US authorities have linked the APT known as Lazarus Group to North Korea. Investigators believe the group carried out several high-profile hacks of cryptocurrency exchanges and concluded that the stolen funds helped to bolster state programs.

More recently, Western intelligence agencies have linked certain Russian ransomware groups to Russian security services, raising concerns about state-tolerated cybercrime ecosystems operating alongside geopolitical conflict.

Main types of cyberwarfare attacks

These are the main types of cyberattacks usually used in cyberwarfare operations:

DDoS attacks

Distributed denial-of-service (DDoS) attacks overwhelm websites, networks, or online services with massive volumes of traffic, causing outages that can disrupt government systems, media platforms, or financial services.

Botnets

Botnets are networks of compromised computers or devices controlled remotely by attackers and are often used to launch large-scale operations such as DDoS attacks, spam campaigns, or coordinated intrusion attempts.

Malware

Malware refers to malicious software designed to infiltrate systems, steal data, disrupt operations, or damage infrastructure. In cyberwarfare, malware may target government networks, military systems, or critical infrastructure. A dangerous category of malware used in cyber operations is a Remote Access Trojan (RAT), which allows attackers to remotely control infected systems and communicate with command-and-control (C2) servers. Once installed, a RAT can be used to deploy additional payloads such as keyloggers, spyware, ransomware, or other malicious tools.

Spyware

Spyware is malicious software designed to secretly monitor user activity and collect sensitive information such as communications, credentials, or location data. In cyberwarfare operations, spyware may be used to conduct long-term surveillance of government officials, journalists, diplomats, or military personnel.

Ransomware

Ransomware encrypts files or locks systems until a payment is made. While often associated with criminal activity, ransomware groups have sometimes been linked to state interests or used to generate revenue during geopolitical conflicts.

Disinformation and digital propaganda

Cyberwarfare may also involve manipulating information online through coordinated disinformation campaigns designed to influence public opinion, destabilize societies, or interfere with elections.

Phishing and social engineering

Phishing attacks trick users into revealing credentials or installing malware by impersonating trusted entities such as government agencies, companies, or colleagues. These attacks are frequently used as the initial access point for larger cyberwarfare campaigns.

Zero-day exploits

Zero-day exploits target previously unknown software vulnerabilities that have not yet been patched. Nation-state actors often use zero-day exploits to gain covert access to government networks, critical infrastructure, or military systems.

How is AI used to facilitate cyberwarfare?

Artificial intelligence can augment cyberwarfare operations by helping attackers automate reconnaissance, generate convincing phishing messages, and create deepfake media used in disinformation campaigns.

AI can also accelerate vulnerability discovery and enable large-scale social media manipulation through automated bot networks, making it easier to spread propaganda or false narratives quickly.

AI-assisted code generation may also increase the potential for exploit creation, lowering costs and increasing the availability of cyberwarfare tools and operations.

What are the financial implications of cyberwarfare?

Cyberwarfare has the potential to cause serious economic repercussions. According to the International Monetary Fund, cyber incidents have quadrupled since 2017, causing significant losses for victims. In its 2025 Global Financial Stability Report, the IMF warns that these trends pose serious financial stability risks.

Cyberattacks can defraud governments and taxpayers by directly stealing state and private funds. They can also cause broader destabilization of the global economy by targeting interconnected production, logistics, and financial systems.

Attacks on financial services

By attacking critical financial infrastructure, such as interbank payment systems like SWIFT, cyberwarfare can affect liquidity. Targeted attacks on banks, clearinghouses, and major stock exchanges could trigger significant market disruption.

A lack of trust in international clearinghouses, for example, could cause investors to move funds to safer assets, triggering sell-offs that amplify volatility. Real-world incidents highlight this risk. For example, the cyberattack on Change Healthcare temporarily froze a large share of US healthcare payments.

Global supply chain attacks

Cyberwarfare targeting global supply chains can create bottlenecks, leading to significant price hikes. For example, disabling major ports, critical supply-chain nodes, or shipping-tracking systems can cause supply shortages, leading to cascading financial losses.

Cascading financial effects are also a risk following infrastructure attacks. A cyberattack on an electrical power grid, for instance, could lead to the closure of factories, data centers, and communication networks. This stress can cascade into banks and insurers that must deal with claims and defaults.

Public confidence and digital trust

Economic harm caused by cyberwarfare often stems from a loss of trust in digital services. If consumers lose faith in digital systems like online banking, e-commerce, or digital contracts, it may lead to lower transaction volumes and slower financial activity. This stands to weaken confidence in fiat currencies and places additional stress on economies.

Preventing access to financial systems can stop citizens and military personnel from withdrawing funds or making payments. This can disrupt everyday economic activity.

It can also undermine public confidence in a government’s ability to protect its citizens, potentially causing more chaos than some kinetic battlefield attacks.

The risk of social destabilization has been explored in popular culture. The film Leave the World Behind, directed by Sam Esmail and executive-produced by Barack and Michelle Obama, portrayed how disruptions to digital infrastructure can quickly erode public trust and trigger social instability.

Impacts on the private sector

Cyberwarfare could also cause significant losses for the private sector. Besides the cascading effects of attacks on financial services or global supply chains, businesses can incur losses due to intellectual property theft.

Theft of valuable research and IP (including medical research, vaccine formulations, proprietary technologies, and military innovations) could allow aggressors to gain competitive or strategic economic advantages.

A notable example happened in 2017 when the NotPetya attack resulted in costs of nearly $1 billion for just three of the known victims.

The attack is believed to have affected tens of thousands of organizations across Ukraine, France, Germany, Italy, Poland, Russia, the United Kingdom, the United States, and Australia, including Maersk, FedEx/TNT, Merck, Rosneft, and several Ukrainian institutions.

Propaganda and disinformation

In some cases, cyberwarfare targets people’s opinions and beliefs by manipulating the spread of information online.

These digital disinformation campaigns allow governments to affect public opinion both at home and abroad. Disinformation is seeded using technologies such as bots to flood social media with propaganda.

The core objective of digital thought manipulation is to engage in psychological operations (PSYOPS) and propaganda. The internet makes it easy to rapidly spread false information that re-shapes people’s beliefs and actions, for example, at the polling booth during elections.

The rise of AI tools magnifies these risks by enabling cyberwarfare operatives to disseminate deepfake photographs and videos. These are used to create false narratives and deploy large numbers of bots to shape public opinion online.

When carried out successfully, misinformation campaigns help to fuel domestic unrest and social division, destabilizing a nation from within.

How is cyberwarfare defined legally?

No laws currently exist that establish an agreed-upon legal definition of cyberwarfare. Instead, cyber operations have to be classified based on existing rules of International Humanitarian Law (IHL).

IHL sets rules of conduct for hostilities during armed conflicts. These rules define what each side can and cannot do. They include restrictions on intentionally targeting civilians and protections for critical infrastructure such as hospitals. The rules also prohibit the use of weapons that inflict unnecessary human suffering.

When war moves into the digital domain, IHL still applies. However, these laws were originally written with kinetic warfare in mind (tanks, bombs, guns, land invasions, air attacks, etc.). This requires regulators to reinterpret existing rules through a digital lens.

Deciding how IHL applies to hacking, malware, and other digital operations can create grey areas. Below, you can see how IHL rules generally apply to cyber operations.

Attacks

Under IHL, an attack is generally understood as any act of violence against an enemy that causes death, injury, or physical damage.

Using this as the legal basis, it is possible to label cyber operations that target civilian infrastructure (such as a power grid) as attacks if the resulting power outages lead to hospital failures and deaths.

Another example is the use of a computer virus to take out a military target, such as a command system. If the virus later spirals into other systems, such as power grids, hospitals, or other civil services, this would constitute an attack under IHL.

If this were to happen, the aggressor would need to demonstrate that reasonable precautions were taken to limit civilian exposure. This ensures that attacks are undertaken within a limited scope. Failure to do so could cause authorities to deem an attack unlawful.

Implying that there was no intention to target civilians is not enough. Parties must demonstrate that they have implemented appropriate safeguards.

Grey areas

Other digital operations, such as data theft or the defacing of government websites, may not be considered attacks under IHL or the United Nations (UN) Charter, which includes limitations on the use of force (Article 2(4)) and the right of self-defense (Article 51).

Experts often disagree on what qualifies as a cyberwarfare attack. Some experts feel that cyberattacks aimed at financial services should be treated as an attack under IHL. This is because of the dire social and economic consequences they can cause.

The same applies to data theft or fraud that bolsters wartime operations. Others claim that a cyberwarfare attack should only be defined as actions that cause physical harm or damage.

Due to this lack of agreement, legislators are being urged to update the rules governing warfare to address the increasing use of cyber operations. This push argues that international law should evolve to better define the legal and illegal boundaries of cyberwarfare.

In the meantime, the Tallinn Manual serves as a useful guide on how international law may apply to cyberwarfare operations, including details on when an attack may be considered an unlawful use of force.

Cyber defense frameworks and strategies

With the threat of cyberwarfare at an all-time high, organizations and governments are investing heavily in cyber defense frameworks and resilience strategies designed to detect, prevent, and respond to hostile, state-sponsored digital operations.

How do governments prepare for and protect against cyberwarfare?

Governments around the world are increasingly creating and empowering agencies to deal with cyber threats. These organizations often collaborate to enhance cyber resilience and take proactive measures to prevent victimization.

In the United States, for example, US Cyber Command conducts and coordinates military cyber operations and supports the defense of DoD networks, working alongside agencies such as the FBI, CISA, and the NSA.

The Budapest Convention on Cybercrime and the United Nations Convention against Cybercrime aim to formalize cross-border information-sharing and response coordination to prevent cybercrime (potentially including acts of cyberwarfare).

It is also worth noting that the North Atlantic Treaty Organization (NATO) has declared that, in some cases, an act of cyberwarfare could reach the threshold for Article 5. In such a case, cyber operations aimed at one member country could be treated as an attack on all members (collective defense).

Below, I have included common methods that can help organizations to become more cyber resilient:

Hardening digital infrastructure

A crucial element in protecting against cyberattacks is to understand your environment. A reliable inventory of digital assets, software dependencies (via an SBOM), and cryptographic assets will highlight what your organization needs to protect. After all, you need to know what you have before you can work out how to protect it.

This type of inventory can help you understand the risks involved with each type of data and set priorities for protecting highly sensitive data using robust modern encryption standards. Company and user data should be protected both at rest and in transit to ensure it is safe against cyberwarfare attacks.

Many organizations use structured security frameworks, such as the NIST Cybersecurity Framework and NIST SP 800-53, to guide asset identification, risk management, and the implementation of security controls.

It is worth noting that, in the future, new regulations could emerge that require businesses to demonstrate post-quantum resilience. In this case, a cryptographic bill of materials (CBOM) may become necessary rather than just a recommendation.
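As an added example (not code from the article or from any vendor), here is how an inventory of this kind can be turned into protection priorities: the script reads a simplified CBOM-style JSON inventory (a constructed sample; the field names are assumptions, not the CycloneDX schema) and ranks components by deprecated algorithms, undersized keys, missing encryption, and quantum-vulnerable public-key schemes, weighting each finding by data sensitivity.

```python
"""Triage a simplified cryptographic bill of materials (CBOM).

Added example; the JSON layout below is constructed for illustration and
its field names are an assumption, not the CycloneDX CBOM schema.
"""
import json

# Constructed sample inventory (assumed field names, not a real schema).
SAMPLE_CBOM = """
{
  "components": [
    {"name": "customer-db", "data_sensitivity": "high", "state": "at-rest",
     "crypto": [{"algorithm": "AES", "key_bits": 256}]},
    {"name": "legacy-vpn", "data_sensitivity": "high", "state": "in-transit",
     "crypto": [{"algorithm": "RSA", "key_bits": 1024},
                {"algorithm": "3DES", "key_bits": 168}]},
    {"name": "public-site", "data_sensitivity": "low", "state": "in-transit",
     "crypto": [{"algorithm": "ECDH", "key_bits": 256},
                {"algorithm": "SHA-1", "key_bits": 0}]},
    {"name": "archive", "data_sensitivity": "high", "state": "at-rest",
     "crypto": []}
  ]
}
"""

# Primitives that are broken or deprecated today, quantum computers aside.
DEPRECATED = {"DES", "3DES", "RC4", "MD5", "SHA-1"}
# Minimum key sizes per NIST SP 800-57 (RSA/DH >= 2048 bits, ECC >= 224 bits).
MIN_KEY_BITS = {"RSA": 2048, "DH": 2048, "ECDH": 224, "ECDSA": 224}
# Public-key schemes broken by Shor's algorithm; ML-KEM (FIPS 203) and
# ML-DSA (FIPS 204) are the NIST-standardized post-quantum replacements.
QUANTUM_VULNERABLE = {"RSA", "DH", "ECDH", "ECDSA", "EdDSA"}
SEVERITY_RANK = {"critical": 3, "high": 2, "medium": 1}


def triage(cbom_json):
    """Return (severity, component, issue) tuples, most urgent first."""
    findings = []
    for comp in json.loads(cbom_json)["components"]:
        name = comp["name"]
        sensitive = comp["data_sensitivity"] == "high"
        # Sensitive data with nothing protecting it is the top priority.
        if not comp["crypto"] and sensitive:
            findings.append(("critical", name,
                             f"no encryption recorded for {comp['state']} data"))
        for asset in comp["crypto"]:
            alg, bits = asset["algorithm"], asset["key_bits"]
            if alg in DEPRECATED:
                findings.append(("critical" if sensitive else "high", name,
                                 f"{alg} is deprecated; replace it"))
            elif alg in MIN_KEY_BITS and bits < MIN_KEY_BITS[alg]:
                findings.append(("critical" if sensitive else "high", name,
                                 f"{alg}-{bits} is below the {MIN_KEY_BITS[alg]}-bit minimum"))
            if alg in QUANTUM_VULNERABLE:
                # Long-lived sensitive data can be captured now and decrypted
                # later, so sensitivity drives the migration priority.
                findings.append(("high" if sensitive else "medium", name,
                                 f"{alg} is not quantum-resistant; plan migration to ML-KEM/ML-DSA"))
    # Stable sort keeps inventory order within each severity level.
    return sorted(findings, key=lambda f: SEVERITY_RANK[f[0]], reverse=True)


def summarize(findings):
    """Count findings per severity so priorities can be reported at a glance."""
    counts = {"critical": 0, "high": 0, "medium": 0}
    for severity, _, _ in findings:
        counts[severity] += 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_CBOM)
    for severity, component, issue in results:
        print(f"[{severity:8}] {component}: {issue}")
    print(summarize(results))
```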

Layered defenses

The best way to harden digital infrastructure is to use a layered approach:

  • Zero Trust, often implemented through Zero Trust Network Access (ZTNA), is a security model that enforces the principle of "never trust, always verify." It limits access by requiring users to verify their identity when accessing different applications or network resources, and it monitors context and behavior to block users whose activity looks suspicious. This creates hierarchies of access and limits exposure by preventing lateral movement within a network during a cyberattack.
  • Endpoint protection is a proactive defense that helps prevent malware infections on individual devices. This can help prevent a payload from making its way deeper into your network. There are many types of endpoint protection, including antivirus, anti-malware, behavioral detection, device control, data encryption, and Endpoint Detection and Response (EDR) programs that monitor for signs of infection and contain attacks.
  • Data Loss Prevention (DLP) tools help to automate the process of tracking the flow of data to provide warnings or block actions that put sensitive data at risk of exfiltration.

Preparing and responding to cyberwarfare

In addition to understanding your environment and using the best tools to protect assets, it is vital to know how to respond to cyberattacks. Having a clear incident response plan, with clearly defined ownership of key assets and systems, is a great first step.

Organizations should actively monitor their systems for potential threats, track changes to understand how their environment’s needs may evolve, and ensure that they comply with any current or new data protection regulations.

Knowing how and when to coordinate with government agencies, and using wargames to simulate and prepare for attacks, can vastly improve preparedness.

Examples of cyberwarfare attacks

The attacks below are widely cited as examples of cyberwarfare:

  • Estonia DDoS attacks (2007): Distributed denial-of-service (DDoS) attacks disrupted Estonian government, media, and banking websites during a political dispute with Russia, widely cited as one of the first large-scale cyberwarfare incidents targeting a nation’s digital infrastructure.
  • Stuxnet attack on Iran (2010): The Stuxnet worm targeted industrial control systems at Iran’s Natanz nuclear facility and is widely considered the first cyberweapon known to cause physical damage to critical infrastructure.
  • Ukraine power grid cyberattack (2015): Attackers infiltrated Ukrainian energy networks and remotely shut down electrical substations, causing power outages and demonstrating how cyber operations can disrupt national infrastructure.
  • Viasat KA-SAT satellite attack (2022): A cyberattack on satellite communications infrastructure disrupted internet services across Ukraine and parts of Europe at the start of Russia’s invasion, highlighting the role of cyber operations in modern warfare.

Grey-area cyber operations

The incidents below fall into a grey area. Experts often describe them as cyber espionage or state-attributed cyber operations rather than clear acts of cyberwarfare. However, some experts argue that attacks of this scale should be considered part of modern cyber conflict.

Cyberwarfare FAQs

What is hybrid warfare?

Hybrid warfare refers to a strategy that blends conventional military force with non-traditional tactics such as cyberattacks, economic pressure, political influence campaigns, and disinformation. Instead of relying solely on troops and weapons, states use a coordinated mix of digital, informational, financial, and military tools to weaken an opponent. Hybrid warfare allows governments to destabilize rivals, influence elections, disrupt economies, and erode public trust without formally declaring war.

What is cyberterrorism?

Cyberterrorism is a term commonly used in media and policy discussions to describe politically or ideologically motivated cyberattacks carried out by non-state actors, such as extremist groups or activist movements. These attacks aim to cause disruption, fear, or economic damage by targeting digital systems or critical infrastructure.

While the term is commonly used in popular media, there is no single internationally agreed-upon legal definition of cyberterrorism. International law does not clearly specify which types of digital operations qualify as terrorist acts. Instead, the term is used as a broad label for non-state cyberattacks driven by ideological or political motives.

What is a surprise cyberattack in cyberwarfare?

A surprise cyberattack is a sudden, large-scale digital strike designed to catch governments or organizations off guard. These attacks may target multiple systems at once, such as communications networks, financial services, or critical infrastructure, in order to overwhelm defenses and cause disruption at a key moment in a broader conflict.