Russia’s full-scale invasion of Ukraine in 2022 marked a new era of hybrid warfare, with cyber operations and proxy actors playing a persistent strategic role. This paper examines how – and how effectively – the international community can hold those actors accountable.
On 24 February 2022, hours before Russian tanks crossed into Ukraine, a cyberattack disabled tens of thousands of satellite modems across Ukraine and parts of Europe. The Viasat incident disrupted Ukrainian military command-and-control systems at a critical moment, signalling that Russia’s invasion would unfold not just on the ground but in cyberspace. Over the following weeks and months, many of the subsequent cyber operations, often linked to a mixture of Russian state agencies and cyber proxies, deployed wiper malware against Ukrainian government networks, launched distributed denial-of-service (DDoS) attacks against critical infrastructure, and flooded social media with disinformation. For many observers, these events appeared to validate predictions that cyber would become a decisive dimension of the conflict, potentially crippling Ukraine’s ability to defend itself and generating spillover impacts on Western states supporting its defence.
A critical but often under-analysed dimension of Russia’s cyber campaign has been its extensive use of proxies. This paper uses the term ‘cyber proxy’ to encompass a wide variety of actors – from units formally tasked by state intelligence services, through criminal groups operating with state tolerance, to commercial enterprises – whose relationships with the Russian state vary considerably in nature and degree, with significant implications for how accountability mechanisms are designed and applied.
At one end of the spectrum sit non-state actors commissioned by ‘advanced persistent threats’ (APTs) such as Russia’s intelligence services (see Table 1); APT-commissioned proxies retain partial operational autonomy but execute tasks aligned with state objectives. At the other end are commercial enablers: private companies and contractors that willingly provide infrastructure and services to malicious actors, motivated by profit or ideological alignment. These include so-called ‘bulletproof hosting’ providers, virtual private network (VPN) services offering anonymity, IT contractors developing custom tools, and cryptocurrency services facilitating money laundering.
Between these poles sits a diverse middle ground: ransomware collectives such as Conti, hacktivist groups like Killnet (both active in the conflict’s early phase before fragmenting into affiliated networks and successor brands), criminal networks, contractors and semi-autonomous groups. Many of these actors, while not openly directed by the Russian state, have operated with varying degrees of tacit approval or ideological alignment; some have acted entirely independently, motivated by financial gain or political sympathy. Given this diversity, the relationships between cyber proxies and the Russian state often resist easy categorization.
Across this spectrum of relationships and actor types, the use of proxies expands Russia’s cyber reach, provides plausible deniability for perpetrators and the political leadership, makes attribution of cyberattacks and other hostile operations difficult, and helps insulate both the Russian state and individual actors from sanctions – even where, as with APT-commissioned proxies, the state remains the principal actor behind the operation.
Why Russian cyber operations have not achieved strategic effects
Four years into the war, Ukraine still functions. Its government operates, its military communicates and its infrastructure – while repeatedly targeted and damaged – continues to provide essential services, often under emergency conditions. Russian cyber operations have been relentless and damaging, imposing real costs on Ukrainian society and military operations. But Russian cyber activity has not achieved the strategic effects Moscow appears to have anticipated.
Several factors explain this. First, Ukraine has substantially improved its cyber defences since 2014, building on lessons from repeated Russian attacks. Investments in resilient networks, distributed infrastructure, cloud-based services and institutionalized incident response have significantly reduced the impact of many Russian operations, forming a strong domestic foundation for cyber resilience.
Second, Western support during the war has significantly enhanced Ukraine’s ability to detect, mitigate and recover from cyberattacks, often far more quickly than Russia has anticipated. Such support includes: cyber assistance from the US, Canada, the UK, Estonia and others; coordinated civilian cyber capacity-building through the Tallinn Mechanism; extensive public–private defensive operations; and private sector threat intelligence and initiatives, such as the Cyber Defense Assistance Collaborative (CDAC). Finally, Russia’s own operational assumptions have shifted as the war has endured far beyond Moscow’s initial expectations of a swift victory.
As the conflict has evolved into a protracted war of attrition, Russian cyber activity has changed tack. It has increasingly sought to deliver direct battlefield advantages. Intelligence collection, signals monitoring and real-time targeting support have become priorities. Operations have included compromises of mobile devices used by Ukrainian military personnel, exploitation of encrypted communications platforms, and deployment of malware designed to support operational intelligence and tactical coordination. At the same time, Russia has retained – and occasionally employed – the capability to conduct large-scale attacks against critical national infrastructure, whether through sustained missile and drone strikes on Ukraine’s electricity network or through cyberattacks such as the 2023 incident that temporarily disabled Kyivstar, Ukraine’s largest telecommunications provider.
Parallel to these technical operations, Moscow has pursued extensive cyber-enabled influence campaigns, deploying coordinated networks of inauthentic accounts, botnets and fabricated content across social and other digital platforms to spread pro-Russian narratives, undermine Ukrainian morale and weaken Western political support for Kyiv’s defence. These information operations are tailored to distract, divide and destabilize both Ukrainian and wider international audiences, and have been particularly effective at exploiting rapidly shifting perspectives among traditionally allied Western nations. Russian operations have flooded European websites and social media with untrusted content and have made it difficult for citizens to identify authentic sources of information. This dual approach – blending technical cyber operations with influence activities – showcases how Moscow continues to view cyber as a strategic lever that can be applied selectively for tactical, coercive and cognitive effects.
Taken together, these dynamics illustrate a complex reality: Russian cyber operations in Ukraine have been neither the war-defining force some anticipated, nor the strategic irrelevance others dismissed. Rather, they reflect a persistent, adaptive – if sometimes uncoordinated – effort to integrate cyber capabilities with conventional warfare, underpinned both by state units and by proxies.
This paper builds on this analysis to examine Russia’s broader cyber approach in Ukraine from 2022 to 2024, with a particular focus on the structure, behaviour and strategic function of what can be termed Russia’s cyber proxy ‘ecosystem’. A central concern is the question of accountability: how can states meaningfully respond to offensive and malicious cyber operations conducted through proxies that operate in the grey space between state direction, tolerated activity and opportunistic alignment?
Existing responses from Ukraine and its allies to Russian cyber proxies have achieved measurable tactical gains within the particular domains involved. Criminal indictments have named alleged perpetrators and have documented activities, coordinated sanctions have imposed costs on individuals and entities, technical attribution has publicly exposed operations, and disruptions such as the takedown of the LockBit ransomware group (via Operation Cronos) have temporarily degraded prominent threat actors.
However, these measures have not translated into strategic-level success in degrading the proxy ecosystem as a whole. Recent coordinated counter-proxy operations – including Cronos, Endgame and NoName – have achieved measurable tactical impact, with some evidence suggesting significant reductions in ransomware activity following enforcement actions targeting the infrastructure and financial networks on which proxies depend. Yet these gains remain vulnerable to the remarkable ability of many cyber proxies to reconstitute themselves and adapt even after initially successful action against them: indictments and sanctions have only partially constrained threat actors’ operations over time, as such actors have often migrated to successor groups or pivoted to alternative methods (such as identity theft and data extortion). Even when specific organizations have been dismantled, the underlying enabling ecosystem of infrastructure providers, cryptocurrency exchanges, technical supply chains and so on has largely persisted. The challenge is not that individual operations fail, but that tactical successes have not yet compounded into systemic degradation of proxies’ capabilities.
This fragmentation reflects institutional realities: different Ukrainian and Western intelligence and anti-cybercrime agencies operate under different mandates and legal frameworks both within and across jurisdictions, and Ukraine’s international partners have divergent capabilities and approaches. Such separation creates exploitable gaps that adversaries systematically leverage.
The central argument of this paper is that tactical successes cannot substitute for strategic coherence in holding cyber proxies accountable. While different tools and domains require specialized approaches, each response mechanism must contribute to a unified strategic purpose rather than function in isolation. Achieving accountability demands alignment across attribution, legal, diplomatic and economic tools through sustained international coordination. By analysing how Russia employs proxies across different dimensions – and how Ukraine, its partners and the wider international community have responded – this paper aims to inform the development of more coherent strategies for countering state-aligned cyber proxies not only in the current Russia–Ukraine war but also in future conflicts, where proxies are expected to remain prominent and play a destabilizing role.
Methodology
This paper is carefully confined in scope in order to allow in-depth focus on a particular context involving Russian proxies.
Firstly, our analysis centres on the 2022–24 period in the war on Ukraine. This time frame corresponds with the large-scale escalation of Russian hostilities against Ukraine and the intensification of associated cyber proxy operations. Although cyber activity linked to the conflict extends at least back to 2014, when Russia annexed Crimea and occupied parts of eastern Ukraine, we treat this earlier phase of conflict as contextual background that sheds light on the emergence and evolution of proxy relationships, tactics and capabilities.
The selected time frame therefore represents a concentrated phase of activity in which Russian cyber operations became more visible, diversified and operationally integrated with conventional military campaigns. Focusing on 2022–24 enables an analytical approach that covers a period of high operational tempo, abundant open-source visibility, and extensive public attribution by both governmental and private sector actors. Earlier incidents such as the NotPetya attacks (2017) and the 2015–16 intrusions against Ukraine’s power grid demonstrate the long-standing role of Russian cyber operations in Ukraine, but the escalation beginning in February 2022 marked a qualitative and quantitative shift in the frequency, coordination and strategic purpose of such activity.
Although the conflict and associated cyber operations have of course continued beyond 2024, attaching an end date to the period of activity principally covered in this paper also provides a pragmatic boundary for our analysis, ensuring depth over breadth while leaving scope for subsequent longitudinal comparison. Notwithstanding this point, the paper also draws, where relevant, on developments from 2025 and early 2026 – including significant prosecutions, sanctions designations and institutional developments.
Secondly, this paper focuses primarily on cyber proxies operating in support of Russia, reflecting the position of Russia as the aggressor state in the ongoing armed conflict, as recognized by the United Nations General Assembly. Concentrating on Russian-linked proxies allows for a coherent analytical lens on questions of accountability, state responsibility and the integration of cyber capabilities within an offensive war strategy.
At the same time, many states other than Russia increasingly work with non-state actors for cyber defence in conflict situations, though the nature and implications of these relationships differ significantly from the malicious proxy activities examined in this paper. Commercial entities such as Microsoft and Starlink have provided defensive resources and capabilities for Ukraine, while volunteer organizations like the IT Army of Ukraine and various hacktivist groups have conducted operations in support of Ukraine’s defence.
These actors – which range from major corporations to decentralized volunteer networks – illustrate the complex interplay between state, corporate and grassroots actors in modern conflict. Although these cases are not examined in depth, the paper acknowledges that such participation raises important questions, particularly regarding the boundaries between defensive and offensive action and the consequences – including under international humanitarian law (IHL) – of increasing civilian and corporate involvement in hostilities.
Thirdly, this paper builds on the operational picture to examine an increasingly urgent policy question: how to hold cyber proxies conducting malicious operations accountable in a conflict environment where responsibility is intentionally blurred. Existing scholarship highlights substantial barriers to accountability – these include opaque state–proxy relationships, inconsistent public attribution of cyber operations to specific state or non-state actors, and the difficulties of establishing legally meaningful links between states and non-state actors. The barriers are compounded by the structural fragmentation of response mechanisms. Different states employ different attribution standards; sanctions regimes often operate independently from criminal prosecutions; and technical evidence produced by private firms has historically translated inconsistently into coordinated policy action, although this is gradually improving. Diplomatic responses can also proceed on separate tracks from operational disruption efforts.
This fragmentation is not merely an administrative inconvenience; it fundamentally limits the ability of states and international partners to deter or constrain malicious cyber actors, thus leaving exploitable gaps that adversaries systematically leverage. Addressing these challenges, we argue, requires a multidimensional framework capable of reflecting both the operational complexity of proxy activity and the spectrum of tools available to states.
Accordingly, this paper frames accountability as consisting of two dimensions: ‘disruption’ and ‘cost imposition’. In the cyber proxy context, we argue, accountability is achieved by deploying these mutually reinforcing sets of instruments in service of a single strategic objective, ‘deterrence’:
- Disruption: this term refers to operational measures designed to degrade proxy capabilities in real time and limit the ability of proxies to conduct ongoing or imminent attacks.
- Cost imposition: this refers to legal, financial and reputational measures that increase the cost of hostile activity and constrain cyber proxies’ future operations.
To be effective, deterrence must establish predictable consequences and behavioural expectations. When disruption and cost-imposing measures are credibly applied and communicated, these consequences and expectations shape adversaries’ decision-making and influence their calculus around future operations.
Critically, disruption and cost imposition must function as integrated components of a strategically coherent response rather than as parallel, uncoordinated tracks. Strategic coherence means that disruption and cost imposition are aligned across criminal, diplomatic and operational contexts – and that both consistently serve the overarching objective of deterrence. Achieving this integration in policy and operational practice is essential for developing effective responses to state-aligned cyber proxies, both in the Ukrainian conflict and in potential future theatres where such actors will almost certainly play a significant role.
The rest of this paper is structured as follows. Chapter 2 maps Russia’s cyber proxy ecosystem, outlining definitional approaches, our analytical framework and the impact of proxies’ activities. Chapter 3 assesses the effectiveness of international legal and policy frameworks, including the Framework for Responsible State Behaviour in Cyberspace, for addressing proxy activity. This chapter analyses, in particular, the various rules of international law relevant to the activities of proxies. Chapter 4 evaluates the disruption and cost imposition measures and tactics that have been employed by Ukraine and its allies, and assesses the impact these have had on deterring hostile Russian cyber operations. Chapter 5 presents policy recommendations organized around the imperative of building strategic coherence, and advocates a three-tiered response hierarchy comprising what we term ‘core levers’, ‘amplifiers’ and long-term ‘enablers’; it is followed by a brief concluding chapter.
This research was informed by a combination of literature review; semi-structured interviews with legal, cyber and Russia experts; and an expert roundtable, held at Chatham House in November 2025, that focused on the different potential pathways for holding cyber proxies accountable. Insights from these sources have guided our analytical framework, validated our operational and legal observations, and helped shape the dual approach to accountability (disruption and cost imposition) outlined in this paper.