“Cyberspace espionage is nothing new,” JP Castellanos, Director of Threat Intelligence at Binary Defense and a former cyber operator at U.S. Central Command, tells The Cipher Brief. “However, this is the first time it has been publicly reported that a country such as Ukraine is taking the offensive. These recent operations yielded troves of classified information, from submarine schematics and crew rosters to aircraft design documents and staff records, suggesting that Kyiv is expanding the war into cyberspace to erode Moscow’s military advantage.”
Latest: Submarine Secrets and the Erosion of Strategic Sanctuaries
The most consequential public instance of this trend came in early August, when Ukraine’s military intelligence agency (HUR) published documents it says were extracted from Russian naval systems tied to the newly commissioned Project 955A submarine Knyaz Pozharsky.
According to reporting based on HUR’s release, the cache included technical diagrams, crew manifests, and operational procedures — material that, if authentic, could diminish the survivability and operational security of a platform that sits at the apex of Moscow’s sea-based nuclear deterrent. If genuine, the leak not only undermines the Kremlin’s confidence in the operational security of its strategic assets, but it also demonstrates Kyiv’s intent to target the symbolism and substance of Russia’s nuclear posture.
But Emily Otto, an Alperovitch Fellow at the Johns Hopkins School of Advanced International Studies, warns that some of the press coverage of what HUR was able to directly access may be exaggerated.
“It’s highly unlikely the Ukrainians reached directly into a submarine’s network,” she said. “Far more plausible is that the data originated from external systems, such as contractors, shipbuilders, or onshore networks tied to deployments and crew management. To penetrate hardened systems, hackers often pivot through softer targets in the supply chain or exploit individuals with legitimate access through social engineering techniques.”
The distinction matters, but the national security implications are clear. Cyber operations that expose nuclear-capable platforms create new friction points in deterrence dynamics. States base much of their escalation calculus on the opacity of their most lethal systems. When that cloak is torn open in cyberspace, adversaries — and allied planners — gain a clearer sightline into vulnerabilities and potential avenues for non-kinetic exploitation. That kind of de-mystification can alter decision-making timelines in crisis scenarios and complicate strategic signaling that historically relied on uncertainty.
Disrupt, Denude, Broadcast: The Multi-Pronged Ukrainian Approach
Ukraine’s cyber campaign is not monolithic. It consists of several layers of actors: formal intelligence operations, state-aligned volunteer groups known as the “IT Army,” and independent hackers targeting media and communications systems.
The IT Army has been a central feature of Ukraine’s approach since 2022. It has drawn in civilians, ethical hackers, and members of the diaspora to carry out distributed denial-of-service (DDoS) attacks, data leaks, and influence operations. This open, crowdsourced model has expanded Ukraine’s list of targets and made attribution more challenging for Moscow.
Alongside these volunteers, trained operators from Ukraine’s military intelligence agency have executed precise intrusions against Russia’s defense industry and logistics hubs. These operations have included breaches of companies tied to strategic bombers and drone supply chains. Rather than simply disrupting activity, they are designed to collect valuable information — blueprints, procurement networks, maintenance records — that can help Ukraine, NATO planners, and defense analysts protect allied systems and identify weak points in Russian resupply lines.
Another element has been politically symbolic “cyber partisan” operations, in which actors hijack Russian TV or radio broadcasts to show images of battlefield casualties and other content that state media normally censors. The goal is to puncture the Kremlin’s information monopoly and raise the domestic political costs of sustaining the war.
Castellanos notes that the reliance on volunteers is not unique to Ukraine.
“The U.S. Marine Corps has a Cyber Auxiliary, a volunteer organization aimed at increasing cyberspace readiness,” he explains. “U.S. policymakers might consider, under appropriate legal frameworks, expanding this concept to find ways for skilled civilians to aid national cyber defense or intelligence in wartime. Clear guidelines would be needed, since Western governments have generally discouraged freelance hacking due to legal risks and escalation concerns.”
Why This Matters for U.S. and NATO Planners
Ukraine’s cyber operations carry implications well beyond the battlefield. First, they generate intelligence Western services might not otherwise obtain. Breached documents and leaked technical data provide insights into Russian systems, from undersea platforms to air defenses, that sharpen NATO’s planning. The recent Knyaz Pozharsky disclosures are just one example.
Second, these operations can alter the pace of conflict. By exposing vulnerabilities in strategic systems, they shorten the period in which adversaries can operate in secrecy. That often forces Moscow to adjust its deployments or harden its defenses more quickly — moves that can, in turn, expose new weak points.
However, compressed timelines also carry risks.
“These operations do raise the risk of Russian retaliation,” Castellanos warns. “Western officials have been vigilant since the war’s outset, with CISA even activating a ‘Shields Up’ posture to brace for possible attacks. Moscow has stated that it views major hacks on its systems as part of the broader conflict. But so far, the expected all-out Russian cyber onslaught has not materialized. The best approach for the U.S. and NATO is to continue strengthening cyber defenses and clearly signaling deterrence, including through Article 5.”
Otto is somewhat more sanguine.
“Cyber operations don’t spark the same visceral reaction as bombs or missiles, so they rarely drive escalation upward in intensity or sideways into new domains,” she explains. “This hack-and-leak operation looks aimed at embarrassing Russia, not provoking it, and Moscow is already fully committed to its war aims. At most, it might spark some retaliatory hacking, but that’s unlikely to shift the trajectory of the wider conflict.”
Limits and Risks: Fragility of Attribution and the Mirror of Counter-Escalation
Ukraine’s cyber tactics are not without hazards. Crowdsourced operations can be imprecise, raising the risk of hitting civilian infrastructure and undermining international support. They also increase the possibility of Russian retaliation against allied networks, critical infrastructure, or global systems, such as shipping and undersea cables — escalations with broader security consequences.
Another concern is exposure. Each operation risks revealing tools and techniques that adversaries can study and therefore adapt. Cyber advantage is inherently temporary: gains depend on how quickly each side can exploit discoveries before the other closes the gap.
Otto underscores that cyber power should not be overstated.
“Russia’s cyberattacks were meant to break Ukraine, but they ended up strengthening it. Each wave of attacks forced Ukraine to harden its defenses, deepen partnerships with the West, and build resilience — so Russia now gets less and less payoff,” she says. “But cyberspace is not where wars are won: you can disrupt systems online, but you can’t take and hold land.”
Forward Posture: How Allies Should Respond
For U.S. and NATO planners, Ukraine’s cyber operations create both opportunities and responsibilities. Intelligence should be shared quickly, say experts, but with rigorous forensics to manage risks and track collateral effects. Priorities include strengthening critical systems, such as undersea cables, satellites, and industrial networks, as well as developing cyber tools that can convert intelligence into precise effects when needed.
The growing role of volunteer actors also requires updated rules — clearer engagement standards, coordination mechanisms, and oversight when leaks involve strategic assets.
Finally, cyber-derived data should be integrated into traditional defense planning, from anti-submarine warfare to electronic warfare and force deployment, where it can shape outcomes without direct kinetic action.
Looking beyond the war in Ukraine, Castellanos sees permanence.
“It’s clear that cyber operations are the new normal,” he says. “Governments should prepare by investing heavily in both capabilities and resilience. On the defensive side, this means hardening critical infrastructure, conducting regular cyber drills, and cultivating public–private partnerships, as much of the vulnerable infrastructure, such as power grids, telecommunications, and finance, is privately owned. Additionally, the international community needs to work toward norms and agreements on cyber warfare.”
A Future of Persistent Cyber Contest
Ukraine’s cyber campaign demonstrates how a smaller state can turn decentralized technical talent into a strategic advantage, using stolen data not only for disruption but for intelligence and influence. The implications extend far beyond Kyiv and Moscow: any country that depends on secrecy to protect key systems is vulnerable.
Cyber operations are not a substitute for tanks or artillery. But as Ukraine shows, they can tilt the balance of intelligence, shape the tempo of conflict, and erode an adversary’s confidence in its most sacred capabilities.
“Cyber is on equal footing with air, land, sea, and space, but it plays by different physics,” Otto added. “It rewards persistence over battles, code over platforms, and teams that fuse operators, intel, and developers. Governments should organize to that logic. In the U.S., this means reorganizing for a dedicated Cyber Force that aligns resources, processes, and values to continuous competition, rather than relying on force generation organizations built for episodic conflict.”
For the U.S. and NATO, the lesson is clear: cyberspace is not just a tool for disruption but a permanent source of intelligence and competition. The task ahead is to harness that intelligence responsibly, reinforce exposed allied systems, and adapt to a future where stolen secrets can spread faster than they can be contained.