The Weak Link

Offensive cyber operations are shaping the battlefield without crossing borders

Antara Jha


In the evolving landscape of international conflict, cyber operations have emerged as powerful instruments that states wield long before and sometimes without ever crossing traditional borders with tanks or troops. Far from being abstract digital nuisances, these operations can disable critical infrastructure, shape adversary decision-making, and fundamentally redefine the notions of escalation, coercion, and deterrence. They are integral to modern hybrid warfare strategies, offering a spectrum of effects ranging from subtle espionage and disruption to near-physical damage to essential systems.



The focus of this article is to explore how cyber operations are strategically sequenced to prepare battlefields, weaken adversaries, and influence the trajectory of conflicts without kinetic violence; to examine real world examples of cyber escalation and de-escalation; and to reflect on lessons that rising powers like India must assimilate to protect national infrastructure. All assertions here are grounded in verified research and documented incidents.


Strategic Logic of Digital Preparation

Military strategists have long understood that successful invasions require meticulous preparation of the operational environment. Historically, this preparation involved reconnaissance flights, sabotage operations, and propaganda campaigns aimed at weakening an adversary before the first shot was fired. Cyber operations have revolutionised this concept, allowing states to conduct extensive preparations that would have been impossible or prohibitively risky in previous eras. The fundamental advantage lies in the ability to position capabilities within an adversary’s most critical systems years before any contemplated military action, creating what intelligence professionals call “pre-positioned access.”

The strategic sequencing of cyber-attacks against communications infrastructure, electrical grids, and logistics networks follows a carefully orchestrated timeline that maximises disruption while minimising the defender’s ability to respond effectively. Unlike conventional military preparations that involve visible troop movements, equipment positioning, and logistical buildup that intelligence agencies can detect and analyse, cyber preparations occur silently within the digital architecture of the target nation. This invisibility provides attackers with the element of surprise even when the broader geopolitical tensions suggest conflict may be imminent.

When hostilities appear inevitable, the activation of pre-positioned cyber capabilities can create cascading failures across multiple infrastructure sectors simultaneously. A successful attack on electricity distribution systems does not merely leave cities in darkness; it triggers a domino effect that cripples water treatment facilities unable to power their pumps and filtration systems, disables hospital ventilators and medical equipment, halts the refrigeration systems storing medicines and blood supplies, paralyses transportation networks dependent on electric railways and traffic management systems, and crashes financial networks unable to process transactions or maintain trading systems. This interconnectedness, while creating tremendous efficiencies during peacetime, becomes a profound vulnerability during conflict.


Digital Preludes to Kinetic War

In traditional paradigms of war, forces mobilise physically, amassing personnel, equipment, and firepower. In the 21st century, that mobilisation increasingly has a digital precursor. Sophisticated cyber operations often precede or accompany conventional military actions with the aim to blind, confuse, or degrade an adversary’s ability to respond effectively. Rather than simply stealing data, modern cyber tools can sever communications, disrupt power grids, and fracture logistical networks that armies depend on.

A stark example occurred in the days surrounding Russia’s full-scale invasion of Ukraine in February 2022. In the early hours of February 24, Russian cyber units launched a damaging attack on the Viasat KA-SAT satellite internet network using the AcidRain wiper malware, disabling tens of thousands of satellite communications terminals used by Ukrainian forces. This cyberattack coincided with the conventional invasion, directly degrading Ukraine’s ability to command and control forces just as the physical assault began.

Earlier Russian campaigns also illustrate this synergy: the 2015 Ukrainian power grid hack by the state-linked Sandworm group disrupted electricity to hundreds of thousands of consumers, revealing how pre-positioned malicious access and command-and-control software can bring down physical infrastructure.

These incidents demonstrate a crucial characteristic of modern cyber operations: they are not random or opportunistic but sequenced intentionally. Disabling communications can precede kinetic manoeuvres; disabling energy and water systems can induce confusion and societal strain that erodes resistance before ground or air operations begin.


Disrupting Interconnected Systems

In highly digitised societies, critical infrastructure sectors are tightly interconnected. Power grids support water treatment, healthcare, transportation, and financial networks; communications technologies support emergency responses and civilian coordination. This interconnectedness is precisely what makes modern states vulnerable to cascading disruptions from a single point of failure.

The 2015 Ukraine power grid attack exemplified this. Once BlackEnergy malware compromised utility networks, it allowed attackers to remotely open substations, disable supervisory control systems, and trigger denial-of-service conditions that left essential services momentarily offline. At the same time, attackers targeted call centres, preventing consumers from accessing reliable outage information.

The systemic consequences of similar operations were underscored by the NotPetya campaign in 2017, where destructive malware aimed at Ukrainian financial and state infrastructures spread globally, crashing systems across transport, logistics, and manufacturing sectors and resulting in billions of dollars in economic loss. Such dynamics illustrate how digital attacks, even when not intended as purely military tools, can ripple outward, disrupting society and compressing the adversary’s capacity to resist.

Intriguingly, modern threats extend beyond electricity. In 2024, Danish authorities attributed cyber-attacks on a waterworks facility to actors linked with Russian operations, temporarily leaving homes without water and highlighting how digital intrusion into industrial control systems can have tangible effects on basic services.


Threat Within Critical Systems

Perhaps the most concerning aspect of modern cyber warfare is the practice of planting dormant malware within critical infrastructure during peacetime, creating digital time bombs that can be activated when geopolitical circumstances shift toward confrontation. Unlike traditional military capabilities that must be moved into position during a crisis, these cyber capabilities already reside within the target systems, waiting patiently for the command to execute their destructive payloads.

Evidence of this practice emerged most dramatically through the discovery of sophisticated malware designed not for immediate exploitation but for long-term persistence. Security researchers have documented cases where attackers maintained covert access to industrial control systems, utility management platforms, and government networks for years without taking any overtly hostile action. The malware itself demonstrates remarkable sophistication in its ability to remain undetected while maintaining communication channels with its operators, updating itself to evade new security measures, and mapping the precise architecture of the systems it inhabits.

The strategic calculus behind pre-positioning malware reflects a patient, long-term approach to conflict preparation. Adversaries invest substantial resources in gaining initial access, establishing persistence mechanisms, and mapping critical infrastructure not for immediate payoff but as preparation for potential future conflicts. This approach transforms peacetime cyber espionage into pre-positioning for potential wartime operations, creating legal and diplomatic ambiguities about when exactly hostile acts have occurred.


Espionage and Malware Dormancy

One of the most concerning aspects of state cyber operations lies in their stealth and patience. Evidence from past campaigns shows that attackers frequently infiltrate networks and implant dormant malware long before hostilities begin. These latent footholds can then be activated during crises to maximise impact.

Stuxnet, the most emblematic example of this phenomenon, was a covert joint US-Israeli cyberweapon that infiltrated Iran’s nuclear enrichment facilities, compromising programmable logic controllers to spin down centrifuges and physically degrade equipment, all the while displaying seemingly normal operations to Iranian engineers. This operation demonstrated how malware could bridge the virtual–physical divide to achieve strategic ends without open conflict.

State actors also use persistent access to gather intelligence and to embed themselves in systems governing energy, transportation, or finance, ready to disrupt at a moment of their choosing. This capability to lie in wait blurs peacetime and wartime boundaries, forcing defenders to treat every day as part of a continuous struggle for digital dominion.


Avoiding Thresholds of Armed Response

A defining strategic characteristic of cyber operations is that they can be calibrated to escalate just enough to yield advantage without crossing the traditional thresholds that trigger military alliances or collective defence obligations. For example, a crippling cyber-attack that doesn’t cause direct physical casualties may fall below the criteria that would justify invocation of collective defence treaties, yet still appreciably weaken an opponent’s military readiness.

Iran’s cyber engagements, while often opaque, illustrate this. Analysts warn that Tehran’s cyber forces can deliver psychological and long-term damage, such as disruptive denial-of-service attacks or intrusion into control systems, but are likely to avoid actions that would directly provoke overwhelming kinetic retaliation from the US. This calibrated approach allows states to signal intent, impose costs, and disrupt systems without igniting full-blown war.


Cyber Escalation and De-Escalation in Context

In the Russia-Ukraine conflict, the scale and tempo of cyber operations have waxed and waned in response to battlefield dynamics and diplomatic engagement. Both sides have launched attacks against the other’s digital infrastructure, and non-state proxy groups amplify these effects. Ukraine, for instance, has undertaken offensive operations against Russian governmental and financial systems, erasing data and communications capabilities of certain agencies, demonstrating that cyber operations can be tools of retaliation and deterrence as well as offence.

Such dynamics feed into broader strategic signalling. Demonstrable cyber capabilities can communicate resolve and deterrence to adversaries without kinetic engagements, but they can also escalate tensions if misinterpreted. International wargame research suggests that cyber options can both moderate and intensify crisis decision-making, depending on actors’ perceptions and thresholds for response.


Strategic Degradation

One of the most sophisticated aspects of cyber operations as pre-invasion tools involves calibrating attacks to achieve meaningful military advantages while remaining below the threshold that would trigger collective defence obligations under international treaties. This calculation reflects a deep understanding of both technical capabilities and international legal frameworks governing the use of force and collective security arrangements.

Attackers can degrade critical infrastructure sufficiently to complicate military mobilisation, disrupt logistics coordination, and create civilian chaos without necessarily causing the level of destruction or casualties that would clearly constitute an armed attack under international law. A cyber operation that temporarily disables communications networks creates operational challenges for defenders attempting to coordinate military responses, but it may not trigger the same alliance obligations as a missile strike on those same facilities. Similarly, attacks that slow rather than completely halt logistics systems, or that create temporary rather than permanent disruptions to critical services, achieve military objectives while maintaining plausible deniability about the severity and intent of the operations.

This grey zone exploitation represents a calculated strategy to maximise operational advantages while minimising international responses. By operating below thresholds for collective defence while above thresholds for effective deterrence, attackers can shape the battlefield in their favour before conventional military operations commence. The challenge for defenders lies in responding to attacks that are clearly hostile and strategically significant yet remain ambiguous enough to prevent consensus on appropriate responses among alliance partners.


The Russia-Ukraine Digital Battlefield

The ongoing conflict between Russia and Ukraine provides the most comprehensive real-world case study of cyber operations as pre-invasion tools and the integration of digital attacks with conventional military operations. The pattern of cyber operations against Ukrainian critical infrastructure began years before the full-scale invasion of February 2022, establishing a clear template for how modern adversaries prepare the digital battlefield.

In December 2015, Ukrainian power grid operators watched helplessly as their systems responded to commands they had not issued, systematically opening circuit breakers across the Ivano-Frankivsk region and plunging 230,000 residents into darkness. The BlackEnergy malware that enabled this attack had been present in Ukrainian networks for months, quietly mapping the industrial control systems and establishing the access necessary for the coordinated assault. Security researchers analysing the attack found that the attackers had studied the specific configurations of Ukrainian power systems, understood the interdependencies between different grid components, and timed their attack to maximise disruption and minimise rapid recovery.

The sophistication escalated with the December 2016 attack using Industroyer malware, which security experts consider one of the most dangerous pieces of infrastructure-targeting code ever deployed. Unlike BlackEnergy, which required continuous human interaction to execute its attack, Industroyer could directly control electrical substations and circuit breakers through automated protocols. This represented a significant evolution toward autonomous infrastructure attacks that could operate even if defenders severed attacker communications.

In the weeks preceding the February 2022 invasion, Ukrainian organisations experienced a dramatic surge in cyber operations targeting government agencies, financial institutions, and telecommunications providers. Distributed denial-of-service attacks overwhelmed government websites, wiping malware destroyed data on computers across multiple organisations, and penetrations of telecommunications networks threatened the ability to coordinate defensive military operations. These operations served clear military purposes by disrupting communications, creating uncertainty about government continuity, and complicating the mobilisation of reserve forces.

The sophistication of the pre-positioning became evident when researchers discovered that some malware used in these attacks had been planted months earlier, waiting dormant until activated as part of the broader military campaign. The timing coordination between cyber operations and kinetic military strikes demonstrated operational integration that military strategists had long theorised but rarely observed in practice. Artillery strikes followed shortly after cyber-attacks disabled specific command posts, suggesting real-time intelligence sharing between cyber operators and conventional military units.


The Armenia-Azerbaijan Digital Dimension

The 2020 conflict over Nagorno-Karabakh illustrated how cyber operations integrate into modern conventional warfare even between smaller regional powers with more limited cyber capabilities. While less sophisticated than Russian operations against Ukraine, the digital component of this conflict revealed important patterns about how cyber operations support military objectives during active hostilities.

Azerbaijani cyber operations focused heavily on information operations and psychological warfare, using social media platforms, messaging applications, and website defacements to shape narratives and undermine Armenian morale. Simultaneously, distributed denial-of-service attacks targeted Armenian government websites and media outlets, disrupting communications and preventing the dissemination of official information. These operations, while less technically sophisticated than infrastructure-targeting attacks, achieved meaningful military objectives by creating information vacuums that Azerbaijan could fill with its own narratives.

The conflict also demonstrated the vulnerability of modern military operations to cyber-attacks on commercial technology platforms. Both sides relied heavily on mobile communications, social media coordination, and digital mapping systems for military operations. Attacks on telecommunications infrastructure and mobile networks directly impacted military coordination, particularly for Armenian forces operating in disputed territories with limited redundant communications systems.


The Israel-Iran Shadow Cyber War

The long-running cyber confrontation between Israel and Iran demonstrates how sustained digital operations can become normalised components of broader geopolitical competition, serving as both substitutes for and preludes to conventional military action. This shadow war provides insights into how states use cyber operations to achieve strategic objectives while avoiding escalation to full-scale conventional warfare.

Iranian cyber operations have consistently targeted Israeli critical infrastructure, including water treatment facilities, financial institutions, and government networks. In April 2020, attackers targeted Israeli water and sewage treatment plants in operations that could have resulted in dangerous chemical levels in civilian water supplies had operators not detected and prevented the manipulation. The sophistication of these attacks, which targeted industrial control systems rather than merely disrupting computer networks, signalled Iranian willingness to conduct operations with potentially severe consequences for civilian populations.

Israeli responses have been equally significant, including cyber operations that reportedly disabled Iranian port facilities, caused problems at nuclear enrichment facilities, and disrupted petroleum distribution networks. These operations demonstrate the potential for cyber-attacks to achieve effects previously requiring conventional military strikes, such as the reported disruption of Iranian centrifuges that set back nuclear programs without dropping bombs or firing missiles.

The escalation-de-escalation dynamics between Israel and Iran illustrate how cyber operations provide mechanisms for demonstrating capability and resolve without necessarily triggering conventional warfare. Each side has conducted operations severe enough to signal serious intent yet calibrated to avoid crossing thresholds that would mandate conventional military responses. This delicate balance reflects a sophisticated understanding of adversary decision-making processes and international response thresholds.


US-Iran Digital Confrontation

The cyber dimensions of US-Iran tensions peaked during the January 2020 crisis following the US strike that killed Iranian General Qasem Soleimani. Iranian responses included both threatened and actual cyber operations against US critical infrastructure, while the US reportedly conducted cyber operations against Iranian military command systems and missile launch capabilities.

The crisis illustrated how cyber operations can serve as proportional response mechanisms in conflicts where conventional military escalation carries unacceptable risks. Iran, unable to respond to the Soleimani strike with conventional military action that would likely trigger devastating US retaliation, instead conducted cyber operations and a limited missile strike that signalled resolve without forcing further escalation. US cyber operations reportedly disrupted Iranian military communications at critical moments, demonstrating capability while avoiding the casualties and visible destruction that conventional strikes would have caused.

This episode revealed how cyber operations enable states to demonstrate power and exact costs from adversaries while maintaining off-ramps from full-scale conflict. The relative invisibility of cyber operations, compared to conventional military strikes that generate dramatic imagery and public attention, provides decision-makers with greater flexibility to calibrate responses and manage escalation dynamics.


US-Venezuela Information Infrastructure Challenge

US-Venezuela relations provide a different perspective on cyber operations in geopolitical competition, particularly regarding allegations of infrastructure attacks and the complications created by ageing, poorly maintained critical systems. In March 2019, massive power outages affected Venezuela, leaving much of the country without electricity for days and triggering a humanitarian crisis as hospitals lost power, water treatment stopped, and food supplies spoiled without refrigeration.

The Venezuelan government immediately blamed US cyber-attacks for the blackouts, while US officials and independent experts suggested that lack of maintenance and operational mismanagement of Venezuela’s electrical grid were more likely culprits. This incident highlights a critical challenge in modern cyber conflict attribution: distinguishing between deliberate attacks and system failures in infrastructure that suffers from chronic underinvestment and poor maintenance.

The Venezuelan case demonstrates how states may attribute system failures to foreign cyber-attacks as mechanisms for deflecting domestic criticism of infrastructure mismanagement. Simultaneously, it reveals how degraded infrastructure creates opportunities for adversaries to conduct attacks that may be difficult to distinguish from organic failures, providing plausible deniability for offensive operations. For an attacker, infrastructure already on the verge of failure requires minimal additional stress to collapse, potentially making such systems attractive targets precisely because attribution becomes nearly impossible.


Legal Frameworks and International Norms

The proliferation of cyber operations as tools of statecraft has strained existing legal frameworks. The United Nations Charter prohibits the use of force against the territorial integrity or political independence of another state (Article 2(4)), yet it does not explicitly define whether a cyber-attack qualifies as a “use of force.” This ambiguity challenges international law, leaving states and international bodies to interpret norms and precedents as they arise.

International efforts, such as the Tallinn Manual on the International Law Applicable to Cyber Warfare, have sought to interpret how existing laws on armed conflict and sovereignty apply in cyberspace, emphasising that cyber-attacks causing effects equivalent to kinetic force could trigger self-defence rights. Yet these interpretations are not universally codified or accepted in binding treaties. At the bilateral and multilateral level, states increasingly negotiate cybersecurity cooperation agreements that include provisions on information sharing, incident response, and restraint in targeting critical infrastructure; some defence pacts explicitly recognise joint cyber defence as part of collective security mechanisms.

India faces unique challenges in protecting critical infrastructure from cyber operations that could serve as pre-invasion tools or standalone attacks designed to achieve strategic objectives. The nation’s rapid technological development, extensive integration into global supply chains, and complex geopolitical environment create both opportunities and vulnerabilities that require sophisticated strategies to address.

The ongoing India-China border tensions highlight the potential for cyber operations to accompany or precede conventional military confrontations. Reports of Chinese cyber operations targeting Indian critical infrastructure, including power grids and telecommunications networks, suggest that potential adversaries are conducting the reconnaissance and pre-positioning activities that would enable infrastructure attacks during future crises. India’s experience with blackouts in Mumbai and other cities, which some analysts have attributed to possible foreign cyber operations even though attribution has not been conclusively proven, underscores the reality that India’s infrastructure faces active threats.

Learning from Russia-Ukraine experiences, India must recognise that infrastructure attacks may precede conventional military operations by months or years rather than hours or days. The patient, long-term approach to pre-positioning malware that Russia demonstrated suggests that potential adversaries may already have established presence within Indian critical infrastructure systems. Detection and remediation of such threats require sustained investment in cybersecurity capabilities, regular security assessments of industrial control systems, and willingness to temporarily disrupt operations to thoroughly investigate and clean potentially compromised systems.

The Armenia-Azerbaijan conflict offers lessons about information operations and psychological warfare dimensions of modern conflicts. India’s large, diverse population and active social media environment create opportunities for adversaries to conduct information operations designed to create panic, spread disinformation, or undermine confidence in government capabilities during crises. Protecting critical infrastructure requires not only technical cybersecurity measures but also strategies for maintaining public confidence and countering disinformation during infrastructure disruptions.

From Israel-Iran experiences, India can learn about managing escalation dynamics through calibrated responses that demonstrate capability without triggering uncontrolled escalation. Developing cyber capabilities that can impose costs on adversaries while maintaining options for de-escalation provides strategic flexibility during crises. This requires sophisticated intelligence about adversary critical infrastructure, capabilities for effects that can be precisely calibrated, and diplomatic frameworks for managing crises that involve cyber operations.

India’s relationships with technology suppliers require careful management to reduce dependencies that could create vulnerabilities during conflicts. Developing domestic capabilities in critical technologies, diversifying suppliers for essential systems, and maintaining rigorous security evaluation processes for imported technology all contribute to reducing strategic vulnerabilities. The goal is not complete technological autarky, which would be economically inefficient and technologically limiting, but rather strategic resilience that prevents single points of failure or excessive dependence on technology from nations that could become adversaries.

Perhaps most importantly, India must invest in the redundancy and resilience that make critical infrastructure poor targets for cyber operations. When adversaries know that attacks will be detected quickly, that backup systems can maintain essential services, and that recovery will occur rapidly, the strategic value of infrastructure attacks diminishes substantially. Building this resilience requires sustained investment in cybersecurity capabilities, training for infrastructure operators, regular exercises simulating cyber-attacks, and governance structures that enable rapid coordination between government agencies and private sector infrastructure operators during crises.

The integration of critical infrastructure protection into national security strategy represents a fundamental requirement for modern nations. The cases examined here demonstrate conclusively that cyber operations against critical infrastructure have transitioned from theoretical concerns to practical realities of contemporary conflicts. For India, with its aspirations for regional leadership and its complex security environment, developing comprehensive strategies for protecting critical infrastructure while maintaining capabilities to impose costs on adversaries conducting infrastructure attacks represents not merely a technical cyber security challenge but a fundamental national security imperative that will shape the nation’s security and prosperity for decades to come.


Fortifying the Digital Frontier

For a rising power like India, which is rapidly digitising critical infrastructure, from power grids to healthcare networks to financial systems, these global patterns offer sober lessons. The strategic sequencing of cyber operations in conflicts like Russia-Ukraine underscores the need for continual readiness, robust defensive postures, and resilient architectures that reduce reliance on unverified foreign technology and opaque supply chains.

India must invest in advanced cybersecurity capabilities, adopt zero-trust architectures for industrial control systems, and foster public–private cooperation to detect and thwart latent threats before they are activated. Bilateral and multilateral cooperation with trusted partners on cyber threat intelligence and defence exercises will strengthen deterrence and improve incident response coordination.

Moreover, India’s legal frameworks and national policies should clarify norms for attribution, response, and escalation in cyberspace, aligned with international legal constructs like the UN Charter while promoting transparent, accountable cyber norms globally. Participation in cooperative agreements both regionally and in global forums will help shape emerging norms that discourage the weaponisation of critical infrastructure in peacetime.


Conclusion

Cyber operations have fundamentally reshaped the contours of modern conflict, providing states with tools to prepare battlefields, influence adversaries, and pursue strategic aims without firing a bullet. From disabling communications networks at the outset of an invasion to exploiting systemic dependencies that cascade across society, these digital actions have real political and human consequences. Recognising their role, understanding their mechanics, and strengthening legal and defensive frameworks are essential for any nation seeking security and stability in an increasingly digital world. By studying recent global examples and calibrating policy and infrastructure accordingly, India and other states can better defend themselves against the unseen but potent threats of cyber-enabled conflict.
