Cyber Lessons From Russia’s War in Ukraine
Cyber Lessons From Russia’s War in Ukraine
Executive Summary:
- Chinese analysts have closely followed Russia’s cyber offensive against Ukraine, drawing a series of lessons about how the People’s Republic of China (PRC) can better prepare for cyber warfare.
- Analysts blame Russia’s underwhelming cyber campaign at the outset of its invasion on institutional flaws. This contrasts with analysts in the West who suggest that cyber capabilities are not a decisive factor in contemporary warfare. In response, Chinese analysts advocate for a more unified command structure and enhanced civil-military fusion.
- Research on cyberattacks against critical infrastructure in Ukraine and, more recently, by the United States in Venezuela underscore the need to improve domestic resilience and defenses for critical infrastructure.
- Developing “independent and controllable” technologies and reducing dependence on those controlled by adversaries is a key theme of this literature. Some scholars also advocate using international governance institutions to shape global cyberspace regulation in favorable ways.
For the last ten years, Chinese experts and policymakers have referred to cyberspace as the “fifth domain” (第五疆域), after land, sea, air, and space (Central Cyberspace Affairs Commission, September 8, 2024). For the last four, Russia’s invasion of Ukraine has given strategists in the People’s Republic of China (PRC) a first sustained look at large-scale cyber and electronic warfare operations between two digitized states. Analysis of the conflict has resulted in a substantial literature, spanning institutional journals of the People’s Liberation Army (PLA), military conference proceedings, state-backed magazines, academic quarterlies, and the PLA Daily. These writings are often strikingly critical about Russia’s failings. A survey of some two dozen analyses that engage the cyber war in Ukraine maps how the PLA is using the conflict to inform a new cyber doctrine. In the course of reviewing these analyses, minor discrepancies were found between different published versions of particular articles. In such cases, the analysis below prioritizes versions that appear more complete and/or authoritative.
The Chinese military’s ability to learn the correct lessons from Russia’s war in Ukraine and successfully implement them will be crucial to its military modernization efforts. One recent data point could call that into question. In late June, the Standing Committee of the National People’s Congress (NPC) decided to remove the commander of the two-year-old PLA Cyberspace Force (网络空间部队) from his position as a delegate to the NPC. Lieutenant General Zhang Minghua (张明华), who has led the Cyberspace Force since its inception, was one of several senior officers removed from the national legislative body without public explanation (NPC, June 26). Chinese analyses of Russia’s cyber operations frequently fault Russia for running a personalized, opaque, and disunified cyber command, but Zhang’s removal from the NPC could indicate that the Chinese system is plagued by the same pathologies as Russia’s.
Russia’s Cyber Failures Are Institutional
Many Western commentators spent 2022 puzzling over why Russia’s vaunted cyber forces never delivered a knockout blow to Ukraine. Chinese analysts noted the same puzzle, but described Russia’s cyber prowess as something of a “myth” (迷思). As Tsinghua University’s Wu Dahui (吴大辉), a prominent Russia hand, pointed out, Russia lacked a unified cyber command, its security services carried “traditional organizational structures and strategic cultures ill-suited to cyber operations” (传统组织结构和战略文化不适用于网络行动), its operators were rooted in Soviet-era signals-intelligence habits, and the state leaned on a private sector that “values commercial interest over national duty” (更看重商业利益而非国家责任) (Wu, 2023). [1] Researchers at Nanjing University reinforced this reading. In a paper published in early 2026, two scholars portrayed the “strategic culture” (战略文化) of Russia’s cyber warfare ecosystem as one that was too invested in a view of Russia as a great power and that “worship[ped] force” (力量崇拜). As a result, they assessed that Russia’s rhetoric about pre-emptive strikes was undercut by a technology gap with the West (Guo & Shi, 2026). [2]
The subtext for a PLA audience is unmistakable: capability is worthless without unified command and civil-military fusion. This may in fact have been a key reason behind the PLA’s organizational overhaul in April 2024 that stood up independent PLA branches under the Central Military Commission for cyber, information, and aerospace warfare. One PLA Daily commentary from that year effectively argued that the Information Support Force (信息支援部队) was an organizational remedy for the problems identified in Russia’s system, stating that the network information system “directly determines the effectiveness of command, [intelligence, surveillance, and reconnaissance], fire-strike, and support systems” (直接决定着作战指挥系统、情报侦察系统、火力打击系统、综合保障系统等方面的效能) (PLA Daily, December 6, 2024).
A minority of Chinese analysts have voiced skepticism about whether cyber operations can be a decisive factor in a conflict. Observers from the Shaanxi branch of the National Internet Emergency Response Center (CNCERT; 国家互联网应急中心) invoked a “trilemma” (三难困境)—the argument that a cyber operation cannot be simultaneously fast, intense, and controllable. Applying this to Ukraine, they conclude that cyber “did not substitute for, nor did it significantly supplement, conventional combat operations” (既没有取代也没有显著补充常规作战活动) (Ling, April 2023). [3] In a separate instance, the 30th Research Institute of the China Electronics Technology Group Corporation (CETC-30; 中国电科三十所) translated and circulated a commentary by the Royal United Services Institute (RUSI) in the United Kingdom that described deterrence as being “enabled by cyber rather than unilaterally ensured by it” (RUSI, January 14; Chen, May 22). [4] CETC-30 is the principal research institute under the state-owned defense research and development conglomerate CETC for cryptography, information security, and secure communications.
These skeptics nevertheless conclude that cyber remains essential to enabling and supporting the broader fight. In their view, Russia’s execution of cyber operations in the early stages of its invasion was simply poor. The diagnosis that a key limitation of Russia’s capabilities has been an institutional one suggests that the Chinese side is confident it will not succumb to the same vulnerabilities.
Cyber Campaigns Against Command Nodes and Civilian Will Most Effective
The consensus among Chinese experts is that contemporary and future conflicts will begin with the targeting of an adversary’s critical information infrastructure. In the early stages of Russia’s invasion, researchers at the National University of Defense Technology and CETC-30 catalogued Russia’s deployment of its offensive cyber toolkit against Ukrainian systems. They observed how operators seeded Ukrainian government, energy, and financial systems with data-wiping malware that erases files by overwriting a hard drive’s partition tables so a machine “forgets” where its files are and goes dark. Russia then paired this with platforms and botnets that used distributed denial-of-service (DDoS) attacks to swamp servers. The researchers flag a February 2022 attack on the Viasat KA-SAT satellite-modem network as “the first successful wide-area satellite-communications cyber engagement” (历史上首次成功实施的广域卫星通信对抗战例)—the moment cyber conflict visibly “extended into space” (延伸至太空领) (An & Hao, 2022). [5]
The scale of Russia’s cyber force is evident in a 2023 paper that maps its order of battle. The study, authored by experts at the PLA Information Engineering University—at the time the cyber arm of the precursor to the Cyberspace Force, the Strategic Support Force—assesses more than 7,000 uniformed cyber personnel plus proxy groups and units 26165 and 74455 of Russia’s foreign military intelligence agency, the Main Intelligence Directorate. Ukraine’s forces were assessed as comprising roughly 270,000 volunteers dispatched through a Telegram channel, and supported by many more through some 22 international hacker collectives. The authors also trace how Russian cyber forces worked to force Ukrainian industrial-control systems to a halt. This process involved exploiting a web-server flaw and implanting a trojan, before corrupting host data, destroying the disk drive, overwriting its contents, and deleting the partition table. They also note that Ukraine was deploying a ransomware called RuRansom to target Russian systems. This malware checks whether a machine’s IP is Russian before irreversibly encrypting its files, and adding a text file with a message for Russian President Vladimir Putin (VMware Security Blog, April 12, 2022; Cao, Song & Zeng, 2023). [6]
The PLA authors argue that cyberattacks on infrastructure are most potent not as a single knockout blow but as a sustained “surgical” (外科手术式) campaign against an adversary’s command nodes and civilian will. They observe that, starting in February 2023, Russian “directional destructive” (定向性破坏型) attacks nearly severed Internet connections offered by the satellite provider Viasat and the broadband provider Triolan, affecting a quarter of users in the city of Kharkiv and taking Mariupol offline. By that October, the attacks had shifted to rear-area water, power, and gas utilities, explicitly to manufacture distress among the Ukrainian people through the harsh winter months. The authors close with the blunt prescription that the PRC must “strengthen the protection of critical information infrastructure” (聚焦提升关键信息基础设施防护体系与能力建设) and “seize the initiative in cyber warfare” (在网络作战中掌握自主权和主动权) (Cao, Song & Zeng, 2023). [7]
Chinese analysts see the same template repeated elsewhere. In a study of the January 2026 U.S. operation Absolute Resolve in Venezuela, CETC-30 engineers describe a “system-breaking” (体系破击) sequence. This involved the U.S. mapping the Venezuelan critical information infrastructure network, cataloguing its vulnerabilities, and exploiting flaws in industrial software by pre-implanting trojans to interfere with Caracas’s power grid, hijack the national telecom provider’s core routers, poison its domain-name servers, and feed falsified radar data to its command system (Zhang et al., May 20). [8]
Experts see Self-Reliance as the Only Solution
Chinese experts repeatedly worry that reliance on adversary-controlled technologies is a strategic vulnerability. This is most clear in an essay by Yan Ming (严明), honorary director of the security committee of the China Computer Federation (中国计算机学会). After cataloguing how Western firms severed their business ties with Russia following its invasion of Ukraine, Yan notes that “the crisis facing Russia today may one day come to us” (俄罗斯当前面临的危机是否有朝一日也会来到我们面前). He then asks his readers: “If we face the same or fiercer service cutoff, supply cutoff, and network disconnection, are we ready?” (如果面临同样的甚至更加激烈的舆论战、网络战、信息战,面临全面停服、断供、断网等,我们准备好了吗?) (Yan, August 5, 2022). [9] A scholar at the Chinese Academy of Social Sciences (CASS), Lang Ping (郎平), voices similar concerns, warning that a fragmentation of the Internet would entrench U.S. dominance, as it would cement the positions of U.S.-based platforms that already dominate the global information space. Lang argues that this fragmentation would be a downstream effect of the weaponization of code, social media, and, most novelly, “Internet resources” (互联网资源) such as certificate revocation and DNS cutoffs (Lang, August 5, 2022). [10]
The primary remedy Chinese experts prescribe is one that Beijing has been pursuing for years. This is the push to develop “independent and controllable” (自主可控) indigenous technology. This includes a related concept, which the government refers to as “information technology application innovation” (信息技术应用创新) or simply xinchuang (信创). This, according to a recent state media article, is “the foundation for ensuring information technology security” (保障信息技术安全的基础) (Xinhua, February 14). Researchers at Sichuan University frame the war in this way as validating the argument that the PRC needs to follow a model of technological sovereignty. For them, this entails full data localization and a “sovereign Internet” (主权互联网) modeled explicitly on Russia’s RuNet as insurance against being forcibly disconnected (Yang & Cheng, May 19, 2025). [11] The urgency of these ambitions was underscored in late 2025, when the Ministry of State Security alleged that the U.S. National Security Agency had spent years penetrating the PRC’s National Time Service Center (国家授时中心) (CCTV, October 19, 2025; China Brief, November 7, 2025). This followed earlier claims that the 2025 Harbin Asian Winter Games had been the victim of 270,000 attempted cyberattacks, of which nearly two thirds allegedly originated from IP addresses in the United States (Yang, July 23, 2025). [12] Whatever the merits of those attributions, commentators and authorities in the PRC have marshaled them to argue that the PRC already faces the same state-level operations seen in Ukraine.
A secondary lesson that Chinese experts have taken from Russia’s war in Ukraine is the need to enhance the defensive engineering of domestic information systems. The scholar Zhang Shuai (张帅) and his colleagues at the National University of Defense Technology use their observations from the conflict to develop a five-phase planning cycle for the country’s cyber defense. The cycle involves continuous red-team/blue-team drills, phishing exercises, and “active cyber defense” (积极主动的网络防御), and the authors write that their base assumption is the premise that “there is no clear boundary between peace and war” (和平与战争之间并无明确界限) (Zhang, 2025). [13] The infrastructure for running nationwide offense-defense exercises at scale is already in operation. A 2026 paper discusses distributed “cyber ranges” (网络靶场), virtual environments where cyber weapons are tested and operators are trained. These ranges are built by stitching a network of geographically separate ranges into one (Jiang, 2026). [14]
Additional ideas also emerge in the literature. Some scholars argue that the PRC should assert cyber self-defense but also push to de-militarize cyberspace (Sun, 2023). [15] Others, meanwhile, believe that the PRC simply needs to influence international governance institutions to shape emerging regulations for international cyberspace in ways that better support Beijing’s priorities. A researcher at the Academy of Military Sciences, for instance, has urged Beijing to “seize the window of opportunity for making international rules” (抓住国际规则窗口期) at the United Nations to “actively shape an international rules system for cyberspace that is favorable to us” (积极塑造对我有利的网络空间国际规则体系) (International Cooperation Center, March 19, 2023).
Conclusion
Analysts in the PRC have spent over four years dissecting Russia’s war in Ukraine to extract practical and actionable lessons that it can apply to enhance its own systemic resilience and military competitiveness. In the cyber domain, they broadly conclude that cyber warfare is a crucial factor in contemporary warfare, but that Russia executed its cyber operations badly at the outset of its invasion, in part as a result of flaws in the institutional design of its cyber ecosystem. More broadly, the conflict has convinced Chinese experts that dependence on adversary-controlled technologies is a serious vulnerability, and that cyber sovereignty and technological self-reliance are prerequisites for national security. This confirms many experts’ prior assumptions rather than constituting a novel insight—Beijing was already forging ahead in building such a system by 2022.
Notable in Chinese analyses is a fairly objective view of Russian and Ukrainian strengths and weaknesses. Many Western analysts would agree with points raised by Chinese experts diagnosing problems with Russia’s cyber capabilities. An important takeaway from this literature, therefore, is that the PLA assiduously studies the techniques, tactics, and procedures of both parties to the conflict, assessing each side’s merits and demerits, and picking and choosing those aspects that are most applicable for advancing its own capabilities.
Notes
[1] Wu Dahui [吴大辉], “乌克兰危机与新军事革命:网络战篇” [The Ukraine Crisis and the New Military Revolution: Cyber Warfare], World Affairs [世界知识], no. 13 (2023): 72–73.
[2] Guo Sunyue [郭孙越] and Shi Bin [石斌], “俄罗斯网络空间战略文化的生成逻辑、核心要素及其效应分析” [The Generative Logic, Core Elements, and Effects of Russia’s Cyberspace Strategic Culture], Russian, East European & Central Asian Studies [俄罗斯东欧中亚研究], no. 1 (2026).
[3] Ling Yuhao [令宇豪], “从俄乌冲突看网络战的发展与迷思” [The Development and Myths of Cyber Warfare as Seen through the Russia-Ukraine Conflict], Information Security and Communications Privacy [ 信息安全与通信保密], no. 11 (2022): 36–44.
[4] Louise Marie Hurel, “分层模糊性:美国突袭委内瑞拉抓走马杜罗行动中的网络能力” [Layered Ambiguity: Cyber Capabilities in the U.S. Raid on Venezuela to Capture Maduro], translated by Chen Qian, Information Security and Communications Privacy [信息安全与通信保密], no. 2 (2026): 28–35.
[5] An Zidong [安子栋] and Hao Zhichao [郝志超], “俄乌冲突中的网络对抗分析” [Analysis of Cyber Confrontation in the Russia-Ukraine Conflict], Information Security and Communications Privacy [信息安全与通信保密], no. 11 (2022): 2–8.
[6] Cao Weidong [曹卫东], Song Liuyong [宋留勇], and Zeng Xiangwei [曾相为], “乌克兰危机中网络战战法分析” [Analysis of Cyber Warfare Tactics in the Ukraine Crisis], Information Security and Communications Privacy [信息安全与通信保密], no. 7 (2023): 22–29.
The Russian proxy groups referred to include Sandworm and Gamaredon.
[7] Ibid.
[8] Zhang Xin [张欣], Kang Rongbao [康荣保], Zhu Zhicheng [朱治丞], Xi Jianmin [席建民], and Lai Dian [赖滇], “美军‘绝对决心’行动多域技术体系协同机制与实战效能研究” [Research on the Synergy Mechanism and Combat Effectiveness of the Multidomain Technology System in the U.S. Military’s “Absolute Resolve” Operation], Information Security and Communications Privacy [信息安全与通信保密], no. 5 (2026): 1–12.
[9] Yan Ming [严明], “对俄乌冲突中网络空间对抗的思考” [Reflections on Cyberspace Confrontation in the Russia-Ukraine Conflict], China Information Security [中国信息安全], no. 6 (2022): 70–72.
[10] Lang Ping [郎平], “从俄乌冲突看网络空间武器化倾向及其影响” [Cyberspace Weaponization Trends and Their Impact as Seen through the Russia-Ukraine Conflict], China Information Security [中国信息安全], no. 6 (2022): 66–69.
[11] Yang Feng [杨峰] and Cheng Yuexin [程越欣], “俄乌冲突中的网络空间安全:中国之治与全球共治” [Cyberspace Security in the Russia-Ukraine Conflict: Chinese Governance and Global Co-Governance], Journal of Chengdu University (Social Sciences), no. 3 (2025): 29–44.
[12] Yang Liangbin [杨良斌], “当前我国网络安全形势与网络安全意识提升对策” [China’s Current Cybersecurity Situation and Measures to Raise Cybersecurity Awareness], China Information Security [中国信息安全], no. 4 (2025): 22–25.
[13] Zhang Shuai [张帅], Ni Lin [倪林], Wang Xinmei [王欣玫], and Ye Qiukai [叶秋凯], “俄乌冲突下网络空间防御行动规划与实施研究” [Research on the Planning and Implementation of Cyberspace Defense Operations in the Context of the Russia-Ukraine Conflict], Network Security Technology & Application [网络安全技术与应用], no. 8 (2025): 152–55.
[14] Jiang Zhiqiang [蒋志强], Zheng Yi [郑轶], Hu Zhifeng [胡志锋], and Wang Lulu [王路路], “分布式网络靶场跨地域靶标互联方案初探” [A Preliminary Study of Cross-Regional Target Interconnection Schemes for Distributed Cyber Ranges], Network Security Technology & Application [网络安全技术与应用], no. 6 (2026): 1–3.
[15] Sun Kewang [孙可旺], “俄乌冲突‘网络战’对我国的启示——以国际法为视角” [Implications of the Russia-Ukraine “Cyber War” for China: An International Law Perspective], Network Security Technology & Application [网络安全技术与应用], no. 3 (2023): 163–65.