Catching Sandworm: How Russia Wages Cyberwarfare Against Ukraine and NATO

Michael McManus

The Russian cyberwar against both NATO and Ukraine has steadily evolved into one of the most persistent and constantly adapting weapons in modern conflict. Utilising these cyber-tactics alongside conventional military operations, the Kremlin has deployed digital tools that are increasingly sophisticated and complex. This report analyses a key aspect of this campaign that has been overlooked: how Russia uses cyberattacks as a coercive instrument against NATO states. Although the scale of Russian cyber activity is widely acknowledged, far less is understood about the conditions under which Russia chooses to escalate these attacks. As a result, NATO members remain exposed to sudden surges in hostile cyber activity and are unable to anticipate when they are most at risk.

The Henry Jackson Society set out to determine whether identifiable triggers make Russian cyber escalation more likely. If such conditions can be mapped, NATO governments would be better positioned to anticipate and prepare for future waves of cyber aggression. Our working hypotheses were:
Russia would be more likely to escalate cyberattacks in response to political or military support provided to Ukraine by NATO states.
Russia would be more likely to intensify cyber operations following diplomatic actions perceived as hostile, such as public criticism, sanctions‑related statements, or international condemnations.

To test these hypotheses, we used data from the Cyber Peace Institute, which records cyberattacks by country, attack type, and targeted sector. This allowed us to construct a detailed timeline of Russian cyber activity against Ukraine, NATO members, and the UK. We then compared this timeline with key political and military events, including UK government announcements on Ukraine, major diplomatic interventions, and public statements at international organisations. This dataset was supplemented with sector‑specific targeting patterns to understand whether spikes in activity corresponded to particular strategic aims.

This approach enabled us to examine whether Russian cyber escalation aligns with identifiable political triggers – and whether NATO states can better anticipate future cyber aggression when similar conditions arise.

 
