Author : Pavlina Pavlova

Published on Feb 21, 2024

Ensuring the safety of the most vulnerable is the most pressing concern on our path towards a more secure cyberspace

Silent battles, audible woes: The human cost of cyberattacks against critical infrastructure

This article is part of the series—Raisina Edit 2024


Over the past few years, cyberattacks against critical infrastructure have dramatically expanded in frequency, scale, sophistication, and severity. The global pandemic acted as an accelerator for complex cyber threats that wreaked havoc in times of emergency and inflicted costs on the economy and patient care alike. From ransomware targeting hospitals to disruptive attacks against power and water systems, financial institutions, and communication networks, more essential services nowadays fall victim to cybercriminals and state-sponsored attacks. Cyber incidents that aim to destroy and disrupt vital sectors are also on the rise as a weapon of choice in international armed conflicts around the world. With civilian critical infrastructure being among prime targets, no country and no organisation are off-limits to the attackers.

Due to wider access to cyber capabilities and the continuous lowering of the threshold and of the capabilities needed to conduct cyberattacks and operations, the threat landscape now consists of state actors and non-state actors, with a plethora of non-traditional actors such as collectives, hacktivists, and cybercriminal groups carrying out malicious activities. Within the Russia–Ukraine conflict, independent hackers have joined collectives such as Anonymous, which had declared a “cyberwar” against Russia, or KillNet, which stated its full support of Russia and threatened retaliatory cyberattacks against critical infrastructure. State-sponsored threat actors, such as Sandworm—an Advanced Persistent Threat (APT) actor linked to a Russian military intelligence service—have conducted cyber operations in Ukraine even before the 2022 full-scale military invasion. Incidents such as the 2015 BlackEnergy malware attack against Ukraine’s power grid and the 2017 NotPetya wiper attack that infected critical systems such as Chernobyl’s radiation monitoring system and United States (US) healthcare organisations illustrate the potential for causing collateral or deliberate damage to states and organisations globally.

The CyberPeace Institute has been collecting data connected to the international armed conflict between Ukraine and Russia since January 2022. In those two years, we have recorded 3,225 cyberattacks and operations conducted by 126 threat actors against critical infrastructure, of which some 80 percent were ‘self-attributed’. This means that perpetrators publicly disclosed their acts. Substantiated self-proclaimed cyberattacks point to the geopolitical importance of such actions, and the fact that some malicious actors take pride in conducting them. While the nature of these attacks is not novel, their extent and weaponisation against critical infrastructure raise significant concerns.

Due to the interconnected nature of cyberspace, the ramifications of cyber incidents are felt across countries and regions. The Institute’s in-house data collection on cyberattacks exposed that these geopolitically-motivated incidents have impacted 58 countries across 23 sectors. These numbers have very real consequences. Cyberattacks cause destruction of systems or data, disrupt essential services, facilitate data theft and leak, and limit access to accurate information that can exert adverse and compounding effects on economic and operational activity, and can impact the daily lives of people.

In a single day, on 31 December 2023, Ukraine experienced disruptive attacks against the website of a Ukrainian government ministry, national news media, and eight Ukrainian blood donation centres. Two weeks before this, the country was hit by a massive hacker attack. Ukraine’s leading mobile phone provider, Kyivstar, suffered a cyberattack on 12 December leading to the disruption of internet and mobile services. The company serves more than half the country’s population. The incident affected over 24 million clients, and their loss of phone and internet connectivity led to a serious issue in a war-torn country where many rely on mobile phones for air raid alerts. Services were not restored until one week later. The attack has been attributed to Sandworm by Ukrainian authorities.

The cases of severe harm stemming from malicious use of cyber are not limited to the war context and can impact any sector that is a custodian of sensitive data. In October 2023, the biotech company, 23andMe, suffered a data breach where threat actors were able to obtain the personal data of 6.9 million users by using customers’ old passwords. The threat actors were able to obtain sensitive data such as ancestry information, names, birth dates, and locations. In October 2022, the Australian health insurer, Medibank, was targeted by a ransomware attack where the records of almost 10 million customers were obtained by cybercriminals. The cyberattack was later attributed to an individual belonging to the Russian ransomware group, REvil.

When governments, companies, or insurers attempt to measure the consequences of cyber incidents, they primarily focus on the direct impact on targeted systems or organisations—the time to restore operational capacity, the amount of financial loss, and the volume of breached data. This narrow assessment lacks a fundamental element: What are the tangible harms that cyberattacks cause to people and society?

The full damage to society and individuals is difficult to estimate, whether it is connected to a cumulation of many individual events or a one-off major disruption. Cyberattacks can negatively affect individuals, particularly those who are excessively targeted or in a position of vulnerability. They can also have lower-level or prolonged impacts but affect people at scale. Harm to populations stemming from cyber incidents can also materialise only after a time delay or may be indirect, especially if we consider the many potential negative effects on victims, including their physical, psychological, social, and economic well-being; physical or economic security; or the environment.

Using the aforementioned cyber incidents as examples, violating the confidentiality of sensitive information such as personal health records can have irreparable psychological, social, and economic consequences for people, and particularly vulnerable people such as those struggling with mental health conditions, addiction, or diseases. Similarly, the loss of phone connectivity for millions of Ukrainian Kyivstar clients could plausibly have led to harm or death of civilians relying on online information to avoid danger during the conflict.

Despite the growing awareness about the many consequences of cyberattacks, there is currently no established methodology to provide the metrics, tools, and frameworks for understanding and tracking harm from cyberattacks over time. To close this evidence gap, the CyberPeace Institute is developing a harm methodology to identify means to assess the impact of incidents across multiple indicators and categories of harm. A standardised data-driven approach to measuring the impact and harms from cyberattacks can help build stronger and holistic accountability measures, and become a practical tool for informing policymaking, resilience efforts, and resource allocation by placing victims at the centre.

Cyber incidents do not only damage technology, but can have direct impacts on people and do not always have reversible effects. Our collective ability to protect the most vulnerable in cyberspace is the most urgent and critical issue to address on the journey towards safer cyberspace. It is imperative for policymakers, industry, civil society groups, and the technical community involved in addressing and mitigating cyberattacks to recognise and understand their human and social cost. Doing so is vital for fostering collaboration and for holding to account those who deliberately and indiscriminately harm civilians and civilian infrastructure for geopolitical advantage.


Pavlina Pavlova is a Public Policy Advisor at the CyberPeace Institute

The views expressed above belong to the author(s).