The views and opinions expressed or implied in WBY are those of the authors and should not be construed as carrying the official sanction of the Department of Defense, Air Force, Air Education and Training Command, Air University, or other agencies or departments of the US government or their international equivalents.

Russia’s Implementation of Hybrid Warfare: Estonia ('07), Georgia ('08), Crimea ('14)

  • By Capt Michael C. Mastalski, USAF

Hybrid Warfare: Russian Implementation

Hybrid warfare—also partially known as grey zone conflict or low-intensity conflict—is a reality, and the United States (US) military must be ready to confront and deter it from peer-to-peer adversaries.1 The US defines grey zone conflict as actions that seek to gain an advantage without provoking a conventional military response.2 Still, Russia’s definition of hybrid warfare takes it beyond the grey zone, depending on its desired outcome. As used today in reference to Russia, “hybrid warfare” refers to Moscow’s use of a broad range of subversive instruments, many of which are nonmilitary, to further Russian national interests.3 Russia has adapted its idea of hybrid warfare as a way to divide and weaken NATO allies; deter or subvert pro-Western influence; create pretexts for war; annex territory; and ensure access to European markets on its own terms.4

This paper addresses the key characteristics of the Russian hybrid warfare strategy. The three characteristics are economizing the use of force, persistence through continuous attacks, and a population-centric focus.5 Russia’s continuous objectives, specifically during the attacks on Estonia (’07), Georgia (’08), and Crimea (’14), were to capture territory without conventional military force if possible, to create a pretext for conventional military action if needed, and to use hybrid measures to influence the politics and policies of target states and pro-Western states.6 All three incidents are broken down within the three key characteristics, addressing the similarities between them and the perfected escalation from Estonia to Crimea. Following the characteristics, the paper addresses experts’ educated opinions on Russia’s desired objectives. Finally, the paper briefly covers what the US and its allies can do to potentially limit the effectiveness of Russia’s attacks on US and European Union (EU) infostructures.

Hybrid Characteristics & Objectives of Hybrid Warfare

In 2007, Estonia saw Russia’s hybrid warfare capabilities first-hand when it was attacked with extreme and effective information and cyber operations. Once separated after the Cold War, Estonia became a marvel of e-government where online procedure was dominant. Estonia had managed to build a new infostructure for its citizens and government to operate into the future. On 27 April 2007, a cyber-attack on the websites of its government ministries, political organizations, newspapers, banks, and companies commenced.7 In computer language, Estonia had seen a wave of distributed denial-of-service (DDoS) attacks and botnets (computers hacked from remote sites and controlled to unwittingly deliver spam and viruses to any location on the globe).8

Many of these attacks traced back to servers in Egypt, Russia, and the US.9 Internet chatter on forums was heavy with instructions on how to overwhelm Estonian websites with traffic.10 What makes these types of attacks significant is that botnet attacks involve millions of computers worldwide controlled by a sole operator, increasing the number of attacks tenfold. Government and bank websites typically received 1,000 visits a day, but during the attack were hit with 2,000 hits a second.11 These attacks overwhelmed the websites, causing them to crash and preventing their use by any means. During these attacks, Russia’s primary objective was to ensure the Estonian government could not communicate with the country or other governments about what was going on.

Additionally, these attacks defaced government sites while pushing Russian propaganda and graffiti to label Estonian party leaders as Nazis, affecting the populace’s perception. Simultaneously, the cyber-attacks on Estonian banks required them to report losses estimated at around $1 million. These attacks prevented credit card and automatic teller machine transactions from occurring for several days.12 The cyber-attacks maintained the characteristic of persistence: they continued for days, intensifying with each passing day. Russia’s attacks were significant in their psychological effects on the Estonian populace and in the disruption and loss of trust between citizens and the government.

These types of attacks were significant due to the exploitation of a vulnerable system perceived to be untouchable. Russia’s cyber-attacks on Estonia proved that “cyber terrorism” is capable of shutting down critical national infrastructures (such as energy, transportation, and government operations) in an attempt to coerce or intimidate a government or civilian population.13

Georgia, in August of 2008, saw almost the same cyber and informational attacks on all the same websites and infostructures. The first phase of these attacks commenced on the evening of 7 August when hackers launched the same form of DDoS attacks that Estonia experienced.14 According to Arbor Networks’ analysis, the average duration of each observed surge of DDoS traffic was two hours and fifteen minutes; the longest lasted six hours.15 Again, the cyber-attacks aimed to cripple the ability of the country’s government to communicate events as they happened while attempting to correct Russian propaganda. These events had such debilitating consequences for essential services that the National Bank of Georgia ordered all banks to stop offering electronic services. Bank services didn’t fully resume until 18 August.

Cyber activity in Georgia shifted to the recruitment of “patriotic” Russian “hacktivists.”16 Much of the recruitment happened through various sites, the most infamous of which was Some believe that there were indicators of preparation well before these August attacks: in July 2008, servers were flooded with “win+love+in+Russia,” while analysis of graffiti images discovered that the images had been created as early as 2006.18

The second phase of these attacks was in sync with the ground operations of Russian forces into Georgia. Many experts claim that the cyber-attacks and propaganda assisted the pretext for the entry of conventional forces into Georgia. Signs of escalation were evident, which played well into Russia's hybrid strategy. Because relations between the parties had been deteriorating for a while, Russia and Georgia seemed to take preemptive measures in case of an escalation of aggression. Russia, at the time, was conducting military exercises at several points along the border. Between July and August 2008, Russia had 8,000 soldiers and heavy military hardware in the area that remained on high alert.19 On the evening of 7 August 2008, the Georgian military entered the South Ossetian capital and several other villages, claiming that it was responding to bombardments by South Ossetian soldiers that ignored a previously established cease-fire.20 On 8 August 2008, Russia responded to the Georgian invasion of South Ossetia with superior military force because it saw Georgian actions as a threat.21 This was the first time Moscow deployed its military forces outside of its borders since the war in Afghanistan in 1979.22

The Crimea attacks were slightly different from the Estonia and Georgia attacks. However, the beginning stages of cyber-attacks through DDoS and botnets were identical in producing their desired outcome. But these attacks intensified as the two countries exchanged cyber-attacks following the revolution in Kiev.23 Tensions rose due to the 2014 Ukrainian revolution, in which the government of President Viktor Yanukovych was ousted after a popular revolt.24 Contrary to the protests, the region had groups that desired the integration of Crimea and Russia. On 1 March 2014, the de facto Crimean Prime Minister Sergey Aksyonov appealed directly to Russian President Vladimir Putin in a signed statement calling for Russia to “assist in ensuring peace and tranquility on the territory of Crimea.”25 After these events occurred, the Russian parliament approved President Vladimir Putin’s orders to use military force in Ukraine.

Because of this approval, state-sponsored cyber units, groups of hacktivists, and cybercriminals started their intensified campaigns against enemies.26 Instead of conventional forces, Russia sent in pro-Russian armed soldiers without insignia known as the “green men.” In addition to the cyber-attacks already in place, these soldiers seized buildings and Crimean assets. The attackers also used specialized equipment installed within Ukrtelecom networks in the Crimea region.27 The installed devices degraded Ukraine’s mobile phone infrastructure, targeting members of parliament.28

Ultimately these attacks, like those on Estonia and Georgia, prevented the government from communicating with the world and its citizens, allowing Russia to control the chain of events. The green men also set up roadblocks to isolate Crimea from the rest of Ukraine. Concurrently, the Russian military maneuvered its naval vessels in the port of Sevastopol in what security experts believed was a mission to isolate the region. Many units were carrying jamming equipment to block radio communications. Along with the cyber-attacks, this act of denial isolated Crimea to the point that it relied on foreign governments, including Russia, for nearly 70 percent of its internet exchange capacity.29 These moves ultimately affected the political and economic influence on the region.

Strategies to Counter Hybrid Warfare

Countering the challenges posed by the Russian government and their implementation of hybrid warfare will take time, effort, and resources. Practical strategies to defend the US, NATO, and the EU against Russian hybrid strategy will include, at a minimum, the following.

Analyze the Kremlin’s decisions within the Russian framework of hybrid war to understand and mitigate Russian lines of effort. Obfuscating the nature and purpose of Kremlin activities is a crucial objective of hybrid warfare, and US confusion about the term and the Russian approach to such conflicts hinders the development of effective counterstrategies.30

Increase collaboration between US agencies, NATO, and the EU. Because hybrid warfare can affect the US State Department, the Defense Department, the Treasury Department, the intelligence community, and NATO’s equivalent, combining doctrine is essential. Since 2015, NATO has had a strategy to counter hybrid warfare and to ensure that the Alliance and Allies are sufficiently prepared, that they will deter hybrid attacks on the Alliance, and that, if necessary, they will defend Allies.31

Develop appropriate resource allocation for the collection and analysis of intelligence in the European theater. The US, NATO, and EU members must ensure that they have the necessary resources to meet the growing threats. Each must be more transparent with the others to provide a solid body of collected intelligence. Intelligence is vital to tracking and advance warning of Russian hybrid activities. To successfully combat these issues, individual intelligence agencies from all partners must be closely linked.

Support transparency and anti-corruption efforts abroad and at home. Tolerance of corruption greatly facilitates Russian influence strategies.32 The US must support European anti-corruption efforts, with appropriate funding for related State Department and US Agency for International Development programs.33

Russia has continually proven it can implement its hybrid warfare to help push its agenda. Though it has not been definitively proven that Russia has tampered with or influenced recent US elections, it certainly carries that type of stigma. Nevertheless, Russia’s threat and growing challenge are undoubtedly real, with no chance of going away any time soon. The US, NATO, and the EU must continue to recognize the threat and continue moving forward together to counter it.

Captain Michael Mastalski

Captain Michael Mastalski (BS, Southwestern College) is finishing his MS at Missouri State University through the Air Force Institute for Technology Academic Partnerships in Nuclear Education program. He is an Air Force Aircraft Maintenance Officer serving as the 420th Aircraft Maintenance Unit, 412th Maintenance Group, Edwards AFB California.


1 Jim Garamone, “Military Must Be Ready to Confront Hybrid Threats, Intel Official Says,” US Department of Defense, 4 September 2019.

2 Ronald J. Deibert, Rafal Rohozinski, and Masashi Crete-Nishihata, “Cyclones in Cyberspace: Information Shaping and Denial in the 2008 Russia-Georgia War,” Security Dialogue Vol. 43, No. 1, February 2012.

3 Christopher S. Chivvis, “Understanding Russian ‘Hybrid Warfare’ and What Can Be Done About It,” 22 March 2017.

4 Christopher S. Chivvis, “Understanding Russian ‘Hybrid Warfare’ and What Can Be Done About It.”

5 Christopher S. Chivvis, “Understanding Russian ‘Hybrid Warfare’ and What Can Be Done About It.”

6 Christopher S. Chivvis, “Understanding Russian ‘Hybrid Warfare’ and What Can Be Done About It.”

7 Binoy Kampmark, “Cyber Warfare Between Estonia and Russia,” Contemporary Review 289 (2007): pp. 288-293.

8 Binoy Kampmark, “Cyber Warfare Between Estonia and Russia.”

9 Stephen Herzog, “Revisiting the Estonian Cyber Attacks: Digital Threats and Multinational Responses,” Journal of Strategic Security 4, no. 2 (2011): 49-60.

10 Stephen Herzog, “Revisiting the Estonian Cyber Attacks.”

11 Stephen Herzog, “Revisiting the Estonian Cyber Attacks.”

12 Stephen Herzog, “Revisiting the Estonian Cyber Attacks.”

13 Stephen Herzog, “Revisiting the Estonian Cyber Attacks.”

14 Paulo Shakarian and Andrew Ruef, “Chapter 3: How Cyber Attacks Augmented Russian Military Operations,” in Introduction to Cyber-Warfare: A Multidisciplinary Approach, ed. Jana Shakarian (Burlington, MA: Syngress, 2013), 24-28.

15 Ronald J. Deibert, Rafal Rohozinski, and Masashi Crete-Nishihata, “Cyclones in Cyberspace: Information Shaping and Denial in the 2008 Russia-Georgia War,” February 2012.

16 Ronald J. Deibert, Rafal Rohozinski, and Masashi Crete-Nishihata, “Cyclones in Cyberspace.”

17 Ronald J. Deibert, Rafal Rohozinski, and Masashi Crete-Nishihata, “Cyclones in Cyberspace.”

18 Ronald J. Deibert, Rafal Rohozinski, and Masashi Crete-Nishihata, “Cyclones in Cyberspace.”

19 “The Russo-Georgian War 2008: The Role of the Cyber Attacks in the Conflict,” 24 May 2012.

20 “The Russo-Georgian War 2008.”

21 “The Russo-Georgian War 2008.”

22 “The Russo-Georgian War 2008.”

23 Pierluigi Paganini, “Crimea – The Russian Cyber Strategy to Hit Ukraine,” Infosec Resources, 11 March 2014.

24 Pierluigi Paganini, “Crimea – The Russian Cyber Strategy to Hit Ukraine.”

25 “Ukraine Crisis: Crimea Leader Appeals to Putin for Help,” BBC News, 1 March 2014.

26 “Ukraine Crisis: Crimea Leader Appeals to Putin for Help.”

27 “Ukraine Crisis: Crimea Leader Appeals to Putin for Help.”

28 Roger McDermott, “Russia's Information Campaign in Crimea: Nodes, Themes and Caution,” 20 September 2016.

29 Roger McDermott, “Russia's Information Campaign in Crimea.”

30 Mason Clark, “Russian Hybrid Warfare,” September 2020.

31 NATO, "NATO's Response to Hybrid Threats," NATO, 28 May 2019.

32 NATO, "NATO's Response to Hybrid Threats."

33 NATO, "NATO's Response to Hybrid Threats."
