The Ukraine war could provide a cyberwarfare manual for Chinese generals eyeing Taiwan

China's certainly watching Russia's missteps in cyberspace, as well as the U.S. response.
This picture taken on Sept. 22, 2021 shows honor guards marching in front of the Chiang Kai-shek Memorial Hall in Taipei. Beijing views Taiwan as part of China. (Photo by SAM YEH/AFP via Getty Images)

Military leaders around the world are closely watching Russia’s invasion of Ukraine, which just entered its fifth month, but perhaps none are tracking the intricacies of Russia’s cyberattacks designed to further cripple Kyiv more closely than those in China.

Cybersecurity experts and China observers who spoke to CyberScoop strongly believe that Beijing’s military leaders are learning from Russia’s approach to cyberspace — missteps and all — during the Ukraine conflict. There are implications not only for the U.S., but for China’s neighbor Taiwan, which a U.S. official said in 2021 could be subject to a Chinese invasion in the next six years.

Shawn Henry, a former top FBI official and the head of cybersecurity company CrowdStrike’s incident response division, gathered a group of corporate chief information security officers at last month’s RSA cybersecurity conference and told them they needed to start planning for how a Chinese invasion of Taiwan, and the potential U.S. response, would affect their companies’ ability to keep operating.

“China is absolutely watching what’s happening in Russia and Ukraine, what the U.S. is doing or not,” Henry said. The message he delivered to those CISOs: “Are you thinking about what happens if your supply chain is shut down? What about continuity of operations? What does it look like?”



Opinions vary widely on the degree to which cyber is playing a role in Russia’s Ukraine invasion, and why it hasn’t been more prominent — as well as why Russia hasn’t acted on threats to the U.S. But there is evidence that Russia has been foiled in some of its ambitions, with Ukrainian officials regularly touting attacks they turned back. At times, Moscow hasn’t appeared savvy about its own cybersecurity, such as when Ukrainians reportedly located and killed a general because he was communicating on unencrypted channels.

What Beijing is seeing

Some of the possible lessons for a Chinese invasion of Taiwan, then? Strike quickly, pick targets that would cripple the enemy early on and rely on attack methods that never have been observed in public.

The idea that China is watching what’s happening in the cyberspace element of the conflict between Russia and Ukraine is more than informed speculation. As threat intelligence analyst Zoe Haver detailed for the cybersecurity firm Recorded Future, Beijing has long shown a fascination with Russia’s cyberattacks in Ukraine, especially its 2015 attack on the power grid that left hundreds of thousands of citizens without power for hours.


“Perhaps you’ll see them invest more in offensive cyber operations and keep them hidden, so that unlike in Ukraine, where we were able to — between the United States, our allies, partners and the Ukrainian force — determine where Russia would strike and defend against it successfully,” said Tatyana Bolton, a former Department of Homeland Security cyber official who leads the cybersecurity and emerging threats team at the R Street Institute think tank. “I’m concerned that they’re going to take away from it that they put everything into the first attack.”

Russia did cause communications woes for Ukraine at the outset, Ukrainian and U.S. officials said, by remotely disabling satellite modems. But it didn’t do lasting damage.

“One of the lessons learned for Ukraine was that the Ukrainians showed a fair amount of resilience,” said Emily Harding, a former Senate Intelligence Committee staffer who led the committee’s probe into the 2016 Russian election interference and now researches international security at the Center for Strategic and International Studies. “So how do you look at the recovery in addition to the initial attack and see what’s doable? How do you focus on targets that are harder to recover?”

Starlink, a satellite-based internet service provider, has emerged as a key plank in the Ukrainians’ ability to stay online, allowing continued communications and the ability to get information out to the world. Dakota Cary, a consultant with the Krebs Stamos Group and a nonresident fellow in the Atlantic Council’s Global China Hub, pointed to a paper published earlier this year by a Chinese researcher urging the Chinese military to consider tracking Starlink satellites and consider plans to disable them if needed.

The Ukrainians’ success with Starlink — particularly the ability to share information that contradicted the Russian government’s domestic and international messaging — could be a major lesson for Beijing, Cary said.


Tom Hegel, senior threat researcher at cybersecurity firm SentinelOne, said nations other than China are also studying how cyber is playing out in the Ukraine invasion — but that China could have some questions specific to its interests in Taiwan.

“Was there proper coordination and pre-positioning across the Russian government agencies? Was the approach of wipers in the initial waves effective?” he asked in an online conversation with CyberScoop. “What could China do to be more successful in such an invasion? Was there any success to Russia’s influence ops leading up [to]/after the invasion?”

Hegel and others note that China has typically taken a different approach in cyberspace than Russia. China focuses on covert collection of information, while Russia often uses cyber for disruption, as it did by upending the 2016 U.S. election by hacking into key Democratic organizations.

Still, Harding said China appears to be modifying its approach, pointing to the particularly chaotic fallout from last summer’s attack on Microsoft Exchange, for which the U.S. formally blamed Beijing.

“Their cyber campaigns have been a little more willing to push the envelope and care less if they get caught,” Harding said. “The Microsoft Exchange attack was a really interesting example of that, that it went from kind of quiet to very loud. And maybe one lesson they’re learning from Russia is that since attribution is slow and hard, there’s probably a lot they can get away with.”


Both Harding and Bolton said that China has to be worried about how active U.S. Cyber Command — the Pentagon’s offensive cyber wing — has been in countering Russia during the invasion.

On the other hand, Henry said, sanctions that the U.S. has used to punish Russia aren’t as viable with China. The U.S. does relatively little business in Russia. Should the U.S. get as aggressive in slapping sanctions on an economic powerhouse like China over a potential invasion of Taiwan as it did with Russia over its invasion of Ukraine, the blowback for U.S. companies doing business inside China could be considerable, including the possible Chinese nationalization of company assets, Henry said.

It might be a while, though, before the rest of the world determines what China’s primary military force, the People’s Liberation Army, has picked up from Russia’s cyberspace operations in Ukraine.

Ma Xiu, an analyst at BluePath Labs who researches the PLA and who co-wrote an essay about what the Chinese military is learning from the Ukraine invasion, said a clearer picture of exactly what Beijing’s generals are tracking will emerge soon.

“Eventually you will see ‘lessons learned’ type articles appear in PLA media intended primarily for internal consumption, and from those we will be able to get a much clearer picture of what their takeaways were,” he said.

Russia declared war against Ukraine on Feb. 24, 2022. Before, during and after the military campaign began, the CyberScoop staff has been tracking the cyber dimensions of the conflict.

This story was featured in CyberScoop Special Report: War in Ukraine
