What hybrid warfare really is (beyond buzzwords)
“Hybrid warfare” gets thrown around a lot — sometimes to describe everything from trolls to tanks. At its core, it’s about blurring the boundary between war and peace.
Instead of a single declaration of war, you get a constant pressure campaign. A state mixes tools that used to live in separate boxes:
- Cyber operations against ministries, companies and critical infrastructure.
- Disinformation and propaganda targeting voters, soldiers and diasporas.
- Economic levers: sanctions, trade blockages, energy supply cuts.
- Covert action: sabotage, deniable proxies, “helpful volunteers.”
- Conventional forces, held in the background as a credible threat.
The aim isn’t necessarily to occupy territory. It’s to shape another state’s choices: its alliances, elections, policies and strategic posture, ideally without triggering a response that looks like traditional war.
Cyber operations against critical infrastructure sit right in the centre of that toolkit. They’re deniable, reversible (sometimes), and can be tuned from subtle probing to headline-grabbing outages.
Why critical infrastructure is the perfect pressure point
“Critical infrastructure” is a catch-all term, but in practice it means the systems that keep a modern society alive and functioning:
- Electricity generation, transmission and distribution.
- Water and wastewater treatment.
- Oil and gas production, pipelines and fuel distribution.
- Telecoms and internet backbones, including undersea cables and satellites.
- Transport: rail, aviation, ports, highways, logistics hubs.
- Healthcare systems, emergency services and public safety networks.
- Financial infrastructure and payment rails.
For a hostile state, these are force multipliers. You don’t have to bomb a city if you can cause rolling blackouts, jam GPS for airports, choke a port, or knock a payment system offline for a few days. Even small disruptions can generate political pressure, erode trust in government, or complicate military deployments.
There are three reasons these systems are so attractive:
1. High leverage, low visibility
Citizens notice empty shelves, fuel queues and failing hospital IT long before they see evidence of a foreign hand. That ambiguity is a feature, not a bug, for hybrid operators.
2. Legacy meets connectivity
Many control systems were never designed to be internet-exposed. Over time, convenience and remote management layered on connectivity, VPNs and vendor access — often without equivalent investment in security, monitoring or segmentation.
3. Complex responsibility
Power grids, pipelines and telecoms often sit at the intersection of public and private, national and regional, regulated and market-driven. That means patchy oversight, governance gaps and slower decision-making during a crisis. Perfect conditions for pressure.
Inside a nation-state campaign: from mapping to message
Every state and operation is different, but hybrid campaigns against critical infrastructure tend to follow a loose pattern. Think of it from the defender’s perspective — what you’d see if you ran the movie backwards.
Phase 1 — Shaping the environment
- Long before anything “breaks,” intelligence services are collecting: vendor documentation, staff LinkedIn profiles, regulator reports, network maps, leaked credentials, open-source diagrams of substations, switching yards and data centres.
- They may run low-level cyber operations to learn how systems behave: who logs in from where, which third-party tools have access, what’s exposed to the internet.
Phase 2 — Gaining and maintaining access
Here the goal is persistence, not instant drama. State-linked operators might:
- Compromise IT environments (email, AD, VPNs, management consoles) that sit upstream of industrial or critical systems.
- Establish multiple footholds via different methods so that removing one doesn’t eject them completely.
- Blend their activity with normal admin behaviour — using legitimate tools, working at normal hours, avoiding noisy actions.
Phase 3 — Positioning for options
Once inside, teams may quietly:
- Map which systems actually matter to grid stability, throughput, safety or command and control.
- Identify “choke points” where small changes could have outsized effects.
- Prepare playbooks for different levels of action: from subtle data tampering or delay, through temporary disruption, up to destructive options that might only be used in an open conflict.
Phase 4 — Effects and messaging
The visible part — if it happens at all — could look like:
- A brief blackout timed with diplomatic pressure or military exercises.
- “Accidental” equipment failures that slow mobilisation or logistics.
- Widespread website defacements and DDoS against ministries amid a political crisis.
- Coordinated leaks and disinformation amplifying the idea that the government is incompetent or corrupt.
The technical operation and the information campaign support each other: a limited outage becomes proof of chaos; a doctored leak becomes more believable when systems are visibly struggling.
Case snapshots: invisible battles from grid to seabed
To keep this article focused on defense, we’ll stay high-level and avoid operational detail. But a few widely discussed patterns illustrate how hybrid campaigns show up in the real world.
1. Industrial malware and the “proof of concept” era
More than a decade ago, specialised malware demonstrated that you could cross the gap between office IT networks and industrial control systems. The message wasn’t just to one target state; it was to everyone: industrial processes are not off-limits.
Since then, researchers and governments have reported malware families built to interact with industrial protocols, manipulate safety systems, or wipe the logic from controllers. Even when these tools are never fully deployed, their existence alone changes strategic calculations.
2. Power grids and “testing the breakers”
In several high-profile incidents, attackers used access to electricity distribution systems to briefly cut power in targeted regions. Technically, those attacks were limited and recoverable. Strategically, they were loud signals:
- They proved that grid operators could be compromised.
- They forced expensive remediation and redesign.
- They showed other states what was possible.
In some theatres, these grid operations coincided with physical conflict or political pressure, underlining how cyber, kinetic and information tools can be choreographed.
3. Undersea cables, pipelines and railways
Hybrid warfare isn’t purely digital. Over the last few years, European states have investigated suspicious incidents affecting undersea cables, fuel pipelines, rail lines and communications masts. Some remain unattributed publicly; others are openly discussed as likely state-linked sabotage or probing.
The pattern looks like this:
- Physical incidents — damage to an undersea cable, a pipeline explosion, a signalling fault.
- Cyber incidents around the same time — probing of operators, phishing, network intrusions.
- Information operations amplifying local political divisions or questioning alliance unity.
Whether each event is coordinated or opportunistic, the effect is to keep societies guessing and second-guessing, while raising the perceived cost of supporting certain policies or allies.
4. Long-term “pre-positioning” in foreign infrastructure
Multiple governments and security vendors have reported state-linked groups quietly burrowing into critical infrastructure networks in other countries: targeting routers, VPN appliances, identity providers, management consoles and virtualisation platforms that sit close to the heart of operations.
Often there’s no immediate disruption. Instead, attackers appear to be building a library of footholds that could be used in a future crisis to slow mobilisation, complicate logistics or apply coercive pressure.
5. Regional tit-for-tat in the Middle East and Asia
In several regional rivalries, cyber operations against banks, media outlets, fuel distribution and government portals have been documented alongside drone strikes, proxy conflicts and diplomatic escalations. These campaigns rarely stay completely contained; spill-over to third countries, global companies and internet infrastructure is common.
For defenders, the lesson is simple: even if you’re not a primary geopolitical player, you can be the collateral terrain.
The legal grey zone: norms, red lines and deniability
On paper, many states have agreed to voluntary norms that say you shouldn’t conduct cyber operations that intentionally damage another country’s critical infrastructure in peacetime. In practice, there’s a lot of daylight between espionage, pre-positioning and destructive attack.
Three problems make this space especially messy:
1. Attribution is hard — publicly
Intelligence agencies may have a good sense of who’s behind a campaign, but turning that into evidence you can share without burning sources is difficult. That allows aggressive states to deny, delay, and muddy the waters with counter-accusations.
2. Thresholds for “armed attack” are fuzzy
When does a cyber operation count as the kind of “armed attack” that would justify self-defence under international law or trigger alliance commitments? A short blackout? A hospital disruption? A pipeline leak? States are still working through these thresholds — and hostile actors exploit that ambiguity.
3. Hybrid tactics are deliberately mixed
Cyber operations are rarely standalone. They’re wrapped in legal pressure, economic measures and information campaigns. That makes it harder to point to one act and say: “This is the line you crossed.”
Alliances like NATO have acknowledged that serious cyber operations, including against critical infrastructure, could trigger collective defence. But they also emphasise that responses don’t have to be symmetric or purely military — they can be diplomatic, economic, cyber or a mix, chosen case by case.
Defending in the grey zone: resilience over perfection
If the goal of hybrid campaigns is to keep you permanently off-balance, the counter-strategy is resilience. You can’t prevent every intrusion or outage. You can make sure they don’t break society, paralyse decision-making or shatter alliances.
1. At the national level
- Clear strategy and ownership. Define who leads on critical infrastructure cyber risk: national cyber agencies, sector regulators, defence, intelligence — and how they share information.
- Baseline standards and incentives. Use regulation, guidance and market levers so that operators of essential services adopt modern security practices, not just checkbox compliance.
- Exercises and crisis playbooks. Run national-level drills that blend cyber, physical and information scenarios, not siloed tabletop games.
2. For infrastructure operators and large enterprises
Whether you run a grid, port, hospital network or cloud platform, three themes keep coming up in post-incident reviews:
- Know your “crown jewels”. Which systems would cause real-world harm or strategic impact if compromised? Protect and monitor them differently from the rest.
- Segment like your life depends on it. Limit connectivity between IT and operational technology (OT). Use strong authentication, dedicated management paths and robust monitoring on the bridges.
- Assume breach. Design detection, logging and response as if attackers will get in eventually. The question is how quickly you can see, contain and recover.
- Harden remote access. Many high-impact incidents start with compromised VPNs, remote-desktop services or vendor portals. Reduce exposure, enforce MFA, and keep these systems patched.
- Plan for partial failure, not perfection. How do you operate safely in “degraded mode”? Can you fall back to manual procedures if necessary?
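As an added example (not part of the original article), the following Python script reviews constructed remote-access log lines against three of the controls above: MFA on every vendor or OT session, a single dedicated management path into OT, and OT access outside normal hours flagged for review. The log format, hostnames and account names are assumptions made up for this example.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed policy for this example: the only sanctioned path into OT is the
# dedicated management jump host; any session touching OT, and any vendor
# account, must have passed MFA; OT access outside normal hours is reviewed.
OT_MANAGEMENT_PATH = {"mgmt-jump-01"}
VENDOR_ACCOUNTS = {"vendor-scada-support"}
NORMAL_HOURS = range(7, 19)  # 07:00 to 18:59 local time


@dataclass
class AccessEvent:
    ts: datetime
    user: str
    src_host: str   # host the session came from
    dst_zone: str   # "IT" or "OT"
    mfa: bool


def parse_line(line: str) -> AccessEvent:
    """Parse one constructed log line: '<ISO timestamp> user=... src=... zone=... mfa=yes|no'."""
    ts_str, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    return AccessEvent(datetime.fromisoformat(ts_str), fields["user"],
                       fields["src"], fields["zone"], fields["mfa"] == "yes")


def review(lines):
    """Return (line number, finding) pairs, one per control each event violates."""
    findings = []
    for n, line in enumerate(lines, start=1):
        e = parse_line(line)
        touches_ot = e.dst_zone == "OT"
        if touches_ot and e.src_host not in OT_MANAGEMENT_PATH:
            findings.append((n, "OT reached outside the dedicated management path"))
        if not e.mfa and (touches_ot or e.user in VENDOR_ACCOUNTS):
            findings.append((n, "remote or vendor access without MFA"))
        if touches_ot and e.ts.hour not in NORMAL_HOURS:
            findings.append((n, "OT access outside normal hours"))
    return findings


# Constructed sample log lines (not real data).
SAMPLE_LOG = [
    "2024-03-04T09:15:00 user=ops.alice src=mgmt-jump-01 zone=OT mfa=yes",
    "2024-03-04T10:02:00 user=vendor-scada-support src=vpn-gw-02 zone=IT mfa=no",
    "2024-03-04T02:41:00 user=ops.bob src=wkstn-hr-17 zone=OT mfa=yes",
]

if __name__ == "__main__":
    for n, finding in review(SAMPLE_LOG):
        print(f"line {n}: {finding}")
```

The first line passes all three checks; the vendor login without MFA and the overnight OT session from an HR workstation each produce findings.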
3. For cities, regions and smaller organisations
You may not be a national grid operator — but you are still part of the terrain. Local governments, schools, clinics, logistics firms and MSPs have all been swept into state-linked campaigns or their collateral.
- Stick to the fundamentals. Good identity management, updated software, secure backups and basic incident response planning go a long way.
- Know who you depend on. Map your critical suppliers and service providers, especially in cloud, telecoms and payments. Ask how they handle nation-state-level threats.
- Practice communication. In a hybrid campaign, the story can be as damaging as the outage. Have pre-planned ways to talk to staff and citizens if normal channels are down.
4. For individuals and professionals
Hybrid warfare can feel abstract, but it runs through the tools you use every day: email, messaging apps, navigation, payments, news feeds.
- Strengthen your personal security hygiene: phishing awareness, password managers, MFA, cautious sharing of sensitive workplace details online.
- Be mindful of information operations: accounts that mix truth and falsehood, memes that try to inflame division, “leaked” documents with unclear provenance.
- If you work in a sensitive sector, understand your organisation’s incident plans — don’t wait for a crisis to find out who to call.
The goal isn’t to live in fear of foreign powers. It’s to make sure that when hybrid campaigns happen — and they will — they meet a society that can absorb shocks without cracking.
Data snapshots: sectors & tactics (sample charts)
To visualise the landscape, here are two simple sample datasets that mirror how many threat reports describe state-linked activity: one by targeted sector, one by tactic or objective.
Energy and government frequently top the list in public reporting, followed by telecoms, transport and healthcare — with finance and others not far behind.
Many operations blend multiple aims: intelligence collection, access pre-positioning, disruption options for crises, and information or psychological impact.
FAQs: hybrid warfare & critical infrastructure sabotage
No. Many incidents are caused by financially motivated criminals, accidents or insider mistakes. Hybrid warfare is about strategic context: when activity is tied to state objectives, uses methods typical of intelligence services, or aligns with geopolitical pressure campaigns. From the defender’s point of view, though, strong security and resilience help against all of these.
Not necessarily. International law is still evolving on what kinds of cyber operations qualify as an “armed attack.” Brief, limited disruptions may be treated more like espionage or hostile intelligence activity. Large-scale, destructive attacks that cause loss of life or major physical damage might be seen differently. States tend to weigh technical details, intent, scale and context before making that call.
You shouldn’t panic, but you should plan with an “assume breach” mindset: design monitoring, detection, segmentation and recovery so that if a sophisticated actor gets in, they can’t easily move everywhere or cause uncontrolled damage. That’s increasingly the expectation from regulators and cyber agencies, especially in high-risk sectors.
Not at all. Smaller actors often move faster, coordinate more tightly, and adopt modern practices sooner than large bureaucracies. International support, information-sharing, and smart investments in people and process can meaningfully raise the cost of attacking you — and make you a less attractive target.
There’s no one magic control, but a powerful starting point is to map your critical functions: what you must protect above all else, and what those systems depend on. From there, focus on two things: reducing unnecessary exposure (especially remote access and IT/OT bridges) and improving your ability to detect and contain unusual activity in those key areas.
Most observers expect these tactics to remain part of the geopolitical toolkit, especially as more devices, vehicles and infrastructure are connected. But that doesn’t mean outcomes are fixed. As states, companies and citizens get better at resilience — and as norms and consequences for reckless behaviour become clearer — the cost-benefit calculation for would-be attackers can change.