Three years into the most comprehensive sanctions regime in modern history, Russia’s economy has adapted with disturbing resilience.

Despite Western nations freezing 300 billion euros of Russian Central Bank reserves and imposing restrictions on over 16,000 entities, Moscow’s war machine grinds on.

Russian GDP, whilst 10-12 per cent below pre-invasion trends, grew in 2023 and 2024 thanks to a shift to war economy production. Meanwhile, trade diversion to third countries has “mitigated and may even eliminate the negative primary trade effects” of sanctions.

This underwhelming performance raises uncomfortable questions about the West’s preferred tool of statecraft. If sanctions cannot bring a pariah economy to heel, what can? The answer may have appeared on July 27, when pro-Ukrainian hackers calling themselves Silent Crow crippled Russia’s flagship airline Aeroflot, forcing the cancellation of over 100 flights and causing millions in losses within hours.

The immediate effect

Unlike sanctions, which require months or years to bite, cyber warfare delivers results with brutal efficiency. The Aeroflot attack, which allegedly destroyed 7,000 servers and compromised 22 terabytes of data, cost the airline an estimated six million US dollars in a single day. The hackers had spent nearly a year infiltrating the airline’s systems, gaining access to everything from reservation platforms to security monitoring tools.

The symbolic value was equally potent. Here was Russia’s national carrier—a symbol of state prestige—brought to its knees by a handful of anonymous hackers operating from safe havens. Passengers stranded at airports provided vivid imagery of state failure that no amount of diplomatic protest could achieve.

Such direct action represents warfare’s evolution beyond kinetic operations. Small groups of highly skilled malware developers can as effectively impact global politics and cyber warfare as large governmental agencies.

The playing field has levelled: cyber capabilities require software, not the massive military-industrial complex that smaller nations lack.

Rethinking coercion

Traditional sanctions suffer from fundamental design flaws. They rely on economic interdependence that savvy autocrats can sever, as Russia demonstrated by reorienting oil exports to Asia and transacting in national currencies. They also depend on multilateral cooperation that fractures under pressure—witness China (and others) serving as willing substitutes for sanctioned Western goods.

Cyber operations sidestep these limitations. They can be conducted unilaterally, without requiring complex international coalitions or enforcement mechanisms.

Attribution difficulties provide plausible deniability, allowing states to pursue aggressive policies without formal accountability. Most crucially, they target the digital infrastructure upon which modern societies depend, making them harder to circumvent than trade-based measures.

The United States has already recognised this shift. Since 2015, the Treasury Department has issued 311 cyber-related sanctions, with the largest numbers targeting Russia (141), Iran (112), and North Korea (18).

Yet these remain traditional sanctions applied to cyber actors, rather than cyber actions themselves.

The ethics of digital warfare

Such direct cyber intervention raises profound moral and legal questions. International humanitarian law struggles with cyber warfare, as it was designed for conflicts involving “destruction, bloodshed, and casualties”.

Cyber attacks are “disruptive more than destructive,” challenging traditional frameworks that equate aggression with violence.

The targeting of civilian infrastructure particularly complicates matters. The interconnectedness of cyberspace makes it “difficult to fully separate protected individuals from the rest of the cyber-battlefield”. When hackers disable an airline’s systems, they harm innocent passengers alongside state interests.

However, cyber warfare may paradoxically be more ethical than kinetic alternatives. Cyber attacks “are likely to incur only economic damages from broken computer systems, as opposed to physical harm to innocents”. They offer the possibility of “reversible effects,” unlike conventional weapons.

The Aeroflot attack, devastating as it was, caused no deaths and could theoretically be undone through system restoration.

A new doctrine

Sanctions will not disappear; they remain valuable for signalling disapproval and constraining specific activities. But they must evolve beyond their 20th-century origins. A hybrid approach combining traditional economic pressure with targeted cyber operations could prove more effective than either alone.

Such operations would require careful escalation management. Unlike conventional warfare, cyber operations’ large decentralisation and scale make them extremely difficult to direct from a policy perspective. States would need new frameworks distinguishing between acceptable disruption and unacceptable escalation.

International law must also adapt. Current interpretations struggle to regulate cyber attacks occurring “outside an existing international armed conflict,” as there is “no fixed parametre to determine which cyberattack rises to the ‘level of an armed conflict'”.

Clear rules of engagement are essential to prevent digital conflicts from spiralling into broader warfare.

The escalation trap

Cyber warfare’s apparent advantages come with considerable risks. Russia possesses formidable offensive capabilities, having demonstrated its reach through attacks on everything from Ukrainian power grids to American election systems.

Moscow’s hackers could retaliate against Western airlines, financial institutions, or critical infrastructure with devastating effect. The asymmetric nature of cyber conflict means that authoritarian states, less dependent on open digital systems, may possess inherent defensive advantages.

Moreover, cyber defence evolves rapidly. Aeroflot’s systems will presumably be far more secure after this attack, having learned painful lessons about password policies and network monitoring. The hackers’ year-long infiltration suggests such operations require enormous patience and resources—investments that become worthless once discovered.

Unlike sanctions, which can be maintained indefinitely, successful cyber operations often burn themselves out, forcing attackers to begin again from scratch against hardened targets.

Too far, or not far enough?

Indeed, critics will argue that cyber warfare represents a dangerous escalation, potentially triggering responses that dwarf the original provocation. The interconnected nature of digital systems means that attacks can cascade unpredictably, affecting infrastructure far beyond their intended targets.

However, the alternative—accepting sanctions’ limited effectiveness—may prove more dangerous still. If economic coercion cannot constrain rogue states, they may conclude that aggression carries acceptable costs. The West’s credibility depends partly on its ability to impose meaningful consequences for norm violations.

The Aeroflot attack suggests a middle path: surgical strikes against specific targets that impose immediate costs whilst avoiding broader escalation. Such operations would complement rather than replace traditional sanctions, adding precision and urgency to the West’s coercive toolkit.

The digital age demands digital solutions. As warfare evolves beyond kinetic operations, so too must the instruments of statecraft. The question is not whether cyber operations will become commonplace—they already have—but whether democratic states will develop them responsibly, or cede the field to less scrupulous actors.

In an era where servers matter as much as tanks, perhaps it is time to update the arsenal accordingly.

Photo: Dreamstime.