Russia is home to some of the world’s most infamous criminal hackers, some of them state-sponsored, so will wider cyberattacks follow the real-world invasion? And could they hit the West?

“I think the risk right now is high and rising,” said Derek Vadala, chief risk officer at the U.S. cyber risk ratings firm BitSight, who warned that Western companies should ensure their systems are patched against known vulnerabilities. “Everyone is on a heightened state of preparedness right now.”

On Wednesday, before Putin declared war and the bombing began, distributed denial-of-service (DDoS) attacks pummeled the websites of Ukraine’s Defense Ministry and one of its major commercial banks, PrivatBank. Such attacks flood the victim’s servers with connection requests, causing them to seize up as they would if millions of genuine people tried to log on at once.

Meanwhile, researchers at security firms ESET, Symantec, and SentinelOne said they had discovered a kind of “wiper” malware—which erases the contents of targeted Windows computers—circulating in Ukrainian organizations.

NetBlocks, an internet-monitoring business based in London, also noted “significant disruption” in some Ukrainian internet services after the overnight attack began, though director Alp Toker told Fortune the root cause was likely “kinetic”—in other words, the result of missile strikes and other physical, rather than cyber, attacks.

But whatever is taking place in Ukraine, the West is bracing for cyber-spillover.

‘Historical pattern of cyberattacks’

Western governments and agencies are worried about potential cyberattacks hitting their turf. The U.K.’s National Cyber Security Centre, a division of the GCHQ spy agency, said Tuesday that British organizations should “bolster their online defenses” as ”there has been an historical pattern of cyberattacks on Ukraine with international consequences”—a likely reference to the “NotPetya” ransomware attack that in 2017 targeted Ukrainian companies and organizations before causing havoc across the world.

The Department of Homeland Security this week also launched a “shields up” drive to protect the U.S.’s critical infrastructure from Russian actions, warning companies they are at risk. The FBI and Homeland Security have previously accused “Russian government cyber actors” of targeting American energy, nuclear, water, and other sectors.

Vadala told Fortune the main risk for now is collateral damage, as seen in the NotPetya attack, rather than deliberate attacks against Western organizations. “It would be unlikely that Russia would respond [to sanctions] with direct cyberattacks that could have direct or physical impact on non-Ukrainian targets,” he said. That doesn’t mean, though, that “actors associated with the Russian government,” such as criminal gangs, won’t step up ransomware campaigns and the like.

“I think the U.S. government will be very focused on understanding, if something does occur, whether it’s collateral or direct,” Vadala said. “In the last couple of years, [the government’s] focus on attribution has been more precise, and I think that will continue here, just given the stakes.”

Indeed, while attributing cyberattacks has long been difficult owing to the ease with which attackers can cover their tracks, the U.S. has become increasingly confident about pointing fingers.

In 2016, the government blamed Russia for the hacking of the Democratic National Committee—an incident that led to the leaking of embarrassing emails and may have gone on to influence the outcome of that year’s election. Two years later, the U.S. and its allies pinned the NotPetya attack on Russia, and at the start of 2021, U.S. intelligence said Russia was probably behind hacks on the federal government and U.S. corporations.

The big question now is what kind of response the West might have in store if Russia is found to be launching fresh cyberattacks in the wake of its Ukraine invasion.

Impact thresholds

“In general, cyberattacks in context of an armed conflict are quite poorly studied,” said Lukasz Olejnik, a cybersecurity consultant and former cyber-warfare adviser at the International Committee of the Red Cross in Geneva.

Olejnik, who has long been tracking the debate around potential retaliatory measures, said there are no precedents to go on, but “it is conceivable that high-impact cyberattacks may result in retaliation and a response.”

“To warrant a legal response, the effects of cyberattacks should be similar to serious retaliation-triggering non-cyber operations, that is, traditional kinetic operations,” Olejnik said. “So we are speaking about effects comparable to very serious and prolonged disruption of key systems or infrastructure, possibly cyberattacks with physical effects such as explosions or lethal effects.”

NATO has maintained for the past 15 years that a cyberattack on one of its members could constitute an assault, and equivalence with a kinetic attack has since been seen as the threshold for viewing it that way. However, last year the defensive organization appeared to widen its definition of what sort of cyberattack might merit a collective response, in a communiqué that said “the impact of significant malicious cumulative cyber activities might, in certain circumstances, be considered as amounting to an armed attack.”

In other words, it may be that multiple “low-impact cyber incidents” could be taken by NATO as cause for retaliation. This is all still a gray zone, with no formal protocols to draw on—at least, none that are public. If cyberattacks escalate beyond Ukraine in the near term, Putin may force the world to clarify its rule book for this aspect of modern warfare.