Russia-Ukraine War: The Cyber Dimension

James Coker investigates the cyber-dimension in the Russia-Ukraine war and the implications for the global cyber landscape

The ongoing Russia-Ukraine war continues to send shockwaves throughout the world – a highly publicized and brutal conflict in the heart of Europe that carries the constant threat of escalating beyond the current combat zone.

In many respects, the events reinforce the true nature of war – death and destruction caused by bombs and bullets. This has rightly provided a reality check on the role of cyber in modern warfare – a supporting and even peripheral part of proceedings rather than the centerpiece, as some have previously envisioned. This even applies to Russia, a country strongly associated with malicious cyber activity against other nation-states over many years, and a country demonstrating daily that cyber weapons are not on par with the damage done by real-world ammunition, bombs and firearms.

Craig Terron, global issues team, Insikt Group, part of Recorded Future, observes: “There’s been the speculation that cyber-attacks are like nuclear bombs when they’re really not; trains aren’t going to explode based on cyber-attacks.”

Brian Honan, CEO of BH Consulting, concurs that some of the most dramatic predictions about the use of cyber in this war have proven unrealistic. “What this war has shown so far is that the dire predictions of cyber armageddon have not come true.”

Nevertheless, the cyber aspect of the Russia-Ukraine conflict is certainly not unimportant. Honan points out that there has essentially been a cyber-battle raging between Russia and Ukraine since 2014, following the annexation of Crimea. Incidents have ranged in significance, from electrical power grids being taken down in parts of Ukraine in 2016 to frequent low-level distributed denial of service (DDoS) attacks.

Information Warfare

Both in the build-up to the current conflict and since it began, cyber activity has primarily revolved around disinformation and influence operations. Honan notes: “One of the first casualties of war is the truth; it’s a very old and true saying. If you can disrupt people’s abilities to get information from official sources, you can cause confusion or lack of morale on the other side.”

The build-up to Russia’s invasion on February 24 saw numerous DDoS attacks and website defacements targeting the Ukrainian government and critical services. These sometimes included sinister and threatening messages being posted on the sites. For example, just before the Ukrainian Ministry of Foreign Affairs and Education Ministry websites were taken down on January 14, a message appeared: “Ukrainians! … All information about you has become public. Be afraid and expect worse. It’s your past, present and future.”

Russia has also been very active in attempting to control the narrative around the conflict, both at home and abroad. The Kremlin has severely limited the number of outside influences reporting within Russia, including banning social media sites like Facebook and numerous international media organizations. Theresa Payton, CEO and president of Fortalice Solutions and former White House CIO, says: “[Russia] has been effective in shutting down access to outside influences such as social media and messaging apps and have used their country’s media and social media platforms to control the narrative at home but also to push a narrative in Ukraine.”

She adds: “Their social media ‘dezinformatsiya’ playbook is incredibly effective in swaying Russian citizens’ public opinion on various issues, including the invasion of Ukraine. The Russian playbook is so masterful that Latvia used to have a television show with a feature that recaps the week in ‘Russian lies.’”

However, the Kremlin’s influence operations have been effectively countered by the Ukrainian government and its supporters. For example, daily video addresses from Ukrainian President Volodymyr Zelensky have been published on social media, and the government has produced a constant stream of propaganda videos and images, including the memorable footage of Russian tanks being dragged away by Ukrainian tractors. Such media campaigns “have been morale-boosting for the Ukrainians and have a demoralizing impact on the Russian side,” says Honan.

The Ukrainian government has been aided in the information battle by numerous individual hackers and groups. One of the most prominent groups to declare its support for Ukraine and a “cyber-war” against Vladimir Putin’s government is the hacktivist collective Anonymous, which has been very active since the conflict began. This group, which has targeted numerous governments and other entities for actions it does not agree with over the past decade, has reportedly taken down Russian government and state-affiliated news channel websites and even managed to stream independent coverage of the war on Russian TV channels.

It also apparently leaked the personal details of 120,000 Russian soldiers, which helped Ukrainians directly contact them and their families. “Such attempts are a good psyops opportunity, showing that no one is untouchable or invulnerable, and in combination with other activities on all fronts of the war, this helps,” notes Sam Curry, CSO at Cybereason.

Honan agrees that the impact of such activities should not be underestimated: “I think the lessons we have learned from this war so far have been that information is a very effective weapon when wielded properly. Russia has not been able to counteract the online information war.”

A Ramping Up of Cyber Activity?

While Russian threat actors have launched several data wiper malware attacks during the crisis, including a major one impacting hundreds of machines in Ukraine on the eve of the invasion, large-scale cyber incidents have been surprisingly few in number to date. This may be partly explained by the resilience of Ukraine’s cybersecurity posture, hardened by years of Russian state-sponsored attacks. “Partly why we haven’t seen those massive attacks is because Ukraine’s cyber defense has been strong with some support from the West and NATO,” states Insikt Group’s Terron.

Nevertheless, there are signs that Russian cyber-threat actors are ramping up their targeting of Ukrainian critical infrastructure. Notably, in April, an attempt to deploy a new version of the Industroyer malware against a Ukrainian energy supplier was thwarted by cybersecurity vendors in collaboration with the Ukrainian Computer Emergency Response Team (CERT-UA). The Russian-affiliated Sandworm APT group previously used Industroyer to cut power in Kyiv, Ukraine, in 2016. If the recent attempt had been successful, power would have been cut to a large part of Ukraine.

Will we see an escalation in these types of attacks as the conflict continues? Cybereason’s Curry speculates that Russia may be playing a waiting game, stalling until the opportune moment to strike: “I was initially surprised at how the Russian sovereign offensive cyber forces weren’t deployed fully. On reflection, it makes more sense. Some have speculated that they don’t have the capacity, which is not true. They have demonstrated with attacks like NotPetya and Sunburst that they have the capability. It’s far more likely that Russia is holding its cyber forces as a strategic reserve. But it also begs the question of what can be done, and has cyber moved higher on the escalation ladder?”

A Cyber Spillover?

Of course, cyber is a domain that does not recognize or require borders. Given the West’s powerful response to the Kremlin’s invasion, including unprecedented economic sanctions and supply of military hardware to Ukraine, there are concerns that organizations in NATO countries will face a major cyber offensive from Russian cyber-threat actors.

So far, however, this has not come to pass. According to Insikt Group’s Terron, we are seeing something of a “stand-off” between Russia and the West, with both sides warning the other against launching cyber strikes. “At the minute, it seems there’s very much this stand-off, watching to see who’s going to attack first and then it could escalate from there.”

It is a situation that has the potential to explode, leading to cyber exchanges between the West and Russia. This is why national cybersecurity agencies such as the UK’s National Cyber Security Centre (NCSC) and the US’ Cybersecurity and Infrastructure Security Agency (CISA) have repeatedly warned organizations to prepare for increased attacks from Russia.

There is also the constant risk of ‘spillover’ attacks affecting organizations anywhere in the world. This has been shown in the past with major malware attacks like WannaCry and NotPetya, which have damaged organizations far beyond the actual target. This issue has already occurred in the current conflict, with the data wiper malware launched against Ukraine on the eve of the invasion spilling over into neighboring Latvia and Lithuania.

Over the medium to long term, the global cyber-threat landscape is likely to become more dangerous due to the events in Ukraine, even once the conflict has ended. It seems inevitable that there will be a period of heightened hostilities and tensions between Russia and its allies and the West, increasing the likelihood of nation-state cyber activity. Dr Tom Watson, director of intelligence content at Dragos, expresses concern about increased threats to critical infrastructure organizations to disrupt operations and gather intelligence.

The latter, he explains, is particularly difficult to detect, as demonstrated by the SolarWinds incident in 2020. “States and even non-state organizations dedicate time, effort and energy to conducting complex espionage campaigns. Typically, those espionage campaigns happen while we’re sleeping; we don’t know that they’re happening,” he notes.

In addition, Terron expects notorious cyber-criminal groups operating in Russia to be given more free rein by the Kremlin to operate going forward. While there were signs earlier this year that the Russian government was cracking down on the activities of these gangs, including the arrest of members of REvil, the new geopolitical landscape is likely to curtail such actions. “I think the types of attacks we see from cyber-criminals based in Russia are only going to escalate,” he comments.

Terron also notes that the Russia-Ukraine conflict has seen “a resurgence of hacktivist activity,” including the actions of Anonymous. This could prompt a new wave of hacktivist activity in the future, “not just against Russia’s war against Ukraine, but other issues they feel passionately about.” A number of organizations and governments could be in the firing line for such activities.

New Security Advice for Organizations?

Despite these concerns, the overwhelming consensus among experts is that businesses shouldn’t panic. However, they should be extra vigilant and double down on current guidance. Dragos’ Watson believes critical infrastructure organizations should place a renewed emphasis on detecting and preventing initial access into systems, “as once initial access is achieved, the adversaries have capabilities to do much more – enumerate file systems, move laterally across file systems and move deeper into the infrastructure and operational technology.” Therefore, ensuring continuous monitoring, such as log file auditing, can help prevent incidents like SolarWinds from occurring.
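The log-file auditing Watson describes is about catching the initial-access stage before an adversary can enumerate and move laterally. The following is an added example, not code from the article or from Dragos, of what such an audit looks like in practice: it parses constructed OpenSSH-style authentication log lines and flags two classic initial-access indicators, a burst of failed logins from one source followed by a success, and a successful login for an account from a source outside its known baseline. The log format, the year assumed when parsing timestamps, the thresholds and the baseline of expected sources are all assumptions chosen for the demonstration.

```python
"""Added example (not from the article): a minimal audit over sshd-style
auth log lines that flags indicators of initial access. The log format,
thresholds and baseline below are hypothetical; adapt them to your sources."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines modelled on OpenSSH syslog output; not real data.
SAMPLE_LOG = """\
Mar 01 02:10:01 web1 sshd[1201]: Accepted publickey for deploy from 10.0.0.5 port 51000 ssh2
Mar 01 02:11:14 web1 sshd[1210]: Failed password for admin from 198.51.100.7 port 40001 ssh2
Mar 01 02:11:15 web1 sshd[1211]: Failed password for admin from 198.51.100.7 port 40002 ssh2
Mar 01 02:11:16 web1 sshd[1212]: Failed password for admin from 198.51.100.7 port 40003 ssh2
Mar 01 02:11:17 web1 sshd[1213]: Failed password for admin from 198.51.100.7 port 40004 ssh2
Mar 01 02:11:18 web1 sshd[1214]: Failed password for admin from 198.51.100.7 port 40005 ssh2
Mar 01 02:11:20 web1 sshd[1215]: Accepted password for admin from 198.51.100.7 port 40006 ssh2
Mar 01 03:30:44 web1 sshd[1300]: Accepted publickey for deploy from 10.0.0.5 port 51010 ssh2
Mar 01 03:45:02 web1 sshd[1310]: Accepted password for deploy from 203.0.113.9 port 33000 ssh2
"""

# Matches the "Accepted"/"Failed" lines sshd writes for each login attempt.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_auth_log(text):
    """Parse lines into dicts; lines that do not match the pattern are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            # syslog timestamps carry no year; 2024 is assumed for the demo
            ev["ts"] = datetime.strptime("2024 " + ev["ts"], "%Y %b %d %H:%M:%S")
            events.append(ev)
    return events


def audit_initial_access(events, fail_threshold=5, window_seconds=120, known_sources=None):
    """Return a list of (rule, user, src) findings.

    Rule 1: at least fail_threshold failures for one (user, src) pair within
            window_seconds immediately followed by a success.
    Rule 2: a successful login for a user from a source absent from the
            known_sources baseline ({user: set_of_sources}).
    """
    known_sources = known_sources or {}
    findings = []
    recent_fails = defaultdict(list)  # (user, src) -> timestamps of failures

    for ev in events:
        key = (ev["user"], ev["src"])
        if ev["outcome"] == "Failed":
            recent_fails[key].append(ev["ts"])
            continue

        # A success: keep only failures inside the window, then test the threshold.
        fails = [t for t in recent_fails[key]
                 if (ev["ts"] - t).total_seconds() <= window_seconds]
        if len(fails) >= fail_threshold:
            findings.append(("brute_force_then_success", ev["user"], ev["src"]))
        recent_fails[key] = []

        if ev["src"] not in known_sources.get(ev["user"], set()):
            findings.append(("login_from_unknown_source", ev["user"], ev["src"]))
    return findings


def run_sample():
    """Run the audit over the constructed log with a constructed baseline."""
    baseline = {"deploy": {"10.0.0.5"}}  # hypothetical list of expected sources
    return audit_initial_access(parse_auth_log(SAMPLE_LOG), known_sources=baseline)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

On the sample above the audit reports the password-guessing run against `admin` followed by its success, the same `admin` login as coming from an unknown source, and the `deploy` login from 203.0.113.9 that is outside the baseline, while the routine `deploy` key logins from 10.0.0.5 stay silent. The point of the baseline rule is that a brute-force pattern is only one shape of initial access; stolen credentials or a compromised vendor account produce a clean first-try success, and that is the case the known-source comparison exists to catch.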

Watson adds that any connections into or within the organization should be reinforced with multi-factor authentication (MFA) – a basic measure often neglected.

Cybereason’s Curry also believes organizations should ensure their employees are in a heightened state of readiness to quickly respond to cyber-attacks at this time. “Be on high alert. Call the employees or associates that you call for in a crisis and have them ready because they may get called in multiple directions in a crunch. If you don’t have anyone on your staff filling this role, call any cyber people you know and seek their advice,” he states.

Honan concurs, urging all organizations to regularly review and practice their incident response procedures. “Are your incident response capabilities at the level you need?” he asks.

Another area businesses should be particularly conscious of at this time is their supply chain and ensuring contingency plans are in place if any part is located in Russia or Ukraine. Honan advises: “Check your supply chain as well because you may have outsourced certain parts to companies, and they may, in turn, have outsourced to organizations based in Russia or Ukraine.”

Honan concludes: “Up your game – make sure you have the basics in place and check and verify they are working as expected.”

Cyber has undoubtedly played a significant role in the Russia-Ukraine conflict, but its impact should not be overstated when compared to the devastation caused by traditional military weapons. The cyber domain has primarily focused on influence and information operations so far, but there is undoubtedly the potential for escalation. For organizations outside of the conflict zone, particularly in Western countries, cybersecurity advice has not fundamentally changed, although increased vigilance is highly advisable in such a fast-moving situation.


Five Tips to Boost Cyber Protection in the Current Geopolitical Landscape:

  1. Increase monitoring of initial access points, such as log files and data historians
  2. Be on high alert for cyber-attacks and review incident response procedures
  3. Check if any part of your supply chain is located in Russia or Ukraine, and make contingencies
  4. Minimize new, risky IT projects until the situation has stabilized
  5. Don’t panic! Ensure you double down on the basics
