Over the past month, the U.S. government, NATO and European allies and partners have all sounded the alarm over the looming threat of a possible Russian invasion of Ukraine paired with destructive cyberattacks. And as President Vladimir Putin continues to levy threats at Washington and engages in behind-the-scenes diplomacy over the role of NATO and Western influence on its borders, experts are gaming out the likelihood that the dispute could spill over into cyberspace.
With more than 100,000 Russian troops amassed along Ukrainian borders, governments and private threat intelligence companies have laid out a frightening scenario wherein an invasion is met with potentially crippling sanctions against Russia’s economy, its financial system and elites with U.S. or European business interests, which in turn spurs retaliatory cyberattacks by Russia against Western businesses and critical infrastructure.
In news first reported by CNN, the U.S. Department of Homeland Security circulated an intelligence bulletin which raised the specter of possible Russian cyberattacks against the United States and other countries who may seek to impose economic sanctions, while the U.K.’s National Cyber Security Centre released its own advisory which “encouraged” its domestic industries to bolster the cybersecurity resilience of their networks as tensions continue to mount.
But what do these alerts mean, really? Experts are still grappling with varying levels of uncertainty around each link in that chain of events and how likely such attacks are to extend beyond entities in Ukraine. The advice given to U.K. organizations by the NCSC — including keeping system patches up to date, enabling multi-factor authentication, ensuring backups are in place and implementing an “effective” incident response plan — is certainly sound advice, but represents basic cybersecurity guidance that isn't specific or unique to Russian cyber operations.
Jake Williams, a former NSA hacker and now co-founder and chief technology officer at BreachQuest, told SC Media that while he views Russian hostilities in Ukraine as “almost certain” at this point, there “seems to be a lack of credible information about what precisely the [cybersecurity] risk is” to U.S. and Western companies and what to do about it.
“I think western governments are providing general warnings rather than signaling they know anything specific,” Williams told SC Media in an email. “In any case, it's not immediately clear what actions most western organizations should take even if there were credible information that cyberattacks against Ukraine by the Russian government were imminent.”
Abundant concerns, little certainty
In the past week, officials in Ukraine — including President Volodymyr Zelensky — have pushed back on the growing Western consensus that a Russian invasion is imminent and criticized the U.S. and other international partners for engaging in “alarmism” that isn’t backed up by facts on the ground. It should be noted that this is not considered a universal view among the Ukrainian political establishment.
In some business quarters the possibility of Russia hitting U.S. organizations in a retaliatory cyberattack is being treated as a fait accompli. One company sent SC Media unsolicited quotes this week from an executive who cited the DHS bulletin last week and characterized U.S. companies as “facing imminent threat of cyberattack” due to escalation in Ukraine.
One thing is clear: the likely and primary victims of a Russian invasion and cyber operations will be Ukrainian society, its citizens and businesses. Beyond that, international policy analysts and some cybersecurity experts in the U.S. have painted a less certain picture about who else may get swept up in the wake, though several said that companies with offices in Ukraine or who do business in the country should take extra precautions.
A briefing hosted by the Center for Strategic and International Studies Tuesday included in-depth updates about ongoing movement by Russian troops, tanks and artillery around Ukrainian borders. It also raised the possibility that organizations in Europe and the U.S. could find themselves in the crosshairs of Russian hackers if subsequent U.S. or Western sanctions are levied on Moscow.
Rachel Ellehuus, deputy director, Europe, Russia and Eurasia program at CSIS, said there has been “a lot of discussion on cyber” among U.S. and Western allies and partners, who will meet next week to game out and coordinate a defensive strategy in the event of Russian cyber attacks against Ukraine and other targets in Europe.
“There is this sense that part of the Russian aggression will build on some sort of a cyberattack, so there’s been a lot of engagement…between the U.S. and NATO and allied partners next week on cybersecurity in four areas: aviation, water safety, energy and financial services,” Ellehuus said. “I think I see a lot of proactive thinking here about the types of vulnerabilities that exist in Europe that could be compromised if Russia takes this next step.”
Like much of the analysis around this issue, the briefing was prefaced by multiple disclaimers that a Russian invasion of Ukraine, while expected, is not guaranteed. Ellehuus also said she wanted more “clarity” on what specifically would constitute an invasion and trigger sanctions from the U.S. and other countries.
Beyond Ukraine, a messy picture
Entities in Ukraine are already facing destructive attacks like the WhisperGate malware and will almost certainly be at the center of future actions in cyberspace. But opinions diverge on how certain those actions are to spread to other countries and their infrastructure.
Researchers with CrowdStrike have assessed that the potential for such attacks to explicitly target entities outside of Ukraine is “unlikely” at this point but “cannot be completely discounted.” They point to NotPetya, the Russian-developed malware which quickly spread from tax companies in Ukraine to some of the largest businesses in the world in 2018, as a prime example of Moscow’s willingness to conduct widespread damaging attacks. However, while the malware had no guardrails to prevent it from quickly jumping to entities outside Ukraine, cybersecurity experts are divided on whether the Russian government intended for the malware to spread as broadly as it did.
“Destructive attacks intentionally targeted at organizations outside the country — such as those headquartered within countries supportive of Ukraine’s position against Russia, including the U.S. and those in Europe — cannot be completely discounted, although this is assessed as an unlikely scenario due to the risk of uncontrolled escalation of international tension and punitive measures, including direct retaliatory actions by other governments,” the company wrote in a Jan. 28 blog. “However, the incidental targeting of international businesses operating within Ukraine may be used by Russian-nexus adversaries to dissuade business operations and investment and destabilize the local economy.”
Mandiant, another threat intelligence firm, took the rare step of publishing a 45-page document this month detailing proactive guidance on hardening systems against destructive attacks “in light of the crisis in Ukraine.” The guidance was previously only available to paying customers, but the company felt the possibility of spillover or retaliatory cyberattacks warranted broader sharing with the public.
John Hultquist, vice president of intelligence at Mandiant, told SC Media that while it is possible that these activities will be restricted to Ukraine, history shows there is little doubt that Moscow has the capacity and willingness to leverage cyberattacks against a broad set of targets or countries in international disputes.
“I think that there are some people who think there’s a high threshold that Russia has for carrying out cyber activity; I simply don’t agree with that. This activity is useful because it’s non-violent and because it’s reversible,” Hultquist said. “I also don’t think Russia is particularly reserved in using this capability. They’ve targeted our elections once, they attempted to do it a second time…there were no massive repercussions. We’re probably not going to go to war with Russia over a cyberattack and that means it’s a tool to put pressure on the U.S. without risking all-out war.”
Hultquist singled out the energy, water, transportation and logistics sectors as particularly vulnerable targets in this scenario. He flagged destructive malware like the kind used in the WhisperGate wiper attacks earlier this month, as well as software supply chain attacks that compromise a broad range of targets, as activities that fall in line with previous Russian hacking campaigns.
One piece of advice Williams offered for businesses was to focus on securing virtual private networks that connect with Ukrainian businesses and other organizations, putting enhanced filters in place for network traffic coming from SMB ports, remote desktop protocol and remote procedure calls, as these have often been used by Russian hackers to conduct lateral movement across different businesses.
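As an added illustration of the filtering Williams describes (example code, not from the article or from BreachQuest), the script below reviews constructed flow-log lines and flags connections arriving over a partner VPN that hit the SMB, RDP or RPC ports; the log format, the VPN address range and the allow-list are assumptions.

```python
"""Flag SMB/RDP/RPC flows arriving over a partner VPN link.

Parses constructed flow records in an assumed "ts src dst dst_port proto"
format and reports those coming from the partner VPN range that reach the
lateral-movement ports named in the article.
"""
import ipaddress

# Well-known ports for the protocols the article says to filter.
LATERAL_MOVEMENT_PORTS = {
    135: "RPC endpoint mapper",
    139: "SMB over NetBIOS",
    445: "SMB",
    3389: "RDP",
}

# Hypothetical address range assigned to the site-to-site VPN with a partner.
PARTNER_VPN_NET = ipaddress.ip_network("10.77.0.0/16")

# Hypothetical exception: one partner jump host is permitted to use RDP.
ALLOWED = {("10.77.4.10", 3389)}


def parse_flow(line):
    """Split one constructed flow record into its fields."""
    ts, src, dst, port, proto = line.split()
    return {"ts": ts, "src": ipaddress.ip_address(src), "dst": dst,
            "port": int(port), "proto": proto}


def flag_partner_lateral_movement(lines):
    """Return (ts, src, dst, port, protocol name) for each flow to review."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        if flow["src"] not in PARTNER_VPN_NET:
            continue  # not from the partner VPN; out of scope here
        if flow["port"] not in LATERAL_MOVEMENT_PORTS:
            continue  # ordinary traffic (e.g. HTTPS) is not flagged
        if (str(flow["src"]), flow["port"]) in ALLOWED:
            continue  # explicitly approved exception
        findings.append((flow["ts"], str(flow["src"]), flow["dst"],
                         flow["port"], LATERAL_MOVEMENT_PORTS[flow["port"]]))
    return findings


# Constructed sample flow log (not real traffic): ts src dst dst_port proto
SAMPLE_FLOWS = """\
2022-02-01T10:00:01Z 10.77.3.21 192.0.2.15 445 tcp
2022-02-01T10:00:02Z 10.77.3.21 192.0.2.15 443 tcp
2022-02-01T10:00:03Z 10.77.4.10 192.0.2.40 3389 tcp
2022-02-01T10:00:04Z 10.77.9.8 192.0.2.40 3389 tcp
2022-02-01T10:00:05Z 198.51.100.7 192.0.2.15 445 tcp
2022-02-01T10:00:06Z 10.77.3.21 192.0.2.16 135 tcp
""".splitlines()

if __name__ == "__main__":
    for finding in flag_partner_lateral_movement(SAMPLE_FLOWS):
        print(finding)
```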