While the United States continues to send billions of dollars in military aid to support Ukraine in its fight against Russia, an unseen parallel conflict has simultaneously been taking place in cyberspace.
At the very start of the conflict, the Biden administration earmarked $10 billion in emergency funding from Congress in aid, including support of Ukraine’s cyber defenses, plus $28 million to bolster the FBI’s response to Russian cyber threats stemming from the war in Ukraine.
Even criminal cyber groups are joining in the escalating cyber conflict. The romantically-named Belarusian Cyber Partisans, for example, were previously known as the Belarusian Railway Ransomware gang. Early in the conflict, the Cyber Partisans used a back-door vulnerability they had identified while conducting a previous ransomware scam to take down the systems running the Belarusian national rail system, thus forcing Belarus to manage its national rail system manually and crucially delaying the delivery of much-needed arms, supplies and food rations to the Russian forces fighting in the Ukraine.
But not all cyber groups are pro-Ukraine. The Conti group, the most active of the international ransomware gangs, who were last year alone responsible for 505 major cyber-attacks on financial institutions in the United States, has already threatened America with “retaliatory measures” for its support of Ukraine. However, close to the start of the conflict, a Ukrainian cyber researcher managed to hack extremely sensitive data from Conti, thereby allowing the authorities to identify the gang’s ringleaders. Unfortunately, Conti has since regrouped.
As in the conflict taking place on the ground, hundreds of thousands of ordinary citizens have joined the fight. Viktor Zhora, deputy chief of Ukraine’s State Service of Special Communication and Information Protection, estimates that Ukraine’s volunteer IT ‘international brigade’ now includes up to 400,000 specialists from Ukraine and beyond. Members are largely recruited via Telegram with potential recruits given a free VPN line via a cooperation with ClearVPN to ensure their anonymity. Cohorts of these cyber recruits are now executing DDoS attacks on Russian targets, such as those recently conducted by the pro-Ukrainian Georgian group, BlackHawk. Conversely, the pro-Russian hacking group, The Red Bandits, have been systematically leaking all the sensitive Ukrainian intelligence they can lay their hands on.
Telegram has become a battlefield as well as a recruiting ground in the ongoing cyber conflict. Pro-Russian hacking groups have begun to orchestrate phishing campaigns that focus on important people in sectors such as healthcare, finance, utilities, and aviation. Today’s professional phishing scams can take weeks or even months to execute and we have yet to see their eventual impact. It’s still early in the global cyber conflict now starting to take place, with both sides testing one another’s defenses before a full attack. The consequences of such an attack could include widespread power outages in major American cities, hacked banks having to bar their doors to customers, and airports across the country grinding to standstill.
As yet, there have mercifully been no real full-scale attacks impacting the ordinary lives of Americans. One reason that Putin may so far have held back from using Russia’s full cyber capability for a full-scale attack in the U.S. has been a result of mutual uncertainties, shared by the U.S., about when a cyber-attack becomes serious enough to trigger the alliance's Article 5, which says that an attack against one NATO nation constitutes an attack against all.
Given the Russian leader’s increasingly reckless policy of aggression, such attacks are considered likely in the future. In an ironic parallel to the very real fight going on in cities such as Kyiv, American organizations must now shore up their cyber defenses against pro-Russian hackers. As many of the world’s most infamous hacker groups work out of Russia with the blessing of the state, it's often hard to distinguish criminal gangs from politically-motivated state-sponsored hacker groups, who frequently pose as criminals to give President Putin a spurious plausible deniability.
To defend themselves from such threat actors, organizations must make their staff fully aware of the constant danger of a full-fledged cyber-attack and stress the importance of not opening attachments in unsolicited emails, and also treating any social networks to which they personally belong with extreme caution, as they are often infiltrated by Russian hackers.
Organizations in vulnerable sectors should invest in proactive intelligence gathering. Ideally, this involves taking the fight to Russia’s cyber gangs by infiltrating the secret forums and chat rooms in the dark web and on Telegram, where they are now planning and orchestrating potentially devastating cyber-attacks on the United States.
Shmuel Gihon, threat intelligence researcher, Cyberint
