As the conflict in Ukraine continues and may do so for months if not years, cybersecurity professionals are on high alert. Alongside government and industry, they are monitoring the use of cyber threats within the conflict itself and preparing for the possibility of Russian attacks elsewhere – either for the purposes of retaliation or coercion.

The threat is not new. Russia has a long history of cyber operations against Ukraine. These began in earnest following the Euromaidan protests, which started in late 2013. The cyber adversary VOODOO BEAR, also known as Unit 74455 of Russia’s military intelligence service, has been a major perpetrator of these attacks. Its aim appears to be to degrade, delegitimize, or reduce public trust in Ukraine’s state institutions and industry sectors.

The Russian threat has been constant

While Russia amassed forces on the Ukrainian border, Russian cyberattacks targeting the nation also accelerated. In mid-January 2022, a campaign of government website defacement and data theft occurred, along with a wiper attack the security industry has dubbed WhisperGate. The wiper attack and website defacements came immediately after a series of meetings between the U.S. and Russia regarding troop deployments near the Ukrainian border. Following the attacks, personas associated with the Russia-nexus threat actor EMBER BEAR emerged on the dark web, offering data stolen in the attacks for sale.

In mid-February, Ukrainian banking and government websites were targeted by Russian military intelligence as part of a large-scale distributed denial-of-service (DDoS) attack. This included the websites of Ukraine’s Ministry of Defense and Armed Forces as well as the State Savings Bank of Ukraine (Oschadbank) and the mobile application of Ukraine’s largest commercial bank, PrivatBank. Simultaneously, banking customers were sent SMS messages falsely indicating ATM systems were not functioning, and bomb threats were made against several bank locations.

On February 23, 2022, a second wiper attack, DriveSlayer, was identified. More technically sophisticated than the WhisperGate/EMBER BEAR activity from January, DriveSlayer’s characteristics are more consistent with VOODOO BEAR’s activities.

On February 24, 2022, several Ukrainian government websites showed a defacement message before becoming unresponsive to visitors. The displayed message was almost identical to the one used in defacement activity against similar targets on January 14, 2022. 

Soon after the DriveSlayer wiper attack and website defacements, Russian troops attacked Ukraine. In the weeks since the commencement of military conflict, numerous other incidents have been identified, including additional wiper attacks, misinformation, and espionage against Ukrainian targets. 

US executive branch agencies take action

Long before the current conflict in Ukraine, U.S. national security officials and cybersecurity industry analysts had raised concerns about Russia’s demonstrated capabilities and potential intentions to attack U.S. critical infrastructure. Periodic breaches attributed to Russia-nexus actors show that U.S. infrastructure is at risk and could be attacked, degraded, or destroyed during a time of heightened geopolitical tension. As the war in Ukraine drags on without Russia achieving its political objectives, and as sanctions by the U.S. and its allies mount in scope and impact, these risks grow.

U.S. critical infrastructure operators, for their part, are increasingly focused on this threat. The U.S. government, through efforts by the White House, CISA, the Department of Energy, and other agencies, has rolled out awareness and assistance campaigns over the years to help strengthen the security posture of critical infrastructure companies. There have been improvements over the past decade, albeit from a sometimes-low baseline. 

Since the start of the conflict, White House public statements, notifications, and offers of assistance to state governments, the CISA Shields Up campaign, and well-timed DOJ indictments represent an unprecedented level of cybersecurity engagement from the executive branch. These are all positive steps from an awareness perspective.

Enact security industry best practices

But even with awareness sufficiently raised, and with new resources and support, critical infrastructure operators must still observe best practices for cybersecurity. This is a “last mile” problem that government and industry can’t solve through policy initiatives alone. The following list is not exhaustive, but organizations should:

  • Build relationships with law enforcement or homeland security staff who can help during an incident.
  • Develop or maintain access to know-how and skilled workers or support staff. This includes having an incident response plan in place and, in many cases, a retainer with a qualified provider of incident response services. 
  • Leverage measures identified in Executive Order 14028 on Improving the Nation's Cybersecurity. This includes use of the following enterprise security tools and concepts: multi-factor authentication (MFA) and endpoint detection and response (EDR); sufficient logging; migration to cloud/Software-as-a-Service (SaaS) applications; implementation of zero-trust architectures; and proactive threat hunting for adversaries within their networks.  
  • Utilize specialized tools and capabilities required for operational technology (OT) security. 

Outside Ukraine, Russian cyber activity to date during this conflict has been modest relative to early fears. However, this could change, and indeed there are indications that Russia may become more aggressive in retaliation for foreign support to Ukraine and significant sanctions on Russian individuals and entities. Critical infrastructure operators must remain on high alert. With significant media coverage and the U.S. government actions and warnings we’ve outlined, it appears that private sector organizations are increasingly taking note.

Adam Meyers, senior vice president of intelligence, CrowdStrike