Amid horrifying images of airstrikes and armored divisions rumbling towards Kyiv, Russia’s invasion of Ukraine also heightens the threat of cyberattacks unrestrained by political borders.
Possible targets include not only Ukrainian institutions but also European infrastructure. The threat could very well extend to U.S. industrial, military, utility and retail infrastructure. Many of these targets have already been hit by Russian hackers.
As tensions grew over the last week, the Biden administration said in a Feb. 18 statement that Russia was the probable source of recent cyberattacks on Ukrainian banks. The Kremlin was also blamed for large-scale attacks in January on Ukrainian government websites. Anne Neuberger, deputy national security adviser for cybersecurity, told reporters the U.S. was helping the Ukrainian government prepare for possible cyberattacks in the event that Russia invaded the country.
As U.S. intelligence agencies warned for months, Russia invaded Ukraine on Feb. 23.
In January, Cisco’s Talos threat intelligence and research unit noted in a blog post that threat actors infecting Ukrainian government networks with malware likely had access for several months before launching cyberattacks. Predictably, the Kremlin has denied Russia was the source of those attacks.
Since then, threats to the U.S. and Europe have escalated. On Feb. 16, for example, the FBI, the National Security Agency and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint cybersecurity alert warning that Russian state-sponsored threat actors have been targeting U.S. military contractors for the last two years. The attacks were intended to steal sensitive U.S. military data and technology.
Russian spy agency hackers have deployed previously unseen malware infecting home and office network devices around the world. Dubbed Cyclops Blink, the malware disrupts firmware updates, turning firewalls into attack platforms for stealing confidential data while attacking other networks.
According to a recent report on crypto-crime from Chainalysis, Russian hackers were also responsible for 74 percent of ransomware payments in 2021.
Europe, U.S. vulnerable
The day before the Ukraine invasion, Sen. Mark Warner, D-Va., chairman of the Senate Select Committee on Intelligence, expressed concern that Russian cyberattacks could prompt a broader cyber-war that would involve the U.S. and other NATO members. Warner told Axios such a cyber-war would trigger NATO’s collective defense doctrine, known as Article 5.
Article 5, defined as “an attack against one Ally is considered as an attack against all Allies,” was invoked for the first time after the 9/11 terrorist attacks, highlighting the current threat posed by Russia’s invasion of Ukraine.
Warner outlined two scenarios by which Article 5 could be invoked: Either Russian President Vladimir Putin could approve cyberattacks against Ukraine using malware such as NotPetya, which then spreads to NATO member states; or Putin could order direct cyberattacks against member states’ critical infrastructure.
Last year, NATO affirmed that Article 5 included cyberattacks, adding, “We reaffirm that a decision as to when a cyberattack would lead to the invocation of Article 5 would be taken by the North Atlantic Council on a case-by-case basis.”
U.S. cyber risks
The U.S. Department of Homeland Security (DHS) warned in January of potential cyberattacks if Russia invaded Ukraine. In an internal bulletin to federal agencies only recently made public, DHS said attacks could come if Russia “perceived a U.S. or NATO response” to such an invasion.
The FBI, the NSA, and CISA also issued a joint cybersecurity alert, “Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure.” After warning operators of critical infrastructure to increase awareness of potential threats while proactively hunting for them, the alert provided an overview of Russian state-sponsored cyber operations along with common tactics and techniques, as well as suggested detection methods. The agencies also provided incident-response guidance and mitigation steps.
Also in January, the White House instructed government agencies to increase their cybersecurity, specifically by adopting zero-trust strategies. As we’ve reported, the zero-trust principle is gradually being adopted by operators of IT and operational technology networks, including industrial control systems, especially those used in critical infrastructure.
“The importance of cybersecurity for critical infrastructure was already high on the agenda of U.S. organizations, but now the urgency has increased even more,” Duncan Greatwood, CEO of cybersecurity provider Xage Security, told EE Times. “The zero-trust approach has a real ability to stop an attack or even contain the attack once it’s begun, and this is the approach government and industry have been working on for the last few months.”
But implementation of this “never-trust, always-verify” approach isn’t keeping pace with current threats, according to Greatwood. The good news is that Western critical infrastructure operators are implementing zero-trust security. “The bad news is that most of the resulting field implementations [remain] in the future,” he said.
Organizations remain in the planning stages for now as they ponder architectures, said Greatwood. “Some implementations will be made this year, and more next year. But most benefits of zero-trust changes don’t exist yet in critical infrastructure in energy and water, and the retail supply chain, although the electrical grid is already a little better protected.”
While the risks from cyberattacks on U.S. critical infrastructure have been ongoing for several years, the concern is that Russian attacks will increase in frequency and severity, largely in retaliation for Western economic sanctions against Russia.
Russia’s critical infrastructure is also vulnerable. U.S. intelligence and military leaders are reportedly considering cyberattacks against Russia to slow its invasion of Ukraine, according to an NBC News report.
One likely outcome, said Greatwood, is “a cyber cold war, where each side knows they’re vulnerable, and each knows the other knows that they’re vulnerable.
“So, both sides may be reluctant to escalate attacks because of their mutual vulnerability,” Greatwood added. “Yet, as with any standoff like this, probing cyberattacks may continue on each side, with the ever-present risk of a sudden increase in tit-for-tat hacking.”