With the situation escalating to an invasion, troop movements and aerial bombardments have already been accompanied by cyberattacks on banks and TV stations in Ukraine.
For those in the West, the Russian cyber threat is elevated, and its intensity will be driven largely by the severity of the sanctions placed on Russia and by the extent of continued aid or military support to Ukraine.
We can expect sanctions in particular, designed to cause economic damage to Russia, to be met with cyber retaliation. The objective will be an eye for an eye: economic damage in the West, along with a demonstration that Russia can reach and affect the West directly, undermining public support and causing further division.
Analysts are uncertain about what will happen next. However, in echoes of the Crimea annexation of 2014, most believe Russia will not back away. If something does happen, they expect one of four scenarios:
- A continuation of the escalating tension
- Paramilitary operations
- Targeted annexation
- Full-scale invasion
None of these scenarios is good for Ukraine or its allies. To date, governments have spoken up in support of Ukraine, but some believe those words come across as hollow, with the West perceived as weaker and more divided than ever. As such, Russia believes it can push back NATO's influence in Eastern Europe and, through the conflict, shore up domestic support for Putin's government.
Regardless of the approach Russia takes, Ukrainian-allied governments and organizations need to be on high alert for an intensification of cyberattacks by Russian state-sponsored actors. In every scenario, the attacks on Ukraine will differ in intensity and focus from the attacks on its allies, and the ferocity of attacks on allies will likely be proportional to the West's response. Weapons deliveries, for example, might result in disruption of minor services or media defacement, while fighting alongside Ukrainian troops could bring on a full-scale cyber assault.
Escalation of Attacks
Should Russia adopt a policy of escalating tension, we believe it will use its cyber capabilities to intimidate Ukrainian citizens. These psychological operations (psyops) will attempt to influence the emotions, motives, and behavior of the Ukrainian government and its citizens, ultimately portraying a Ukraine that lacks governmental control.
Meanwhile, Russian state actors would work to establish footholds within the networks of Ukrainian allies. This serves both short-term interests, such as espionage, and long-term interests: a pre-positioned foothold gives Russia the potential to cause massive disruption should the need arise.
Should Russia move ahead to paramilitary operations, Ukraine should expect continued defacement, media targeting, and ransomware attacks. Annexation may escalate further, for example to a takedown of critical infrastructure, while a full invasion could lead to the systematic cyber takedown of government and critical infrastructure. None of this is set in stone, but the point is that as the kinetic military conflict escalates, the cyber conflict that accompanies it may escalate proportionally.
For allies in the West, certain scenarios may lead to an expectation of nation-state attacks, with the degree of attack depending on the Western response. At the early stages of escalation, this may appear as nuisance-type activity such as defacement. As tension increases, we could see this escalate to attacks on local governments and disruption of minor services, with ransomware groups deploying destructive attacks as a proxy for direct Kremlin involvement.
Next, media companies may expect defacement as Russia attempts to undermine public perception and confidence. Businesses and governments must be prepared for ransomware attacks. Should escalation reach a boiling point, critical infrastructure assets may come under attack, interrupting services like power, water, and gas. In an extreme circumstance, a full-scale cyber assault accompanying military action may follow.
What is all but certain is that Russia will continue, now and as the conflict escalates, to gain stealthy footholds, both for espionage and for the deployment of destructive attacks down the line. As such, in these early phases, it is what we cannot obviously see that is most critical.
A History of Successful Attacks
Russia is no stranger to perpetrating cyberattacks as a way to meet its goals. Three primary organizations carry out these attacks, alongside additional fringe units and the arms-length ransomware and crimeware gangs with Russian affiliation:
- FSB – Federal Security Service
- GRU – military intelligence
- SVR – Foreign Intelligence Service
NotPetya, one of history's most destructive attacks, was GRU malware that spread quickly throughout Ukraine, via a trojanized update to the Ukrainian M.E.Doc accounting software, and into companies that did business there. It was estimated to have caused over $10 billion in damages to its victims. BlackEnergy, another GRU tool, was used in the December 2015 attack that cut power to parts of the Ukrainian grid.
The SolarWinds supply-chain compromise, attributed to Russia's SVR, was designed to gather global intelligence, while the GRU ran an intelligence-gathering operation against Germany's critical infrastructure.
Russia also sponsored the attacks on the 2018 Winter Olympics in South Korea, interfered with democracy in the United States through the hack of the Democratic Party, and attacked government systems in Estonia and Georgia.
In addition, Russia hides behind Russia-based ransomware gangs, giving it plausible deniability. REvil, one of the country's largest cybergangs, protected Russian interests with code that checks the victim machine's system language and installed keyboard layouts and exits without encrypting when they indicate Russia or another CIS country.
Over the course of 2021, Russia-based ransomware gangs hit US critical infrastructure at least four times. REvil attacked JBS, striking a blow against the beef and pork industry, and Invenergy, a power generation company, and carried out the Kaseya supply-chain attack, while DarkSide, another Russia-based group, attacked Colonial Pipeline.
Our security analysts believe that future Russian-backed attacks on American and European financial, energy, and media companies, government agencies, and other critical services are inevitable.
Guidance Moving Forward
As we wait to see what transpires between Russia and Ukraine, organizations and government agencies should be shoring up their defenses against potential Russian cyberattacks.
The Cybersecurity & Infrastructure Security Agency (CISA) in the United States released a recommendation on January 18, 2022, urging leaders to "be on alert for malicious cyber activity." Its guidance, which offers measures for reducing the likelihood of an intrusion, detecting a potential intrusion, ensuring organizational readiness to respond, and maximizing resilience, should be treated as baseline cyber hygiene against Russian state-backed attackers.
To take your security measures to the next level, our cybersecurity services can make a big difference in your organization's ability to avoid catastrophic consequences. In the fight against nation-state-grade cyberattacks, our security professionals are available to help you with these proactive measures:
- Validate CISA recommendations and tailor them to your environment.
- Simulate ransomware attacks to identify incident response gaps and vulnerabilities.
- Run Russia-focused red-team simulations with up-to-date techniques.
To discuss your own cyber-security defense requirements, get in touch with a HolistiCyber expert today.