Amid Russia’s massive troop build-up near the borders of Ukraine — and stark warnings from the governments of the U.S. and other western nations — the possibility of a Russian invasion of Ukraine looms large.
Diplomatic efforts this weekend by world leaders including U.S. President Joe Biden were unable to deter Russian President Vladimir Putin. Estimates now put the Russian build-up at 130,000 troops, which includes armored vehicles, ships, and aircraft, according to the BBC.
What’s less apparent is what sort of cyber forces Russia could be marshaling in preparation for what’s coming next. But cybersecurity experts say that if Russia does invade, it will undoubtedly use cyberattacks as a key part of its strategy — just as the country has done in previous military campaigns over the past decade-and-a-half, including in Georgia and the Crimean Peninsula in Ukraine.
“In these previous conflicts, cyber was used to facilitate a Russian occupation that remains today in previously sovereign territory of another country,” said Christian Sorensen, former operational planning team lead for the U.S. Cyber Command, and now founder and CEO of cybersecurity firm SightGain, in an email. “In this way, cyber is tightly integrated into Russian tactics.”
In the event that an invasion does occur, “it’s not really a question of whether cyberattacks on Ukraine will take place,” said Mathieu Gorge, author of “The Cyber Elephant in the Boardroom” and the founder and CEO of cybersecurity firm VigiTrust.
Making attacks ‘more powerful’
“Bringing down critical infrastructure in Ukraine, or any opponent’s sovereign state infrastructure, is a tactic to either proceed or augment physical attacks,” Gorge said in an email. “The idea behind it is that if you cripple the country physically at their border while crippling access to banking, electricity, health services, and IT systems, your attack is much more powerful.”
Given that there will almost certainly be a cyber component of any military action by Russia against Ukraine, this raises a number of key questions. In particular, there’s the question of whether Russia’s cyberwarfare tactics will come to include attacks against more than just Ukraine — possibly turning the conflict into a cyberwar on a more global scale than we’ve seen before.
Among the most notorious acts of cyberwar to date was the 2017 NotPetya attack — which was ordered by the Russian government and initially targeted companies in Ukraine. The NotPetya worm ended up spreading worldwide, and it remains the costliest cyberattack to date with damages of $10 billion, according to Wired.
Ever since, however, “there has been ongoing debate about whether the international victims were merely unintentional collateral damage or whether the attack targeted companies doing business with Russia’s enemies,” wrote Patrick Howell O’Neill in the MIT Technology Review.
This time around, could things be different? And if so, how? What follows are five key questions about Russia, Ukraine, and the possible cyberwar ahead.
What types of new cyberwarfare tactics could Russia deploy?
In mid-January, a day after the failure of diplomatic efforts to halt the Russian troop build-up, more than 70 Ukrainian government websites were targeted with the new “WhisperGate” family of malware. Ukraine blamed Russia for the attacks, which left many of the government’s websites inaccessible or defaced.
WhisperGate has “strategic similarities” to the NotPetya wiper, “including masquerading as ransomware and targeting and destroying the master boot record (MBR) instead of encrypting it,” researchers at Cisco Talos wrote. But, WhisperGate “notably has more components designed to inflict additional damage,” the researchers wrote.
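The Talos description above turns on one detail: a wiper that overwrites the master boot record leaves a disk that cannot be recovered by decryption, so the defensive question is whether the first sector still looks like a valid MBR. The following is an added example, not code from Talos or from this article, showing how a baseline check of sector 0 can flag that kind of damage. It parses the 446-byte boot code, the four partition entries, and the 0x55AA signature, compares the boot code against a recorded hash, and runs against constructed sample sectors rather than a real disk.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"   # last two bytes of a valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Parse a 512-byte MBR into boot-code hash, partition entries and signature state."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        off = 446 + 16 * i
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4) = 16 bytes
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:446]).hexdigest(),
        "partitions": entries,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def check_mbr(sector: bytes, baseline_sha256: str) -> list:
    """Return human-readable findings that suggest the MBR was overwritten or wiped."""
    findings = []
    info = parse_mbr(sector)
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from recorded baseline")
    if not any(p["type"] != 0 for p in info["partitions"]):
        findings.append("partition table empty")
    return findings


def build_sample_mbr() -> bytes:
    """Constructed healthy MBR: a JMP stub padded with NOPs plus one NTFS partition."""
    boot_code = bytes([0xEB, 0x3C, 0x90]) + b"\x90" * (446 - 3)
    part1 = struct.pack("<B3sB3sII", 0x80, b"\x00\x21\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 1_000_000)
    table = part1 + b"\x00" * 48          # remaining three entries unused
    return boot_code + table + BOOT_SIGNATURE


# Constructed "after the wiper" sectors: one zeroed outright, one with its boot code
# replaced by a fake note while the partition table and signature were left in place.
WIPED_MBR = b"\x00" * SECTOR_SIZE
NOTE_MBR = (b"YOUR DISK IS ENCRYPTED ".ljust(446, b"\x00")
            + build_sample_mbr()[446:])


if __name__ == "__main__":
    good = build_sample_mbr()
    baseline = parse_mbr(good)["boot_code_sha256"]   # record this while the host is healthy
    for label, sector in (("healthy", good), ("wiped", WIPED_MBR), ("note", NOTE_MBR)):
        print(label, check_mbr(sector, baseline) or ["no findings"])
```

In practice the baseline hash would be recorded per host while it is known-good and the check run from offline media or an EDR agent that can read the raw device; the point of hashing only the boot-code region is that partition edits by an administrator do not trip it, while a wiper that replaces sector 0 does.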
Also noteworthy is the fact that Ukrainian officials pointed to a “high probability” that the attacks originated with a breach of the software supply chain.
Indeed, compromises of the software supply chain could be one of the new cyber tactics that Russia utilizes during any coming cyberwarfare campaigns, Sorensen said. The attackers behind the breach of SolarWinds Orion, the biggest software supply chain attack to date, have been linked to Russian intelligence by U.S. authorities.
While the specific cyber techniques used by Russia may have evolved, however, the goals have not, Sorensen said. Russia has “a playbook that they would follow again because it’s worked in the past,” he said, including in Georgia, Estonia, and Crimea.
How might acts of cyberwar by Russia coincide with military actions?
Russia’s strategy will be to generally spread fear, uncertainty, and doubt both before and during an active/shooting conflict, and to target military personnel and communications during active conflict, Sorensen said.
For instance, Russia might use cyber to “provide cover of Russian troop activities through fear, uncertainty, and doubt to cover the armed takeover of the city of Korosten, Dubrovytsya, or Sarny from Belarus, for example,” he said. “This is the same strategy as in the previous Ukraine, Georgian, and Estonian conflicts.”
In those prior attacks, cyber was used as a diversion — in order to confuse the targets enough to “not put up a big fight or get organized until it was too late,” Sorensen said.
In preparation, the Ukrainian government has taken steps to improve its cybersecurity defenses, including through holding training exercises such as “hackathons” that have been organized by the European Union and NATO, the Wall Street Journal reported today.
But while Ukraine is well aware of Russia’s cyber abilities, “the challenge is that the attacker only needs to get it right once to make an impact — whereas the attacked party needs to protect all of its systems,” Gorge said. “From a planning perspective, an attacker would probably spend a lot of time checking their opponents’ key systems for vulnerabilities, and they just need to wait for the right time to strike — namely right before or after a physical attack.”
Could the U.S. and other western nations be targeted?
There appears to be a strong possibility of this happening. The U.S. Department of Homeland Security (DHS) last month warned that Russia was likely considering cyberattacks against U.S. infrastructure amid the Ukraine tensions.
The DHS intelligence bulletin suggested that in the event Russia invades Ukraine, a U.S. or NATO response to the invasion might prompt a cyber offensive from Russia against targets located in the U.S. The attacks could range “from low-level denials-of-service to destructive attacks targeting critical infrastructure,” according to the January 23 bulletin, as cited by CNN.
Last week, regulators in Europe and the U.S. alerted banks that Russian cyber attacks related to the Ukraine tensions pose an imminent threat, and urged banks to make preparations, Reuters reported.
Then on Friday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) posted a warning about the potential for attacks against U.S. targets by Russian threat actors.
“While there are not currently any specific credible threats to the U.S. homeland, we are mindful of the potential for the Russian government to consider escalating its destabilizing actions in ways that may impact others outside of Ukraine,” CISA said in its “Shields Up” warning. “CISA recommends all organizations—regardless of size—adopt a heightened posture when it comes to cybersecurity and protecting their most critical assets.”
Meanwhile, Russian cyberattacks against targets outside Ukraine have reportedly already taken place. Last month, a Russia-linked threat actor is believed to have launched a cyberattack against a western government organization in Ukraine, according to researchers at Palo Alto Networks’ Unit 42. The attack involved a “targeted phishing attempt” and attempted delivery of malware, Unit 42 reported.
The leadership of the group, which Unit 42 has referred to as “Gamaredon,” includes five Russian Federal Security Service officers, the Security Service of Ukraine said previously. Unit 42 did not identify or further describe the western government entity that was targeted by Gamaredon.
What will retaliation look like in a cyberwar?
A nation state under physical attack typically retaliates, Gorge noted. But what about for acts of cyberwar?
With cyber attacks, “generally the emphasis is on containing the breach, fixing vulnerabilities, and then investigating what can be done,” Gorge said.
Thus, “there is a school of thought that says that cyber retaliation may not be as swift — and may not need to be as swift,” he said. “It’s not like traditional warfare where missiles fly from enemies to enemies in real time.”
How will AI factor in?
Artificial intelligence (AI) and machine learning (ML) have become increasingly central to both cyber attack and cyber defense capabilities. In the same way that software supply chain attacks could be a bigger factor in coming cyber warfare by Russia, AI and ML might likewise play a larger role in Russia’s cyber tactics this time around.
As one example, the threat actor known as Gamaredon has previously used the Pterodo malware strain against targets in Ukraine — which brings an “ability to evade detection and thwart analysis” in part through the use of a “dynamic Windows function hashing algorithm to map necessary API components,” Microsoft researchers said.
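The “function hashing” Microsoft describes works by storing a numeric hash of each Windows API name instead of the name itself, so static string scans find nothing to flag. Analysts counter it by precomputing the same hash over every known export name and looking the numbers back up. The following is an added example, not code from Microsoft or from the Pterodo sample: the rotate-right-13 hash is a stand-in chosen for illustration and is not claimed to be Pterodo’s algorithm, the export list is a constructed subset of kernel32 names, and the byte blob scanned at the end is constructed to contain two hashed names. The resolver takes any hash function, so the same table-building step generalizes to whatever algorithm reverse engineering of a given sample recovers.

```python
import struct
from typing import Callable, Dict, Iterable, List, Optional, Tuple


def ror13_hash(name: str) -> int:
    """Illustrative 32-bit rotate-right-13 accumulator; assumed, not a specific family's hash."""
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + b) & 0xFFFFFFFF
    return h


def build_hash_table(export_names: Iterable[str],
                     hash_fn: Callable[[str], int]) -> Dict[int, str]:
    """Map hash -> export name; raises if two names collide under hash_fn."""
    table: Dict[int, str] = {}
    for name in export_names:
        h = hash_fn(name)
        if h in table and table[h] != name:
            raise ValueError(f"hash collision between {table[h]} and {name}")
        table[h] = name
    return table


def resolve_hashes(hashes: Iterable[int], table: Dict[int, str]) -> Dict[int, Optional[str]]:
    """Resolve hash values found in a sample back to names (None if unknown)."""
    return {h: table.get(h) for h in hashes}


def scan_blob_for_hashes(blob: bytes, table: Dict[int, str]) -> List[Tuple[int, str]]:
    """Slide a 4-byte little-endian window over a blob and report offsets of known hashes."""
    hits = []
    for off in range(len(blob) - 3):
        (value,) = struct.unpack_from("<I", blob, off)
        if value in table:
            hits.append((off, table[value]))
    return hits


# Constructed subset of kernel32 export names (real API names, constructed list).
SAMPLE_EXPORTS = [
    "CreateFileW", "WriteFile", "ReadFile", "VirtualAlloc", "VirtualProtect",
    "LoadLibraryA", "GetProcAddress", "CreateProcessW", "Sleep", "ExitProcess",
]
TABLE = build_hash_table(SAMPLE_EXPORTS, ror13_hash)

# Constructed blob standing in for a decoded config or code section of a sample:
# 8 zero bytes, a hashed name, three NOPs, a second hashed name.
SAMPLE_BLOB = (b"\x00" * 8
               + struct.pack("<I", ror13_hash("VirtualAlloc"))
               + b"\x90" * 3
               + struct.pack("<I", ror13_hash("LoadLibraryA")))


if __name__ == "__main__":
    for off, name in scan_blob_for_hashes(SAMPLE_BLOB, TABLE):
        print(f"offset {off}: {name}")
    print(resolve_hashes([ror13_hash("Sleep"), 0xDEADBEEF], TABLE))
```

The export list would normally be generated by dumping the export tables of the DLLs on a reference Windows build, and the scan can be pointed at a memory dump as easily as at a file; the collision check matters because a short rotate-and-add hash over thousands of names does occasionally collide, and a silent overwrite would mislabel an import.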
AI and ML “can be used to protect systems in a way that humans would not be able to detect attacks,” Gorge said. “However, it can also be used by attackers to circumvent traditional defense layers. This is where cyber warfare is heading.”