Russia's Escalation in Ukraine Sounds Cyber Defense AlarmsSectors at Greatest Risk Include Aviation, Water Safety, Energy, Financial Services
Russia's threat to Ukraine is reshaping notions of what it means to employ cyber operations as part of a conflict.
Whether Russian President Vladimir Putin has even decided what he will do next remains unclear, experts say. But a number of military options remain available, and all of them would likely involve some form of cyber escalation, and could well impact such critical infrastructure as the energy and financial services sectors, according to Washington think tank Center for Strategic and International Studies.
One military option would be "a decision, actually, not to invade but to continue to use irregular means in Ukraine, a combination of offensive cyber operations and then proxies and partners and some Russian forces operating probably out of uniform in Ukraine," said Seth G. Jones, director of CSIS's International Security Program, at a Tuesday press briefing.
But with the count of troops Russia has massed on Ukraine's border exceeding 100,000, CSIS has detailed five other potential military options, all of which involve some type of invasion. Based on the satellite imagery of Russia's forces, CSIS reports that "Russia has surrounded Ukraine on three sides with a conventional invasion force … which poses an imminent threat to Ukraine," and "Moscow has prepared Russian air and naval forces to support a possible ground invasion."
The White House continues to demand that Moscow de-escalate. Press secretary Jen Psaki told reporters Tuesday: "The door to diplomacy remains open."
If Russian forces do enter Ukraine, experts have warned of potential fallout from cyberattacks meant to support military operations, disrupt critical infrastructure and more. Depending on the response from Kyiv's allies, including the U.S. and EU, the focus of such cyberattacks might not be limited to Ukraine.
"Russia may also conduct extensive irregular operations in Ukraine and against the West, including cyber operations, subversion, and sabotage by Russia's intelligence services and special operations forces," CSIS researchers write in a recent report. "These actions could extend far beyond Eastern Europe, such as Russian cyberattacks against U.S. critical infrastructure and sabotage operations against undersea fiberoptic cables."
Accordingly, a number of "lingering questions" remain unanswered, they say, including: "How prepared are the United States and the West to deal with large-scale disruptions of critical infrastructure and their own military command and control systems as a result of direct or indirect cyberattacks?" In addition, are "redlines" being communicated to Moscow, and what will the reaction be if undersea cables get cut or satellites disrupted?
Beyond Website Defacements
Since last December, experts have been warning of an escalation in cyber operations focused on Ukraine, including information operations designed to undermine President Volodymyr Zelenskyy.
Starting on Jan. 13, multiple Ukrainian government websites were defaced and some systems destroyed by wiper malware. Security researchers subsequently reported that the affected systems appear to have been infiltrated in late summer 2021, with the destructive malware being pushed to systems a few months later.
One Ukrainian official has suggested that not just Russian attackers but also Belarusian proxies were involved. But as the operational security expert known as the Grugq has noted, the apparent failure of the wiper malware to do much damage suggests that the operation didn't go to plan. If multiple countries were involved, that would be an obvious explanation, he says, since joint operations are notoriously difficult to execute.
Psychologically, however, the defacements arguably achieved their aim, by warning Ukrainians to "be afraid and expect the worst."
"The website defacements were used to message the Ukrainian population in a sort of cyber mimicry of the old strategic 'terror bombing' theory," the Grugq writes on his blog.
This theory involves the "collective punishment of a civilian population in order to apply political pressure against their leaders," he says, adding that the aim in this case appeared to be to coerce a population into being afraid.
The risk now is that Russia will escalate beyond those types of activities, and that the damage will not be confined to Ukraine, according to John Hultquist, vice president of intelligence analysis at threat intelligence firm Mandiant.
"Russia and its allies will conduct cyber espionage, information operations and disruptive cyberattacks during this crisis," Hultquist writes in a recent report. "Though cyber espionage is already a regular facet of global activity, as the situation deteriorates, we are likely to see more aggressive information operations and disruptive cyberattacks within and outside of Ukraine." (See: Report Details Russian Cyberespionage Efforts in Ukraine.)
Russia has already demonstrated its ability to disrupt systems in Ukraine. Notable cyberattacks led to power outages in parts of Ukraine in the dead of winter in both 2015 and 2016, and the 2017 NotPetya worm, in which fake ransomware left PC hard drives destroyed, among other incidents.
While NotPetya targeted Ukraine, the malware also infected organizations worldwide, causing up to $10 billion in commercial damages.
The attacks on Ukraine's power grid demonstrate Moscow's ability to hit critical infrastructure, while NotPetya highlights its capability to hit many targets at once, experts say. Supply chain attacks attributed to Russia, such as the infiltration of SolarWinds software, also highlight Russian attackers' ability to achieve persistence on multiple systems, giving them the ability to disrupt many systems at a time of their choosing.
Thus, if Russia moves to occupy more parts of Ukraine and that provokes a response from the U.S. or NATO, experts say Moscow has the option to retaliate with more widespread cyberattacks.
The risk that cyber operations aimed at Ukraine could again spill over has led Britain's National Cyber Security Center to warn organizations to urgently review their business resilience posture.
"While we are unaware of any specific cyberthreats to U.K. organizations in relation to events in Ukraine, we are monitoring the situation closely, and it is vital that organizations follow the guidance to ensure they are resilient," Paul Chichester, the NCSC's director of operations, said last week.
Allies Focus on Critical Infrastructure
With the risk of conflict appearing to remain high, the White House this week dispatched Anne Neuberger, its senior cyber official, to Brussels to coordinate with her EU and NATO counterparts.
Talks between the U.S., EU and other NATO allies are focused on cyber defense and what happens next, in the event that Russia further escalates, says Rachel Ellehuus, deputy director and senior fellow with the Europe, Russia, and Eurasia Program at CSIS, "because there is this sense that part of the Russian aggression will build on some sort of a cyberattack."
Allies' cybersecurity defense focus now is on "four areas in particular - aviation, water safety, energy and financial services," she says. "I see a lot of proactive thinking here about the types of vulnerabilities that exist in Europe that could be compromised if Russia takes this next step."