Ukraine Reportedly Calls for Volunteer Cyberwarriors
Meanwhile, Hacktivist Collective 'Anonymous' Declares Cyberwar on Russia
On the second full day of warfare in Ukraine, the Russians have nearly encircled the former Soviet state. Some military and foreign policy experts say the capital, Kyiv, may fall by the weekend. Meanwhile, the Ukrainian Ministry of Defense, which oversees Ukraine's military, has reportedly issued a call for Ukrainian hackers to safeguard its networks and potentially tap into Russian infrastructure.
According to Reuters, the country is looking to its underground to field a team of digital volunteers to serve as a line of Ukrainian defense, including spying on Russian troops. Sign-up requests reportedly began circulating on Thursday.
According to the report, the bulletin reads: "Ukrainian cybercommunity! It's time to get involved in the cyber defense of our country." It reportedly urges hackers to submit applications through Google Docs and to highlight any background in malware development.
The report says teams would be split between "defensive," guarding critical infrastructure, and "offensive," including supporting the Ukrainian military in digital espionage. Reuters writes that organizers have already received hundreds of applications that they are now vetting, particularly for potential Russian agents.
The post was reportedly authored by Yegor Aushev, co-founder of the cybersecurity company Cyber Unit Technologies, which has contracted with the Ukrainian government. Aushev reportedly said the request came from the country's Defense Ministry, although the ministry did not confirm the move in initial media reports.
An anonymous representative from Cyber Unit Tech responded to Information Security Media Group's request Friday for additional details. While they were unable to comment on the strategic plans of the cyber unit, they said that thus far, "Digital volunteers have put down the Russian Ministry of Defense site," and that "invisible volunteers will keep on fighting the enemy."
Anonymous Declares Cyberwar
At the time, social media reports surfaced saying that several Russian ministries, including its Ministry of Defense, may have faced DDoS attacks. The reports came just hours after the international hacktivist collective Anonymous declared it was at (cyber) war with Russia and tweeted about the outage.
According to Politico, other websites that reportedly went offline included the Kremlin's website; the site for the Duma, Russia's parliament; and Sberbank, a state-owned financial institution. It remains unclear if this was the work of cyberwarriors in support of Ukraine or Russia potentially geo-fencing its IP addresses to stave off such attacks.
In a tweet, Anonymous said it was at cyberwar with the Russian government, and claimed that it had taken down the site of RT, a Russian state-controlled network. In a tweet on Thursday, RT confirmed that it had been targeted by "strong DDoS cyberattacks" but that it was "able to repel the hit on [its] servers."
And early Friday, according to threat intelligence experts at the firm Recorded Future, Russia-linked ransomware gang Conti reportedly issued the following warning in response: "The Conti Team is officially announcing a full support of Russian government. If anybody will decide to organize a cyberattack or any war activities against Russia, we are going to use our all of our possible resources to strike back at the critical infrastructures of an enemy."
Hacktivists, APT
According to Politico, Cyber Partisans, a Belarusian hacktivist group that has resisted the Russian government, also reportedly said it has been working with volunteer hackers to aid Ukraine's military. In January, Cyber Partisans claimed to have hit Belarusian Railway with a cyberattack to disrupt troop movements.
Conversely, Ukraine's Computer Emergency Response Team, over Facebook on Friday, said that UNC1151, a Belarusian government-linked APT, has been tracked trying to compromise the email accounts of Ukraine's military personnel.
In a statement provided to ISMG, the security firm Mandiant "confirmed that the domains mentioned in the CERT.UA Facebook post are attributable to UNC1151."
Mandiant Director Ben Read said the activity matches the historical pattern of efforts targeting the Ukrainian military over the past two years.
Russian Warning
On Thursday, Russia’s National Computer Incident Response and Coordination Center issued an alert, warning of potential cyberattacks on "Russian information resources."
It read: "NCCC warns of the threat of an increase in the intensity of computer attacks on Russian information resources, including critical information infrastructure. Attacks can be aimed at disrupting the functioning of important information resources and services, causing reputational damage, including for political purposes.
"In addition, in the future, it is possible to carry out harmful influences from the Russian information space to form a negative image of the Russian Federation in the eyes of the world community."
Governmental Response
As of Friday, Western governments were continuing to monitor Russian troop advancement, while reportedly mulling harsher sanctions against the Russians. One measure that remains on the table is excluding Russia from the SWIFT banking network - the digital system that executes financial transactions worldwide. U.S. President Biden, on Thursday, announced an additional wave of sanctions against Russian finance but did not include SWIFT.
As part of the new package, Biden said that the administration will target Russia's imports of certain technologies, perhaps cutting off as much as 50% of related imports.
The White House said the restrictions would affect Russia's ability to import military technology, which could include U.S.-based software, telecommunications equipment, semiconductors and more.
Also on Friday, the NATO Response Force was activated for the first time. The multinational force consists of land, air, sea and special operations forces.
A joint statement by NATO heads of state on Friday reads: "We will make all deployments necessary to ensure strong and credible deterrence and defense across the alliance, now and in the future. Our measures are and remain preventive, proportionate and non-escalatory."
What's Next?
Many cybersecurity experts caution that a cyber spillover to Europe or the U.S. is still plausible.
"[The Russians'] motive is to make people regret joining NATO and not leave an obvious trail of breadcrumbs back to the Russian government," says Lou Steinberg, a cyber expert and founder of the firm CTM Insights. "So, their [cyber] method will be based on those motives."
On DDoS and Anonymous' new declaration, James A. Lewis, senior vice president and director of the Strategic Technologies Program at the Washington, D.C.-based think tank the Center for Strategic and International Studies, says: "Putin is not [generally] susceptible to pressure in cyberspace."
Lewis calls DDoS a political tool with limited value against a "dictatorship." He adds: "We need better tactics if we're to squeeze Russia."
Lewis also warns that it may not be in the United States' best interest to use offensive cyber weapons against Russia, since the U.S. "has cyber pressure points that Russia can exploit." He says, altogether, sanctions remain a better tactic.
Other experts say the conflict could draw in cyber defenders.
Rosa Smothers, a former CIA threat analyst and technical intelligence officer who is currently the senior vice president of cyber operations at the firm KnowBe4, says: "Global popular support of Ukraine could [also] lead to crowdsourcing cyber efforts: network defense and attack, as well as coordinated groups of people working to make viral images and videos of captured or surrendered soldiers."