The situation in Ukraine continues to fluctuate, and U.S. intelligence sources are advising that Russia is preparing for an imminent invasion. Cyberattacks have already been observed in the conflict, and I expect diversions, distractions, and false flags as tensions escalate. There is also the potential risk of other threat actors being opportunistic under the cover of Russian aggression.
Cyberattacks are certain to play a central role in combination with any traditional military action on the ground. So if never-before-seen exploits start causing issues for organizations, it could be an indication that Russia is digging into its stockpile of zero-day delivery mechanisms, payloads, and compromised assets.
Cyber is critical here. Russia needs to default to asymmetric options because they are clearly struggling with other means of achieving their nationalistic aims. This is brinkmanship at a level that is unprecedented, and the cyber factor means that just a few keystrokes could significantly raise the stakes.
The Risk from Cyberattacks in the Russia-Ukraine Conflict
The threat is fluid, and will depend on the situation on the ground. In the earliest stages of the conflict, Ukraine obviously has the most to worry about, as well as those doing business in and with Ukraine given possible collateral damage from stray cyber munitions.
There is also risk for any allied nations in the G7, NATO, and other largely non-involved countries. As the conflict evolves, any nations impacted by cyberattacks could construe the activity as an act of war, and then things could get much more serious.
While cyberwarfare operations are expected to be leveraged in order to distract, disrupt, and destroy systems critical to Ukraine's defense capabilities locally, there is a high probability that Russian operatives might also target a wide range of organizations beyond the region, including:
- Financial services organizations
- Energy producers and utilities
- Telecommunication and internet infrastructure organizations
- Public-facing entities that may be symbolic or host ‘messaging material’ (e.g. marketing, newspapers, etc.)
- Government agencies and related organizations
Cyberattacks could take many forms, some where the threat actors are clearly connected to Russia, and some more covert actions where obfuscation is employed to make direct attribution difficult if not impossible.
For example, over the last few months there has been a new wave of cyberattacks targeting Ukrainian entities, including attacks on the Ukrainian Defense Ministry website and regional banks, website defacements, DDoS attacks, and a sophisticated multi-stage attack that delivered WhisperGate, a highly destructive wiper disguised as ransomware that paralyzed numerous Ukrainian organizations.
Ransomware is typically a tool of cybercriminals. Designing an attack that mimics a cybercrime operation obfuscates the underlying motive and works to the advantage of the attacker, especially in a situation where geopolitical conflicts on this level are concerned.
What to Expect in the Russia-Ukraine Conflict
If Russia does follow through with threats to invade Ukraine, we most likely will see an influx of cyberattacks focused primarily in and around the region, with the potential for additional cyberattacks spreading to the European Union, NATO member nations, and the United States specifically.
If an invasion does not occur, we can still expect that cyberattacks against Ukraine and allied nations will likely persist. There is also the additional risk that other state-sponsored threat actors like China and North Korea could take advantage of the situation to conduct cyberattacks to further their own geopolitical objectives.
The side that can maintain logistics, command structure and data flows faster and with less disruption has a huge advantage over their opponent. It is equivalent to having extra divisions and fleets of traditional units. If an adversary can disrupt physical command systems or get inside an opponent's decision loop through information warfare tactics, then their advantage improves significantly.
How to Prepare for the Russia-Ukraine Conflict
As the United States and European allies continue to seek a diplomatic resolution to the situation, organizations that are at risk of getting caught up in a wider conflict need to be prepared. The Cybereason team, which includes some of the world’s brightest minds from the military, government intelligence and enterprise security, is providing specific guidance to our partner organizations on how to address the heightened risk.
Cybereason customers are already protected against the most common, publicly known TTPs employed by Russian state-sponsored APT actors, and Cybereason recommends that all organizations follow the guidance issued by CISA, the FBI, and NSA. Organizations, especially those related to critical infrastructure, should maintain a heightened state of awareness and conduct proactive threat hunting.
Nonetheless, there’s a larger issue at play that exposes a deep contradiction in our approach to security. To be truly resilient means eliminating single points of failure and ensuring you have options, but organizations often sacrifice security for cost or efficiency. The challenge is to find the balance between resilience and efficiency.
The question for everyone to ponder as we make our way in these uncertain times is whether we are really ready for this new iteration of conflict. If the answer is no, then we will collectively have a lot of adapting to do and new doctrines to generate. If the answer is yes, then we have even more work to do because we have been lulled into a false sense of security.
Cybereason is dedicated to teaming with defenders to end attacks on the endpoint, across the enterprise, to everywhere the battle is taking place.