It has been a month now since Russia invaded Ukraine. While Russia continues its unprovoked rampage into Ukraine, and the Ukrainian people heroically defend their land, the rest of the world is on high alert for Russian cyberattacks. It is a virtual certainty that the attacks are coming—if they are not already ongoing—and organizations need to be prepared.
There was a lot of speculation that Russia would engage in widespread and coordinated cyberattacks against Ukraine and its allies ahead of the military invasion. There were some website defacements in Ukraine, and malicious wipers were discovered on servers in Ukraine, but that was nowhere near the scale of attacks that was expected. As Russian forces continue to struggle, and the impact of global sanctions intensifies, the odds that Russia will become desperate and lash out against nations supporting Ukraine increase.
Just this week, President Biden issued a statement on cybersecurity. In it, Biden states: “I have previously warned about the potential that Russia could conduct malicious cyber activity against the United States, including as a response to the unprecedented economic costs we’ve imposed on Russia alongside our allies and partners. It’s part of Russia’s playbook. Today, my Administration is reiterating those warnings based on evolving intelligence that the Russian Government is exploring options for potential cyberattacks.”
It's also likely that cyberattacks are occurring, and there has been significantly more malicious activity from Russian threat actors than we are aware of. The line between cyber and kinetic warfare remains blurry, so the US and NATO allies may avoid disclosing details of ongoing attacks to prevent any possible escalation of the conflict.
Calm Before the Storm
Whether that is the case or not, we should expect those attacks are forthcoming. Government, military, and critical infrastructure organizations would be the primary targets, but no sector is off-limits. Attackers can compromise low-hanging fruit like suppliers and partners to those organizations, and leverage the trusted relationship to gain access. There is also the potential for unintended collateral damage, like the NotPetya attack that spread around the world.
Over the past year, we saw an intense and steady stream of high-profile cyberattacks from Russia and tense exchanges between Biden and Putin over the Russian cyber aggression. However, it has been eerily quiet recently. Russia made a very public spectacle of arresting members of the REvil ransomware gang in January. Since then, the volume of ransomware attacks has plummeted to almost nothing.
At face value, it was meant to be a show of cooperation—to demonstrate that Russia was working with western nations to rein in the ransomware threat. It was more of a performance or charade, though.
In reality, we believe Russia conscripted the ransomware gangs—operationalizing their skills and experience to engage in coordinated cyberattacks on behalf of the Russian government. In the past two weeks, incident response engagements have spiked dramatically–demonstrating that Putin has control over threat actors and the ability to leverage cybercrime groups and state-controlled weapons.
With military efforts in Ukraine stalled and increasing pressure from sanctions, I believe we are going to see more ransomware attacks here in the US. Russia will employ ransomware attacks as its own “sanctions” against private businesses in the US in an effort to put pressure on the Biden Administration to back down.
We can also expect increased attacks against critical infrastructure and the financial sector. Essentially, though, they will not be very discriminating about their targets. They are going to go after everything they can.
Organizations need to follow the “Shields Up” guidance from CISA. It is important to do everything you can to proactively strengthen your security posture and to have plans and processes ready to respond quickly and effectively if a cyberattack occurs.