In a recent blog, the former head of Britain’s cyber security agency, Professor Ciaran Martin, said Russia was home to the “world’s largest concentration of cyber criminals”.
Quoting industry estimates, he said nearly three-quarters of the exponentially rising revenue from ransomware in 2021 went to cyber gangs in Russia.
Prof Martin, who hails from Omagh, Co Tyrone, said the economic and social impacts of Russia-based ransomware attacks are beyond what had been experienced before and “expose a soft underbelly” of vulnerability for disruption across the West.
He gave two examples. In the US, a criminal operation against the network of Colonial Pipeline caused the company to switch off the transportation of fuel to the eastern United States, causing major shortages at gas stations.
A professor at Blavatnik School of Government at Oxford University, Mr Martin cited a second case: “Worse, an attack by the so-called Conti ransomware group shut down the administrative body in Ireland charged with managing the national healthcare system with hugely disruptive consequences for cancer, prenatal and other critical health treatments.”
The former head of Britain’s National Cyber Security Centre, part of the signals intelligence agency GCHQ, said the Conti group recently published a statement threatening retaliation against countries that support Ukraine and “pledged loyalty to Mother Russia”.
He said this group suffered a serious internal security breach, seemingly from a pro-Ukrainian worker.
“Their statement is an unusually obvious glimpse into the strange but largely symbiotic relationship between the Russian state and organised cyber-criminality,” he said.
In the context of the war on Ukraine, Prof Martin said:
“So, for both of those reasons, organisations like CISA [US Cybersecurity and Infrastructure Security Agency] and the National Cyber Security Centre in the UK warn not of any specific threats, but of a more general higher level of risk.”
Prof Martin cited the work of a leading US cyber expert: “CrowdStrike co-founder Dmitri Alperovitch, who has predicted with great precision how the conflict would begin, worries that the early underperformance of the Russian military and the strength of Western sanctions could provoke a cornered Kremlin with less to lose down this route.”
This dovetails with what some security sources have told the.
“We monitor the dark web and there’s a lot of talk out there that Russia is going to be engaging in cybersecurity ransomware attacks for funding, because sanctions are having such a huge effect,” one source said.
All state bodies tasked with combating cyber threats — the National Cyber Security Centre (NCSC), An Garda Síochána and the Defence Forces — are understood to be on high alert over possible cyber fallout from Ukraine.
In a detailed statement issued to the, the NCSC — which is the lead cyber agency in the country — said it was operating at a “heightened state” of preparedness over “recent cyber incidents and the tensions in Eastern Europe”.
It said while potential direct risk of attack to Ireland was “low”, there was “a moderate to high risk” that second or third order effects of cyber action elsewhere could have a knock-on effect in Ireland.
And, in what may be a reference to the possibility of Russian-backed cyber ransomware attacks, it said it had cautioned companies and organisations that levels of cyber-criminal activity may increase, as threat groups may seek to profit from the tensions “or as a proxy of State activity”.
Questioned about its assessment, Garda HQ said it did not comment on domestic or international security other than to say it was working with national and foreign security agencies.
The Defence Forces said primacy for cybersecurity is vested in the Department of Communications and the NCSC, but added the DF maintains a “close working relationship” with the NCSC.
Thecontacted Prof Martin for further comment on the likelihood of Russian cyber ransomware attacks.
“With economic sanctions biting, there’s every chance criminal gangs will be getting money however they can.”
He added: “Moreover, the Russian state decides whether or not these groups can operate, and they may want to encourage them so as to harass the west and get some money out of it.
“And, some groups might find themselves corralled to the Russian war effort — the Conti group [which carried out the HSE attack] put out a statement of support for Putin’s invasion. For all these reasons, the West is right to be on heightened cyber alert.”
Eoin Keary, chief executive of Edgescan, said the concerns regarding Russian-backed ransomware attacks were “real” and “based on messages from cyber criminals aligned to Russia”.
He said while Conti has suffered a large leak, there are other groups, such as the “Fancy Bear” collective, who might aid the Russian state.
Mr Keary said “downstream” fallout of Russian cyber attacks on Ukraine, like the NotPetya attack in 2016, was a “real risk” due to interconnected systems.
“What heightens the risk is targeted attacks on the West due to sanctions,” he said, adding he would not be surprised if “nearly all larger financial, infrastructure and government institutions are being probed currently”.
He said sanctions may also result in more thefts of cryptocurrencies and attacks on the Swift inter-bank system, from which many Russian banks have been expelled.
Brian Honan, chief executive of BH Consulting, said the main cyber threats to Ireland are DDoS (denial of service) attacks, in which attackers flood a server and prevent it from working, wiper attacks, which wipe out all data and programs, and ransomware attacks, which lock and encrypt systems pending payment.
He said with the financial sanctions on the country, it is “possible” that Russia might look to ransomware attacks to generate funds via cryptocurrencies.
But he said this “may not be a successful ploy” for Russia, as targeted companies and organisations may breach sanctions by making payment to cyber gangs.
In addition, he said there were reports the EU was looking at imposing sanctions on transfers of cryptocurrency to Russia.
Either way, he strongly advised organisations to patch their systems, lock down and secure remote access, install multi-factor authentication, have up-to-date anti-virus software and monitor for attacks.