On Feb. 24, 2022, Russia launched a large-scale military invasion of Ukraine. By all accounts, the Russian offensive attacked on multiple fronts, including Ukraine’s computer networks and communication systems. The cyberattacks began before the first tank crossed the border, with Ukrainian networks subjected to multiple targeted attacks involving network intrusions, distributed denial-of-service attacks and the deployment of wiper malware built specifically to destroy data on Ukrainian systems.
This isn’t the first time Russia has engaged in this type of cyberwarfare, nor is it likely to be the last. Many will remember the widespread power outages in 2015, when Russian hackers breached the Ukrainian power grid, or the 2017 NotPetya malware, which was intended to target Ukraine’s networks but quickly spread out of control, causing billions of dollars in damage around the globe.
This time, Ukraine was better prepared and, for the most part, has withstood the Russian cyber onslaught. One of the more interesting aspects of this conflict, however, has been the international response and how a regional military conflict has spilled over into cyberspace far beyond the two countries’ borders. Russia’s military action in Ukraine was condemned immediately, and the United States and most of Europe imposed severe economic sanctions on Russia.
Because of the sanctions and U.S. opposition to the war, there were concerns that Russia-aligned hackers would target U.S.-based organizations, and some groups promised retaliation for what they saw as interference. The Cybersecurity and Infrastructure Security Agency (CISA) warned state and local governments and the aviation and energy sectors of the increased risk of attacks originating from Russia. One well-known ransomware group, Conti, publicly announced its intention to “use our full capacity to deliver retaliatory measures,” and there have been reports of prior ransomware victims having their data posted to the dark web, even after paying the ransom, as retribution for the U.S. government’s opposition to the war.
Interestingly, Russia has been on the receiving end of increased cyberattacks as well. Shortly after the Russian operation began, the Ukrainian government called on volunteers to form a cyber army to help protect the country’s critical infrastructure and gather intelligence on Russian troops. More recently, Ukrainian Vice Prime Minister Mykhailo Fedorov tweeted a link to a Telegram channel calling for hackers and tech specialists to join the “cyber front,” which today has more than 250,000 members. These efforts appear to have yielded results, with several Russian websites and state online portals taken offline, according to the Ukrainian cyber police. A Twitter post from an account that purports to be associated with the hacker collective Anonymous claimed credit for disabling websites belonging to the Russian oil giant Gazprom, the Russian news agency RT, and several other Russian and Belarusian government agencies, including the Kremlin’s official site.
Even Russia’s allies are being targeted: earlier this week, hackers in Belarus reported attacking their own country’s railway system in order to hamper Russia’s ability to move troops to Ukraine. Although the fighting is geographically confined, the cyber operations transcend borders, with various hacker groups taking sides.
One group in particular appears to be internally divided, with both pro-Russia and pro-Ukraine members. After announcing its “full support” of the Russian government, the Conti group may be having second thoughts about taking sides. On Feb. 27, an individual with inside access to the Conti group leaked a huge cache of internal data, including chat logs, bitcoin wallet addresses, source code, and detailed information about the group’s technical infrastructure, logistical operations and attack methodologies. The leaker made their position clear by including the message “Glory to Ukraine” with the data, suggesting that the group’s earlier decision to support Russia was not unanimous. This is a significant blow to Conti’s operation and may jeopardize the group’s long-term viability. The chat logs and bitcoin wallet addresses will help law enforcement track the flow of money, while the source code will allow security researchers to analyze the ransomware’s encryption and, potentially, its weaknesses. Of particular importance are the group’s internal communications, which may indicate ties between Conti’s upper management and Russian intelligence agencies. This information and other intelligence will likely factor into whether the U.S. government adds Conti or its leaders to the list of sanctioned entities. Alternatively, it may force the group to rebrand and continue operations under a new name.
Following the leak of Conti’s internal data, a competing ransomware group, LockBit, announced its intention to remain neutral, citing the fact that it has members around the globe and a desire not to follow in Conti’s footsteps.
Given the U.S. government’s support of Ukraine, all organizations, especially those in the finance, energy, aviation, defense or supply chain sectors, should be on high alert for possible cyberattacks. Understand that the attacker’s goal may be embarrassment or maximum disruption rather than financial gain, so the usual playbook of “wait for the ransom note” does not apply. The Log4j vulnerability (Log4Shell, CVE-2021-44228) remains an exploit of choice for many attacker groups, so take steps to inventory every affected system and confirm it is running a fixed version. CISA provides a catalog of free tools and services at cisa.gov/free-cybersecurity-services-and-tools.
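The advice above to make sure Log4j is patched is only useful if you can actually find every copy of the library. The following script is an added example written for this page (it is not from the article, CISA, or the Apache project): it walks a directory tree, finds `log4j-core` jars by file name, compares the embedded version against the fixed versions Apache published for each release line (2.17.1 for Java 8+, 2.12.4 for the Java 7 line, 2.3.2 for the Java 6 line), and, for vulnerable versions, looks inside the jar to see whether `JndiLookup.class` has already been removed (the documented interim mitigation). The sample jars it builds in a temporary directory are constructed placeholders, not real Log4j builds. It only recognizes jars named `log4j-core-<version>.jar`; shaded or “fat” jars that embed Log4j under another name need a content scan instead.

```python
"""Find log4j-core jars on disk and classify them against the Log4Shell fixes."""
import os
import re
import tempfile
import zipfile
from pathlib import Path

# First fixed version per release line (from Apache's CVE-2021-44228 advisory
# and the follow-up fixes that landed through 2.17.1 / 2.12.4 / 2.3.2).
FIXED_BY_LINE = {(2, 3): (2, 3, 2), (2, 12): (2, 12, 4)}
FIXED_MAIN = (2, 17, 1)

# The class whose removal is the documented mitigation for unpatched jars.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JAR_RE = re.compile(r"log4j-core-(\d+)\.(\d+)\.(\d+)(?:[-.].*)?\.jar$")


def parse_version(filename):
    """Return (major, minor, patch) from a log4j-core jar name, or None."""
    m = JAR_RE.search(filename)
    return tuple(int(x) for x in m.groups()) if m else None


def fixed_for(version):
    """Fixed version that applies to this jar's release line."""
    return FIXED_BY_LINE.get(version[:2], FIXED_MAIN)


def assess_jar(path):
    """Classify one jar: patched, vulnerable, mitigated, out-of-scope or unknown."""
    version = parse_version(Path(path).name)
    if version is None:
        return None, "unknown"
    if version[0] != 2:                       # 1.x is not affected by CVE-2021-44228
        return version, "out-of-scope"
    if version >= fixed_for(version):
        return version, "patched"
    try:
        with zipfile.ZipFile(path) as jar:     # vulnerable version: was the class removed?
            has_jndi = JNDI_CLASS in jar.namelist()
    except zipfile.BadZipFile:
        return version, "unknown"
    return version, ("vulnerable" if has_jndi else "mitigated")


def scan(root):
    """Walk `root` and return {jar_path: (version, status)} for every log4j-core jar."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.startswith("log4j-core-") and name.endswith(".jar"):
                full = os.path.join(dirpath, name)
                results[full] = assess_jar(full)
    return results


def build_sample_jars(dest):
    """Constructed sample jars for an offline demo (placeholder contents, not real Log4j)."""
    cases = {
        "app1/lib/log4j-core-2.14.1.jar": True,   # unpatched, JndiLookup present
        "app2/lib/log4j-core-2.14.1.jar": False,  # same version, JndiLookup removed
        "app3/lib/log4j-core-2.17.1.jar": True,   # patched release
        "app4/lib/log4j-core-2.12.1.jar": True,   # Java 7 line, below 2.12.4
    }
    for rel, with_jndi in cases.items():
        p = Path(dest) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(p, "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            if with_jndi:
                jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder, not a real class


def demo():
    """Build the sample tree, scan it, and return {relative_path: status}."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_jars(tmp)
        found = scan(tmp)
        return {Path(os.path.relpath(p, tmp)).as_posix(): status
                for p, (_, status) in found.items()}


if __name__ == "__main__":
    for rel, status in sorted(demo().items()):
        print(f"{status:12} {rel}")
```

Run it against a real server with `scan("/opt")` (or wherever your applications live) and treat anything reported as `vulnerable` or `unknown` as work to do today; `mitigated` jars still deserve a proper upgrade, since removing the class was only ever a stopgap.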
Carefully consider the ramifications of any public statements about the conflict. Given the cyber “firepower” on both sides, provocative language can draw attention and make your organization a target of future attacks.
If your organization is hit with ransomware, work with experienced data breach counsel to navigate potential U.S. sanctions concerns before any payment is considered. Be especially careful when dealing with Russia-aligned attacker groups, Conti in particular. While Conti is not currently on the U.S. sanctions list, that can change quickly in a volatile situation, and a payment to a sanctioned entity exposes the payer to liability. You should also expect that your third-party partners, including payment negotiators and banks, may be reluctant to engage in payment activity tied to certain groups.
Finally, take a close look at the provisions of your cyber liability insurance policy and talk to your broker about acts-of-war exclusions. In 2017, Russia targeted Ukraine with the NotPetya malware, which quickly spread around the globe and shut down the computer systems of hundreds of companies worldwide. Acts-of-war exclusions were raised in the claims analysis of entities that were collateral damage, so do not assume that losses from a state-sponsored attack will be covered.
The current conflict provides a sneak preview of the future of modern warfare. Whatever tools, techniques and exploits are developed during this conflict are likely to be the same ones used against the U.S. by threat actors in the future.