The appalling conflict in Ukraine over the past three weeks has changed perspectives and sharpened minds in several areas, such as energy sources and military spending. The Russian invasion has also offered crucial insights into the role and use of cyber-attacks in modern warfare, and analysts are watching closely. The Russian state has been linked with numerous high-profile incidents, from NotPetya in 2017 to the SolarWinds supply chain attack in 2020. Therefore, it was always on the cards that Russian state-sponsored cyber-threat actors would be heavily involved in the conflict.
However, cyber warfare is a two-way street, and it appears numerous individual hackers and groups have flocked to the defense of Ukraine, launching their own attacks against Russia.
To gain some reflection on these developments, Infosecurity sat down with Yuval Wollman, president at CyberProof – a UST company. Yuval discussed the use of cyber in the conflict so far and what this tells us about its role in modern warfare.
What trends have you observed regarding the use of cyber-attacks during the Russia-Ukraine conflict? Has it been as prevalent as you would expect to date?
With fears of a humanitarian crisis mounting – and Ukraine’s leadership calling Russian troops “war criminals” – attitudes towards military conflict in Western Europe underwent a sea change over the past three weeks: approaches to defense spending radically shifted, according to The Economist. Germany, for example, increased its defense budget to €100bn – over 2% of its gross domestic product. In addition, Chancellor Olaf Scholz spoke about taking steps to fortify Germany with the next generation of battle tanks and aircraft.
Even prior to the Russian invasion, cybersecurity spending was increasing. The Record research mapped 2021 cyber spending: US ($2bn), Japan ($665m), UK ($350m), Germany ($240m) and France ($165m).
As a result of these growing investments, cyber wars are expected to be more dominant in future conflicts. This, in turn, can be expected to impact cyber-risk across public and private sectors.
That’s the shift: first, geopolitical tensions escalate cyber warfare. Second, governments invest in cyber defense. Third, this forces nation-state threat actors to attack private companies to try to gain access to government targets. The spillover effect in the cyber sphere is mirrored by an additional spillover effect: in the private sector. As cyber activity intensifies, the threat to enterprises grows – creating new challenges for private organizations. A third spillover effect exists, as well, on the defensive side. Knowledge of threats is transferred from intelligence communities to industry, but this happens more slowly because offensive proxies have government sponsorship; defensive capabilities are shared less directly.
These trends have obvious financial implications for enterprises, increasing cyber-risk and thus the necessary resources that are allocated for cyber detection and response.
In recent years, Russian threat actors have launched highly effective cyber-attacks on Ukraine’s critical infrastructure. Why do you think we are not seeing this now the two countries are in conflict?
Russia has a history of cyber-attacks in Ukraine. At the start, there was reason to believe their assault would include an attack on Ukrainian critical infrastructure. Assaults on Ukrainian government websites and banks – distributed denial of service (DDoS) attacks – took place on February 15 and 16. On February 23, the websites of Ukraine’s parliament and government agencies were disrupted. In January, several government sites were defaced.
Yet, to date, Russian cyber-attacks have had minimal impact, given the history: in 2016, a suspected Russian malware disrupted Ukraine’s power grid, leading to a fifth of Kyiv losing electricity. In 2017, Russia deployed NotPetya malware by means of Ukrainian accounting software, which spread internationally – causing billions of dollars in damage. In 2018, a suspected Russian attack attempted to shut down a Ukrainian chlorine plant. The painful lessons learned from these attacks perhaps spurred the security hardening of Ukrainian government-controlled systems.
The term ‘Russian roulette’ comes to mind. What are the Russians planning next? We see Russian military preparations for the next stage of the onslaught, but are cyber-attacks in the offing? There’s no way to know. According to The Economist, a cyber response would be the likeliest Russian countermeasure to the economic sanctions imposed by the West. We may be entering a cyber arms race. On the other hand, Russia is showing restraint, at least for now.
Many questions about cyber warfare are unclear. While there are known laws of war and nuclear engagement, cyber warfare has almost no established definitions. This may partly explain why Russia hasn’t released its cyber capabilities. What would be the West’s response? If Russia attacked Ukraine’s power grid, would they be able to bring back services after hostilities ended? Anne Neuberger in the White House pointed out (in the “Sway” podcast) that if Russia is interested in maintaining control of Ukraine over the long term, it’s probably not in its interest to destroy the country’s critical infrastructure. However you look at it, the stakes are high; certainly, this is no time for complacency.
How effective have volunteer hackers and hacktivist groups been in counter-attacking Russian government assets online? How damaging may this be to the Russian government?
On the defensive side, 400,000 multinational hackers volunteered to counter-attack Russian digital assets, according to Ukrainian officials. Grassroots volunteers created widespread disruption – graffitiing antiwar messages on Russian media outlets and leaking data from rival hacking operations.
For the first time, cyber-attacks happening as part of geopolitical conflict were not under the strict control of any single government. Never have we seen this level of involvement by outside actors unrelated to the conflict.
Do you expect Russian state-sponsored actors to adapt their tactics in the cyber sphere, both for this conflict and longer-term?
I believe that the current cyber warfare between Russia and Ukraine reflects some of what’s being played out on the ground and establishes new norms we can expect to see in future conflicts.
Since the Russian invasion into Ukraine began, cyber warfare has escalated with more campaigns, malware strains, and attacks observed against various Ukrainian government organizations.
- SECOND WIPING ATTACK VIA ISAACWIPER OBSERVED: This new unattributed wiper was used in an attack against a Ukrainian government network just before Russia sent troops into Ukraine, while a new version of it was observed in attacks the very next day. Of note is the fact that IsaacWiper was used in attacks against a network that was unaffected by HermeticWiper. Additionally, it’s suggested that attackers are finding ways to move laterally between networks to spread the malware further. It is currently unclear whether the two wipers are linked, as IsaacWiper is a far less sophisticated piece of malware. Researchers indicate that while the method through which IsaacWiper is delivered to victims is currently unknown, RemCom – a remote access tool – had been deployed at the same time as IsaacWiper attacks. They also mention that Impacket is possibly being used to move within the afflicted network, according to ESET. Thus, it is suspected that attackers utilizing IsaacWiper managed to infiltrate the target networks sometime before the attacks took place.
- HERMETICWIZARD AND HERMETICRANSOM: Researchers spotted a new worm named HermeticWizard used to drop HermeticWiper with the help of WMI and SMB spreader modules. This was detected alongside the discovery of a Golang ransomware named HermeticRansom (also known as Elections Go Ransom and PartyTicket). The new ransomware was likely used as a smokescreen for the HermeticWiper attack due to its unsophisticated style and poor implementation and was used to target assets on the same day HermeticWiper was distributed. Researchers note that the HermeticRansom malware does not use any kind of obfuscation and has straightforward functionality, suggesting it was created in a short amount of time. Researchers are moderately confident that the HermeticRansom malware is linked to HermeticWiper’s primary objectives – destroying or otherwise making Windows systems unusable due to data loss – given the circumstances under which it appeared.
- FOXBLADE: Researchers mentioned that Ukrainian networks and infrastructure were seen being targeted by a recently discovered malware mere hours before the Russian invasion began, according to Microsoft. While several researchers have noted that FoxBlade and HermeticWiper are one and the same, there seems to be discourse within the cybersecurity community regarding this issue. One primary difference between the two pieces of malware that seems to contribute to the confusion surrounding this matter is the fact that HermeticWiper was not observed to have DoS capabilities, while FoxBlade can deliver such an attack.
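The list above describes worms and tooling that spread through WMI and SMB and move laterally inside a network. To show how a defender would look for that pattern in endpoint telemetry, here is an added Python example; it is not code from the interview, from CyberProof, or from any of the researchers cited. It correlates two signals on the same host: an executable written to an administrative share over the network, followed within a short window by a process spawned under the WMI provider host. The event schema, hostnames, IP addresses, file names and the 120-second window are all constructed assumptions; real Sysmon, Windows Security or EDR telemetry would need its own field mapping.

```python
"""Correlate constructed endpoint events to flag WMI/SMB-style lateral movement.

Added example; the log schema and all sample values below are constructed for
illustration. The heuristic is generic: a remote write of an executable to an
administrative share (ADMIN$ / C$) followed shortly by a process created under
WmiPrvSE.exe on the same machine is a classic remote-execution pattern.
"""
import json
from datetime import datetime, timedelta

# Constructed sample telemetry as JSON lines (assumed field names, not a real
# product's schema). Raw string keeps the Windows path escapes readable.
SAMPLE_EVENTS = r"""
{"ts": "2022-02-23T14:00:01Z", "host": "ws-17", "type": "share_write", "src_ip": "10.0.5.9", "share": "ADMIN$", "path": "\\Windows\\svchost-updater.dll"}
{"ts": "2022-02-23T14:00:03Z", "host": "ws-17", "type": "process_create", "parent": "WmiPrvSE.exe", "image": "rundll32.exe", "cmdline": "rundll32.exe C:\\Windows\\svchost-updater.dll,#1"}
{"ts": "2022-02-23T14:05:00Z", "host": "ws-22", "type": "share_write", "src_ip": "10.0.5.40", "share": "C$", "path": "\\Users\\bob\\report.docx"}
{"ts": "2022-02-23T14:30:00Z", "host": "ws-22", "type": "process_create", "parent": "WmiPrvSE.exe", "image": "powershell.exe", "cmdline": "powershell.exe Get-Date"}
{"ts": "2022-02-23T14:40:00Z", "host": "srv-01", "type": "process_create", "parent": "explorer.exe", "image": "notepad.exe", "cmdline": "notepad.exe"}
"""

EXEC_EXTENSIONS = (".exe", ".dll", ".ps1", ".bat", ".cmd")  # assumed list
ADMIN_SHARES = {"ADMIN$", "C$"}
WINDOW = timedelta(seconds=120)  # assumed correlation window


def parse_events(text):
    """Parse JSON lines into dicts with a real datetime, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def basename(path):
    """Last component of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def correlate_lateral_movement(events, window=WINDOW):
    """Return alerts where an admin-share drop precedes a WmiPrvSE child process.

    Each alert records the host, the remote writer, the dropped file and whether
    that file name shows up in the spawned process command line (a stronger link).
    """
    recent_drops = {}  # host -> list of (ts, src_ip, dropped file name)
    alerts = []
    for ev in events:
        host = ev["host"]
        if ev["type"] == "share_write":
            # Only executables landing on administrative shares are candidates;
            # ordinary document writes to C$ are ignored.
            if ev["share"] in ADMIN_SHARES and ev["path"].lower().endswith(EXEC_EXTENSIONS):
                recent_drops.setdefault(host, []).append(
                    (ev["ts"], ev["src_ip"], basename(ev["path"])))
        elif ev["type"] == "process_create" and ev["parent"].lower() == "wmiprvse.exe":
            for drop_ts, src_ip, fname in recent_drops.get(host, []):
                if timedelta(0) <= ev["ts"] - drop_ts <= window:
                    alerts.append({
                        "host": host,
                        "src_ip": src_ip,
                        "dropped_file": fname,
                        "image": ev["image"],
                        "file_match": fname.lower() in ev["cmdline"].lower(),
                        "seconds_between": int((ev["ts"] - drop_ts).total_seconds()),
                    })
    return alerts


def run_sample():
    """Run the correlation over the constructed sample and return the alerts."""
    return correlate_lateral_movement(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for alert in run_sample():
        print(json.dumps(alert))
```

On the sample, only ws-17 fires: the .dll written to ADMIN$ from 10.0.5.9 is followed two seconds later by rundll32.exe under WmiPrvSE.exe loading that same file. The document written to C$ on ws-22 is filtered out as a non-executable, and the later WMI-spawned PowerShell on that host has no matching drop inside the window, so it is not reported. In production the two signals would come from different sources (SMB share access auditing versus process creation telemetry), which is why the join is done on host and time rather than on a single event.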
What has the Russia-Ukraine conflict shown us about the use of cyber in modern warfare?
Cyber warfare is cheaper, easier, more effective, clandestine and easier to deny. It also can, sometimes, be quite subtle. A look at Russia’s claimed interference in the 2016 American election illustrates this. A January 2017 assessment by US intelligence leadership concluded Russia’s interference reflected Russian aggression. Yet, the public was less certain; partly, the confusion reflected messaging coming from the White House. It’s probable that the public confusion was what Russia desired. It sowed confusion and discord, creating polarization and agitating the public.
Moreover, cyber warfare can provide significant, long-term payouts without too much pain. SolarWinds is an example of this: in December 2020, a nation-state (presumably Russia) breached this IT company, leading to nine US agencies being compromised. Approximately 100 private companies were also compromised. Many were technology companies – and these products may generate additional intrusions, creating the potential for future follow-up attacks.
On top of all of this, I think the current conflict has illustrated that cyber warfare is also unpredictable. Close to three weeks into the current conflict, Russia has yet to dismantle Ukrainian critical infrastructure through a large-scale cyber-attack. This failure to obtain a swift victory in the cyber sphere mirrors the parallel Russian failure to win quickly on the ground. I think at this point, the next steps by Russia are unknown.