The European Union has activated its Cyber Rapid Response Team (CRRT) at the request of Ukraine to help deal with the barrage of cyberattacks stemming from Russia which preceded the overnight invasion of the Eastern European nation. It is thought to be the first time the pan-European team has been deployed, but its intervention may have come too late to make a significant impact.
Experts from the CRRT had been due to arrive in Ukraine yesterday, but in light of Russia’s invasion their physical deployment has been postponed “for the time being,” a spokesperson for the Lithuanian Ministry of Defence told Tech Monitor. The CRRT experts will provide support virtually, and its governing council is “reconvening to assess different options of support to Ukraine […] as the situation is changeable and must be reconsidered,” the spokesperson said.
Ukraine cyberattacks continue as Russia mounts invasion
Cyberattacks on Ukrainian targets have continued as Russian forces have entered the country. Distributed denial of service (DDoS) attacks hit Ukrainian organisations and government sites yesterday afternoon ahead of the physical invasion of the country by Russia. Internet observatory NetBlocks flagged network disruptions at Ukrainian ministries, saying “the incident appears consistent with recent DDoS attacks”.
Researchers at security company ESET also discovered a new data wiper malware used in Ukraine, which is thought to have been deployed on hundreds of machines across the country to destroy data.
Mykhailo Fedorov, the minister of digital transformation for Ukraine, has announced that currently “everything is stable” but that “attacks on all basic information resources have taken place and are taking place without stopping”.
⚠️ Confirmed: #Ukraine's Ministry of Foreign Affairs, Ministry of Defense, Ministry of Internal Affairs, the Security Service of Ukraine and Cabinet of Ministers websites have just been impacted by network disruptions; the incident appears consistent with recent DDOS attacks 📉 pic.twitter.com/EVyy7mzZRr
— NetBlocks (@netblocks) February 23, 2022
In a separate development today, the UK’s National Cyber Security Centre and its US counterpart, CISA, issued a joint advisory about a new malware, Cyclops Blink, which is thought to stem from Russian-backed group Sandworm. It is not known if this has been deployed against targets in Ukraine.
What is the CRRT and will it help Ukraine?
On Tuesday, the vice minister at the MoD of Lithuania announced that it had activated the CRRT at Ukraine’s request. The CRRT is composed of 12 EU member states, including Lithuania, Estonia, France, Finland, Poland, Croatia, Romania, Spain and the Netherlands. It is a permanent hub made up of IT experts from EU institutions. Once deployed, the CRRT will lend its support to incident response and boost resilience by providing a common cyber toolkit.
This is thought to be the first time the CRRT has been deployed, says Georgia Osborn, senior research analyst at Oxford Information Labs. “The blueprint seems to outline where and when a country can request assistance from CRRTs. To my knowledge, it has not been used before, at least not in a significant way.”
But anyone expecting the organisation to solve all Ukraine’s cybersecurity problems should temper their expectations, says Greg Austin, senior fellow for cyber, space and future conflict at the International Institute for Strategic Studies (IISS). “I think the CRRT will help Ukraine deal with whatever cyber incidents are occurring, but it really won’t be that significant,” he says. “It is important, however, to give them this sort of support.”
This is because cyber defences really need to be built up, over a matter of years, by the country itself, Austin says. “It takes ten or 20 years to build up a country’s cyber defences,” he explains. “It just can’t be done in a week or two weeks or a month.”
The positive effects of having experts on hand just after an attack are significant, however, argues Chris Morgan, senior threat intelligence analyst at security company Digital Shadows. “Having strong direction during the early stages of a cyber incident can make a demonstrable difference in minimising the impact of a cyberattack,” he says. “Organisations will be able to carry out preventative actions based on the recommendations of the CRRT, in addition to using best practices to improve the incident management efforts.”
The cybersecurity challenges facing Ukraine
Ukraine is likely to need some assistance in mitigating the effects of cyberattacks during the current invasion, as ransomware attacks are likely to follow the current wave of DDoS incidents, says Toby Lewis, head of threat analysis at security company Darktrace. “The greater and more likely challenge will be facing ransomware, which is a much more impactful technique because of its widespread and disruptive nature, irrespective of the target sector,” he says.
But Lewis agrees with Austin that Ukraine’s response to these attacks will be determined by the foundations it laid before the recent conflict began. “Beyond increasing cyber best practices and trying to stay focused on security, it is difficult for security programs to expand or grow at the moment of increased risk or threat; the core of that resourcing and effort needs to happen beforehand,” he says.