This week’s military tensions between Russia and Ukraine were foreshadowed by a string of cyberattacks on Ukrainian government targets, in a demonstration of the ‘hybrid warfare’ tactics that Russia has employed in this and other conflicts. These cyberattacks will continue, experts predict, and may spill over into attacks on NATO member states. Meanwhile, Russia’s aggressive stance may provide inspiration for the country’s cybercriminal gangs, which have both direct and indirect links to its intelligence services.
Russia’s hybrid warfare
Russia has this week moved military forces to its border with Ukraine, in an escalation of the conflict over Ukraine’s NATO membership that has roiled since 2014. These moves were preceded last week by a series of cyberattacks on more than 70 Ukrainian government agencies, IT companies and non-profit organisations.
Russia has combined ‘cyberwar’ tactics with more traditional ‘kinetic’ warfare throughout its conflict with Ukraine. In December 2015, hackers infiltrated power stations in Ukraine, triggering a blackout that affected over 200,000 households; Ukrainian officials attributed the attack to Russia. And in 2017, malware known as NotPetya targeted financial, energy and government institutions in Ukraine; the UK’s NCSC says Russia’s military was “almost certainly” responsible for the attack.
Other conflicts, including Russia’s invasion of Georgia and tensions with Estonia, have had cybersecurity dimensions, although the degree of involvement of state forces in these is not clear.
Such attacks are likely to continue if the current confrontation with Ukraine escalates, says Franz-Stefan Gady, a fellow at security think tank the International Institute for Strategic Studies (IISS), and may spill over onto other targets. “In the event of a military conflict, it is likely that we will see hacker groups of Russia’s military intelligence agency GRU, as well as [intelligence agency] the FSB, conduct offensive cyber operations against critical information infrastructure in Ukraine and, perhaps, select European NATO member states,” he says.
US cybersecurity agency CISA, meanwhile, has issued guidance on protection of critical infrastructure in light of the attacks in Ukraine. This suggests the US has “identified a risk to themselves and allies,” says Emily Taylor, CEO of cybersecurity intelligence consultancy Oxford Information Labs and associate fellow at Chatham House. “They view critical infrastructure providers and others as vulnerable to cyberattack.” (Update: the UK’s National Cyber Security Centre has now also warned organisations to bolster their cyber security resilience in response to the malicious cyber incidents in and around Ukraine.)
Taylor views such attacks as “a continuation of Cold War tactics. Undermining the confidence and strength of the enemy is part and parcel of the way that you gain the upper hand.”
When confronting adversaries such as the US or NATO, cyberattacks “really give you an awful lot of impact for relatively little risk and relatively little financial outlay compared to actual weapons,” Taylor says. In the absence of international laws on state-backed cyberattacks, these methods pass under the threshold of activity that might provoke a full-fledged war, she explains. Russia has led attempts in the UN to establish such laws – perhaps a sign of its vulnerability, Taylor says.
Cybersecurity risks of the Russia-Ukraine conflict
IISS’s Gady is doubtful that Russia will directly target the critical infrastructure of the US or its allies as part of its conflict with Ukraine. “First, because US retaliation against Russian critical infrastructure would be massive,” he says. “After all, the US remains the number one offensive cyber power in the world.” Secondly, Gady says, because Russia “likely has no intention to deplete its most sophisticated cyber arsenals and wants to husband them for future confrontations with the West.”
Nevertheless, a cyberattack does not need to be specifically directed at Western targets to cause them harm. NotPetya, for example, caused disruption costing hundreds of millions of dollars for global companies including shipping giant Maersk, pharmaceutical company Merck, and construction materials supplier Saint Gobain. One estimate places the global cost of the NotPetya attacks at $10bn.
"The NotPetya cyberattacks from 2017 are a good example of what could lay in store: destructive malware that makes systems inoperable causing a widespread disruption of services," says Gady. "The malware spread far beyond the borders of Ukraine. So this is a real danger in the coming weeks as tensions between Russia and the West are increasing."
Furthermore, Russia's conflict with Ukraine has served as a test-bed for techniques that may be used in other contexts, says Taylor. Its reported interference in the 2016 US presidential election, for example, had precedent in Ukraine, she says.
Will the Russia-Ukraine conflict increase cybercrime?
The Russia-Ukraine conflict's potential impact on cybercrime could also increase cybersecurity risk for Western organisations. Russian intelligence agencies are linked to the country's cybercriminal underground in three ways, according to an investigation by cyber intelligence provider Recorded Future: direct and indirect links, and tacit agreements.
Russia's intelligence agencies are typically the main beneficiaries of their links with the cybercriminal underground, which they reportedly use as a recruiting ground for cybersecurity talent. Milan Patel, the former CTO of the FBI's cyber division, once complained that tipping Russian authorities off about cybercriminals helped them recruit agents. "We basically helped the FSB identify talent and recruit them by telling them who we were after," he told BuzzFeed News in 2017.
The state also uses tools and techniques borrowed from cybercriminals to cover its tracks and ensure 'plausible deniability' for its attacks. The malware distributed last week, for example, was reportedly designed to resemble a criminal ransomware attack.
But Russia's cyberwar efforts could also contribute to cybercrime. Firstly, Russian cybercriminal groups have been known to join in with the country's cyberwar effort, whether or not they have been encouraged to do so by the government. A spate of cyberattacks on Estonian targets in 2007, following a dispute over a statue, was "orchestrated by the Kremlin, and malicious gangs then seized the opportunity to join in and do their own bit to attack Estonia," an Estonian official told the BBC.
Secondly, Russia's cyberwar activity could "normalise" certain techniques that are then adopted by criminals, says Taylor. The groups behind the ongoing ransomware crisis, for example, may well have drawn inspiration from state-backed attacks.
Russia has long been accused of turning a blind eye to the country's cybercriminal groups, but there have been indications of a hardening stance in recent months, following pressure from US president Joe Biden. Earlier this month, the FSB arrested members of the REvil ransomware group, seizing stolen funds and 20 luxury cars. It remains to be seen whether this signals a genuine crackdown on ransomware, or was a tactical measure in preparation for its moves against Ukraine.