Days, weeks, even months before Russia’s armies crossed the border into Ukraine on 24 February 2022, security experts were warning of an impending cyber war the likes of which the world had never seen.
Talk of destructive attacks against critical targets in the West that might draw Nato into the conflict grew when, prior to the invasion, increasing volumes of cyber attacks against targets in Ukraine were launched to lay the groundwork for Russia’s attack. This culminated in the discovery of multiple data wipers – malwares that look and act like ransomware lockers, but destroy data rather than encrypt it.
With the benefit of hindsight it is easy to see how so many were swept along. Russia-based threat actors have become the bête noire of the cyber security community, and not unreasonably so, for they are highly active, highly sophisticated and highly dangerous.
Recent geopolitical history also sets a precedent, littered as it is with Russian state-linked cyber attacks on Ukraine, some of which, such as NotPetya, spilled over to have global impacts.
Jamie Collier, senior threat intelligence advisor at Google Cloud’s Mandiant, looks back. “At the start of the conflict, there was definitely a lot of concern about the spill-over,” he says. “There was talk along the lines of, are we going to see another NotPetya, or wiper malwares with all kinds of propagation features spreading uncontrollably, [and] concern about critical infrastructure – not just in Ukraine but across Europe.”
But in the event, the cyber war, although extensive, did not materialise in the way that many had imagined. Collier’s colleague, Paul Tumelty, who is Mandiant’s regional consulting leader for the UK and Ireland, and practice leader for EMEA government, says: “The overwhelming threat has been inside Ukraine, against Ukrainian interests.
“[But] there has been some evidence of ongoing espionage against Russian targets outside of Ukraine, but related to Ukraine,” he adds. “We’ve done a number of incident response cases with governments in Europe, where it’s evident that the group we track as APT29 [Cozy Bear] continues to conduct cyber espionage activities against European governments and decision-making bodies, largely to track the decision-making processes around things like sanctions and diplomatic manoeuvring.”
Failure of attacks an important lesson
In the nine years since Russia’s illegal annexation of Crimea and the past 12 months of outright conflict, Ukraine’s armed forces have become a byword for bravery and heroism, and its cyber defenders have also more than held their own.
Lindy Cameron, CEO of the UK’s National Cyber Security Centre (NCSC), says the failure of Russian cyber attacks on Ukraine to achieve their intended impacts contained an important lesson, although she warns against complacency in this regard.
Speaking at a Chatham House conference in the autumn of 2022, Cameron said the established strength of Ukraine’s cyber defences built up over years, and the support Kyiv has received from friendly governments and private sector partners had stopped Russian disinformation and cyber attacks from achieving their intended effect of destabilising Ukraine still further.
“Both efforts have largely failed, thanks to the efforts of Ukrainian and western digital expertise within governments and the private sector,” she said at the time. “In many ways, the most important lesson to take from the invasion is not around the Russian attacks – which have been very significant and, in many cases, very sophisticated – it is around Russia’s lack of success. Try as they might, Russian cyber attacks simply have not had the intended impact.
“Russia has made Ukraine match fit over the past 10 years by consistently attacking them,” added Cameron. “We haven’t seen ‘cyber Armageddon’. What we have seen is a very significant conflict in cyber space – probably the most sustained and intensive cyber campaign on record.”
Clearly cyber Armageddon did not happen in the UK or Ukraine, but Ziv Dines, chief technology officer at Armis, is anxious to address the idea that all has been peaceful and quiet outside the war zone. Indeed, he says, general volumes of malicious activity emanating from Russia are through the roof.
“We’ve seen an increase of 15% in cyber attacks and malicious activity on the networks that we monitor,” says Dines. “It’s not 500% or 1,000%, but there has been an increase, so we’re trying to break that perception that nothing is happening. No, things are happening, and they are impacting networks around the world.”
Digital transformation blocked
Organisational leadership is not blind to this growth in malicious activity. A recent report compiled by Armis revealed that over 50% of UK organisations believe the threat of cyber warfare is actually hindering their digital transformation programmes. Dines says this may have something to do with a growing realisation that nobody is immune to potential spill over.
“Critical infrastructure operators were always afraid, and anybody who works with armies or the military or whatnot, but when you look at random companies, they were not afraid,” he says. “That changed in the past year. They are now afraid. They have seen the devastation. They have seen what can happen with those attacks, and they’re now afraid. That impacts their project.”
The ultimate effect of this, says Dines, customers that started a large scale digital transformation project two to five years ago are now realising that they need to pause and reassess what risks the war in Ukraine is exposing them to before proceeding, so
A tendency to overreact?
This raises questions around who is actually at risk of being dragged into the cyber war? Collier says: “If you’re a large, multinational organisation, say a bank that’s going to have some interaction with sanctions regimes, that there is concern there that Russia might target you. Those concerns were reasonable, they weren’t invalid.”
However, he has seen a tendency for some organisations to maybe overreact, or even overcorrect to the Russian threat, and while it’s important to pay attention to that and dedicate resources towards it, some may have dropped the ball on other issues that were perhaps more relevant to their organisation.
“Ransomware remains the top threat for the vast majority across Europe,” says Collier. “We’ve also seen the likes of China and other states remaining active, so zeroing in on Russia for most is a risky strategy given all the other threats out there.”
Dines argues that some security leaders may have been a bit naïve in the past, in the sense that because they were maybe not operating in a vertical that was of much interest to Russia’s espionage goals – they thought Russians did not care about them, and so they were safe. “Nobody’s safe anymore, therefore, part of my mindset has to be, ‘okay, what do I need to do or change in my day-to-day work because of it?’” he says.
He likens the current situation to how the process of flying changed dramatically – particularly in the US – in the aftermath of the 11 September 2001 terrorist attacks.
“We created new industries and new security concerns and spent hours at the airport and completely changed the way we think,” says Dines. “The fact that you can’t carry a deodorant onto a plane because it contains over 100ml of liquid would have been absurd 25 years ago, and yet it’s so common and obvious now. The same long-term effect is happening in cyber.”
Lessons learned
And as always, the old maxim that those organisations that have paid attention to the fundamentals of cyber security will withstand an attack better than those that have bought the most costly service holds true here to some extent.
“Those that focus on the fundamentals do tend to be the ones that are better set up for long-term success,” says Collier.
“What we have seen is that a lot of Russian activity over time has actually reused infrastructure and malware. We’ve got to remember that these Russian threat groups, while well-resourced, are also people with finite resources, and that means that over time we have become increasingly empowered to actually do something about it – because a lot of this does come down to locking down the basics and having good security hygiene.”
Tumelty reports that a lot of organisations have demonstrably improved their overall cyber security posture as a result of the business continuity exercises they ran during the Covid-19 pandemic.
“A lot of what I hear from board level is that they learned a lot from Covid-19 in terms of remote working, in terms of planning, and while it may not be formally documented they did adopt similar process and methodologies to adapt to the Ukraine crisis, and then it was business as usual, once they overcame the initial shock of the invasion,” he says.
But this is not to say there are other weaknesses that are still being overlooked. In many cyber warfare-linked incidents Mandiant has responded to, says Tumelty, it has found legacy unpatched or uninventoried hardware riddled with vulnerabilities, and in some cases, pirated software seeded by Russian actors ahead of time, that has been laced with malware. He recommends paying more attention to asset management, closing down legacy applications and taking steps to minimise the attack surface.
Shields up
Chief information security officers and security teams in organisations that may be more at risk of a Russian intrusion should also be paying attention to new threat intelligence as it emerges, because an additional effect of the conflict has been to cause a significant shift in the nature of the financially motivated Russian cyber criminal ecosystem, as Immanuel Chavoya, a threat detection and response specialist at SonicWall, pointed out.
This trend is perhaps best exemplified by the collapse of the Conti ransomware cartel amid supposed infighting. “Some groups have split over political allegiances and geopolitics, while others have lost prominent operators, impacting the way we think about these groups and our traditional understanding of their capabilities,” he says. “Additionally, we’ve seen a trend towards specialisation in the ransomware ecosystem, making definitive attribution more difficult. This highlights the importance of continuously monitoring and analysing the evolving threat landscape to effectively mitigate risks.”
And Trustwave security researcher Jeannette Dickens-Hale says it would be a mistake to underestimate Russia’s cyber-offensive capabilities.
“While Ukraine has been Russia’s cyber playground to try out various attack types over the years, one should not assume the current cyber offensive and physical war against Ukraine is indicative of any weakness on Russia’s part,” she says. “Russia is also learning quite a lot from this incursion and may come out on the other side with new and honed skills to implement in the real world.
“As we know, crimes usually come before the laws that govern them,” says Dickens-Hale. “Threat actors innovate and law enforcement has to draft and enact laws that mete out justice for the crime or cyber crimes committed.
“Hybrid warfare – cyber and kinetic attacks being waged simultaneously – is new to the warfare arena. However, the Tallinn Manual identifies specific rules governing cyber Rules of Engagement. Like all types of war, to what extent these rules are complied with or to what extent those rules will evolve is anyone’s guess.”
The development of modern-day computer science owes much to warfare. Indeed, there is a direct line between the development of early mainframes such as ENIAC – which was designed during the Second World War to help the US Army calculate trajectories for artillery shells – and a smartphone.
Even if peace returns to Ukraine in the short-term, absent a complete collapse of Russian forces or some form of regime change in Moscow, the end of the kinetic war will not cause the cyber threat posed by Russian threat actors, state-backed or otherwise, to diminish.
It’s a virtual certainty that Russia’s intelligence services are using the conflict to develop and refine new tactics, techniques and procedures, and as we have seen so often before, it’s likely that these attacks will trickle down into the cyber criminal underground.
On 14 February 2022, as tensions in Ukraine escalated, Jen Easterly of the US Cybersecurity and Infrastructure Security Agency issued her now-famous “Shields Up” advisory. Now is not the time to drop them.