Russia’s invasion of Ukraine could fuel an escalation in cyberwarfare with the West, experts have warned.
After Ukraine’s computers were attacked, Russia will put Western systems and platforms in its sights as deeper sanctions are imposed by the US, UK, and the European Union, it is feared.
“We expect to see that probably beyond just Ukraine, disinformation to target Western audiences, cyberespionage against key NATO members, as Russia tries to understand the next moves when it comes to sanctions or other steps that Western governments will play,” Luke McNamara, principal analyst at cybersecurity consulting firm Mandiant, told The Register.
The US on Thursday issued fresh sanctions targeting Russia’s banking and financial sectors, and also implemented “unprecedented export control measures” to cut “off more than half of Russia’s high-tech imports,” the White House said.
This round of sanctions, in response to Thursday’s conflict, will restrict Russia’s access to vital technology, hurt the industrial base, and undercut “Russia’s strategic ambitions to exert influence on the world stage,” the White House said. Specific details on the tech export control measures weren’t available, though US President Joe Biden is willing to cut chip exports to Vladimir Putin’s nation.
“While there are not any specific, credible, cyber threats to the US, we encourage all organizations – regardless of size – to take steps now to improve their cybersecurity and safeguard their critical assets,” a US Department of Homeland Security spokesperson told The Register.
Over in the UK, Prime Minister Boris Johnson said major Russian banks will be excluded from Britain’s financial system and oligarchs will face fresh sanctions as a result of the invasion.
Military malware
The US and UK governments this week warned [PDF] of Russia-linked malware called Cyclops Blink, which can infect network equipment to exfiltrate data and attack downstream devices in key targets. This software nasty appears to be a replacement for Kremlin espionage-ware dubbed VPNFilter, which for one thing could detect the presence of industrial SCADA equipment.
Uncle Sam also today issued an advisory describing Iranian government-sponsored actors, known as MuddyWater, “conducting cyber espionage and other malicious cyber operations targeting a range of government and private-sector organizations across sectors in Asia, Africa, Europe, and North America.”
“We have seen government warnings about Western banks being targets, in retaliation for sanctions on major Russian banks, but at this point, one certainly couldn’t rule out a broader range of targets,” Emily Kilcrease, senior fellow and director for energy, economics and security program at the Center for New American Security, told The Register.
Credit-ratings agency S&P Global Ratings also issued a heightened alert for possible cyberattacks on key institutions and infrastructure.
“Cyberattacks are becoming a more prevalent means of achieving foreign policy objectives, given their lower deployment costs relative to conventional military tactics and uncertain scope for retaliation,” the S&P Ratings research note, which was shared with The Register, stated.
S&P gave the example of NotPetya, which in 2017 hit Ukraine and ultimately disrupted 7,000 companies across 65 countries globally, with estimated economic losses of around $10bn. The US Department of Justice in 2020 charged six Russian intelligence officers with distributing NotPetya, among other things.
“We believe that the economic impact from such an attack for entities could be more severe now, given increased interconnectedness and digitalization.” said S&P credit analyst Zahabia Gupta, in the research note.
Computers in Ukraine this week were hit by Windows malware that wipes out data, and the country’s government and banking websites have been whacked offline over the past few weeks.
Netblocks, which tracks internet disruptions, reported network connectivity problems in Kharkiv, which has been taken over by Russian forces. The Kremlin’s website is offline for at least us here in America. Russia’s military website mil.ru is returning the joke HTTP 418 error for those connecting from outside the nation.
An eye for an eye turns the whole world blind
President Biden has been presented with retaliatory cyber-assault options, NBC News reported. The White House disputed the report.
“It’s going to be a bit of an escalation cycle, unfortunately,” Kilcrease said.
Mandiant’s McNamara is keeping a close watch on the activities of Russia-linked cyber-spy gang Temp.Isotope, which also been referred to as Berserk Bear, or Energetic Bear. This crew is known for abusing Microsoft’s SMB protocol to infiltrate energy and industrial sectors.
As a sanction, the West could block Russia from the SWIFT banking communications system, and that in turn could spark online attacks on the finance sector in response. “To disconnect Russia from SWIFT, that would certainly be a pretty significant step,” McNamara said. “Historically we’ve seen when you have a state adversary that has a capability and is disconnected from SWIFT, what they’re willing to do. We’ve seen that in the case of North Korea.”
Companies should bulk up their security posture by putting themselves in the shoes of the adversary, McNamara said. He gave the example of Colonial Pipeline, which was ransacked by a Russian ransomware group Darkside and had to shut down its oil pipelines amid gas shortages. That is to say, one should predict the kind of public-facing chaos and disruption an attacker might wish to create, and then take steps to prevent or mitigate that scenario.
“Even just some sort of panic and people running to the pump for gas, that’s something I think you have to think about how the adversary might approach this,” McNamara said.
Mandiant in 2013 outed China’s military as having siphoned hundreds of terabytes of data from computers from US corporations.
Secrets deleted
Some customers have asked Akamai for help with network security related to the situation in Ukraine. The inquiries focus mainly on the mitigation of malicious traffic, and using geoblocking to comply with new regulations and sanctions against Russian entities, a company spokesperson told The Register.
Akamai is working on mechanisms to help customers block such traffic, especially from breakaway Ukrainian regions invaded earlier this week by Russia. “As of this publication, Akamai only has tools to apply such regional blocking for Crimea, but is working to expand capabilities quickly to encompass the Donetsk and Luhansk regions,” the spokesperson said.
Meanwhile, Cloudflare has removed all “customer cryptographic material from servers in Ukraine” as a precaution, according to CEO Matthew Prince. Presumably this is so that secret keys don’t end up falling into the hands of invading forces.
Distributed denial-of-service attacks have been felt in Ukraine in recent days, and whether it’ll work on Western targets is an open question, Mandiant’s McNamara said. DDoS floods on Western financial institutions in 2012 in response to US sanctions against Iran’s financial system was successful as it disrupted bank operations. Russia may launch DDoS attacks in some instances, though defenses against these kinds of assaults have got a lot better since a decade ago.
“So it may be that the preference for disruptive or destructive attacks is something more akin to wiper malware,” McNamara said.
Kaspersky Lab, which is based in Moscow, declined to provide specifics on how it was serving customers amid the sanctions and worsening situation between Russia and the West.
The infosec biz remains focused on delivering its security expertise, and will continue to protect businesses, critical infrastructure, governments, and netizens around the globe, it told The Register in an email.
“Kaspersky’s business operations remain stable. The company guarantees the fulfillment of its obligations to partners and customers – including product delivery and support and financial transaction continuity. The global management team is monitoring the situation carefully and is ready to act very quickly if needed,” it said. ®