Does the War in Ukraine Increase the Risk of Russian Cyberattacks?
In January, the U.S. Cybersecurity and Infrastructure Security Agency issued a CISA alert, co-written with the Federal Bureau of Investigation and National Security Agency, reiterating the ongoing threat of Russian state-sponsored cybercrime on American infrastructure. Analysts cited the tension on the Russian/Ukrainian border as motivation for increased awareness.
“There’s an irony to CISA alerts; companies that already have established cybersecurity policies will most likely respond accordingly and adjust their preparedness as needed,” says Adam Levin, founder of CyberScout, author of cybersecurity book Swiped and host of the What the Hack podcast. “Companies that are limited by budget, staff or that haven’t prioritized cybersecurity will not.”
This isn’t to say analysts didn’t see appropriate responses to the CISA alert. “We have seen heightened awareness of emerging global security threats among our customers, with organizations considering how the recent conflicts may have global ramifications,” says Silas Cutler, principal reverse engineer for cybersecurity firm Stairwell and a former researcher for Google and CrowdStrike. “There is an uptick in interest in emerging threat research and intelligence and being able to rapidly assess and triage that intelligence within organizations.”
“Yes, customers across all sectors were reaching out to talk about where they are in regard to not only their proactive cybersecurity programs, but also their hygiene and responsive programs,” says Ryan Cloutier, president of risk assessment firm SecurityStudio. “We saw this across all industries: defense, manufacturing, technology, state and local governments, education, etc.”
Modern Warfare Includes Cyber Warfare
When tensions on the border erupted into all-out war, did cybersecurity experts see a commensurate increase in Russian cyberattacks?
“Attribution is the hardest part of cybersecurity. While we can take very secure guesses about who is carrying out an attack based on their sophistication and specific characteristics about the attack, it is usually very hard to provide definitive evidence to tie an attack to a specific country,” Cloutier says. “Russia, like China and North Korea, has a sophisticated cyber intelligence community and can carry out attacks that are much more complex than other nations, and given the nature of the sanctions being doled out by Western countries, we expect to see attacks from Russia propagate.”
“We are seeing cybercriminals use Russia and Ukraine-centric social engineering efforts, like phishing emails, leveraging current events to solicit an emotional response to the war,” says Rosa Smothers, former CIA cyber threat analyst and technical intelligence officer, now at KnowBe4. “In other words, people are less likely to think before they click.”
“At this time, there has been limited observed activity from previously attributed Russian advanced persistent threat (APT groups)… since the start of the Ukraine conflict. While it is suspected that WhisperGate and HermeticWiper were Russian state-sponsored, conclusive links to previous APT groups have not been established at this time,” Cutler says. “It remains unclear why we are seeing such a limited response from known groups and is something we are closely watching.”
“We have seen an increase in phishing attacks originating from Russia that are directed at specific targets,” Levin says. “Avanan, an email cybersecurity firm, reported an 800% increase since February 27. That’s almost certainly causal rather than correlative. Known hacking groups are also now more likely to be more vocal in proclaiming loyalty to Russia in their activities, but this doesn’t necessarily mean there’s been an increase.”
For example, on February 25, the Conti ransomware group, purportedly based in Russia, declared its intention to support the Russian government by striking the critical infrastructure of anybody that launches cyberattacks on Russia.
“The result here is pro-Ukraine members of the same gang leaking a year’s worth of internal messages showing that the number of cyberattacks from within Russia toward the West was already high before the attack on Ukraine,” Cloutier says.
Settle in for Long-Term Increased Russian Cyberthreats
If January’s CISA alert wasn’t enough to motivate American businesses to increase their defensive posture against Russian cybercrime, reports of even greater risk may shake them into action. If the COVID era has taught us anything, however, heightened awareness against threat generates fatigue over time. How long should businesses prepare to settle into a state of hypervigilance for signs of Russian cyberattack?
“We should expect to maintain a heightened level of security from now on as attacks, regardless of cause or current events, will continue to increase at an exponential rate over the next few years,” Cloutier says.
“The need for heightened awareness related to this conflict is not likely to go away anytime soon,” Cutler agrees.
When the situation finally cools off, whether it be through Russia or Ukrainian victory or a negotiated peace, and if-and-when wide-ranging economic sanctions against Russia lift, should we expect a return to more usual levels of awareness of Russian cybercrime?
“The Russian government has mostly turned a blind eye to major cybercrime syndicates operating within their borders for the last several years as long as they didn’t target Russian assets,” Levin says. “It’s unrealistic to assume that their stance, which has been enormously successful for them from a cyberespionage point of view, would change if every sanction were dropped and the Ukrainian government were unseated and replaced.”
“We should not take our eyes off of cybersecurity practices no matter what is happening on the world stage. As evidenced by the Conti message leak, Western businesses and organizations are constantly being attacked,” Cloutier says. “One thing to keep in mind is that we should not be so distracted by what is happening in Ukraine that we overlook other significant threats. We cannot lose sight of China, Iran, North Korea and other hostile nations. Too much focus on a single adversary leaves us with a blind spot to other attackers who are just as effective, and, in some cases, more damaging.”