Experts have warned the international community that Russia's invasion of Ukraine could be followed by large-scale cyber warfare against the West.
After yesterday's DDoS and wiper malware attacks on Ukrainian devices and computers, Western systems face the same threat as Russia seeks to gather intelligence while Western governments, including the US, UK, and Australia, impose sanctions on Russia.
"We expect to see, probably beyond just Ukraine, disinformation to target Western audiences and cyberespionage against key NATO members, as Russia tries to understand the next moves when it comes to sanctions or other steps that Western governments will play," says Luke McNamara, cybersecurity analyst at Mandiant.
The US imposed fresh sanctions targeting Russian banks and financial institutions that deal in Western markets. The White House has also implemented export controls intended to "cut off more than half of Russia's high-tech imports."
These sanctions will restrict the country's access to technology and affect its "strategic ambitions to exert influence on the world stage," the White House said. It is also considering wider restrictions on sensors, semiconductors, chips, avionics, encryption and security products, navigation, and other technology.
In the UK, Prime Minister Boris Johnson has excluded major Russian banks from the British financial system.
Russia’s Military Malware
The US and UK cybersecurity agencies have warned of a new Russia-linked malware called Cyclops Blink. The malware infects network equipment, exfiltrates information, and can be used to attack other devices on the same network. It is assessed to be the replacement for VPNFilter, an earlier Kremlin-linked espionage malware that could detect the presence of SCADA equipment on a network.
“While there are not any specific, credible, cyber threats to the US, we encourage all organizations – regardless of size – to take steps now to improve their cybersecurity and safeguard their critical assets,” said DHS.
Separately, the US's CISA, FBI, and NSA and the UK's NCSC issued a joint advisory about MuddyWater, an Iranian government-sponsored advanced persistent threat (APT) group. The advisory said MuddyWater is targeting a range of organizations and government sectors in Europe, North America, Africa, and Asia.
"We have seen government warnings about Western banks being targets, in retaliation for sanctions on major Russian banks, but at this point, one certainly couldn't rule out a broader range of targets," said Emily Kilcrease, director of the energy, economics and security program at the Center for a New American Security.
S&P Global, the credit rating agency, has issued an alert about possible cyberattacks on critical infrastructure and institutions.
"Cyberattacks are becoming a more prevalent means of achieving foreign policy objectives, given their lower deployment costs relative to conventional military tactics and uncertain scope for retaliation," the S&P alert notes.
S&P cited the NotPetya incident of 2017, which hit Ukraine first and then disrupted around 7,000 companies across 65 countries, with a total economic loss of roughly $10 billion. Subsequent investigation led to charges against six Russian intelligence officers for distributing NotPetya.
Zahabia Gupta, an S&P analyst, said the economic impact of an attack like NotPetya "could be more severe now, given increased interconnectedness and digitalization." The recent attack on Ukrainian systems used wiper malware that destroyed data rather than encrypting it for ransom.
Response from the West
There have been reports that President Joe Biden was presented with retaliatory cyber-assault options, which the White House has denied. Kilcrease nevertheless expects that, unfortunately, "it's going to be a bit of an escalation cycle."
McNamara said Mandiant is keeping a close eye on the activities of Russia-linked groups, including Berserk Bear, also tracked as TEMP.Isotope. The group is known for intrusions into the energy sector, including activity that abuses Microsoft's SMB protocol.
Analysts note that as Western sanctions escalate, the West could cut Russia off from the SWIFT interbank messaging network, and that such a step could prompt retaliatory attacks on the financial sector.
"To disconnect Russia from SWIFT, that would certainly be a pretty significant step... Historically we've seen when you have a state adversary that has a capability and is disconnected from SWIFT, what they're willing to do. We've seen that in the case of North Korea," says McNamara.
Whatever Russia's response, companies everywhere should bolster their security by putting themselves in the adversary's shoes. McNamara cited the attack on Colonial Pipeline by the Russian ransomware group DarkSide, which shut down a major fuel pipeline and led to gasoline shortages on the US East Coast.
The same technique could be used deliberately to create public chaos and disruption, so defenders should anticipate such attacks and take steps to prevent and mitigate them. "Even just some sort of panic and people running to the pump for gas, that's something I think you have to think about how the adversary might approach this," said McNamara.
Network Security amid the Escalating Ukraine Crisis
Given the situation in Ukraine, customers have approached Akamai, a leading cloud security provider, for help with their network security. The main focus is on mitigating malicious traffic and on geoblocking to comply with new sanctions, the company told The Register.
Akamai is helping customers block traffic from newly sanctioned regions, a list that may grow as more areas beyond Donetsk and Luhansk come under Russian occupation.
Cloudflare has likewise taken precautions, removing all "customer cryptographic material from servers in Ukraine" so that hostile forces cannot obtain private keys or other sensitive data if they seize the hardware.
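The geoblocking described above comes down to mapping a client address to a region and applying a deny policy to sanctioned regions. The following is an added illustration, not Akamai's code or configuration: it does a longest-prefix match of a client IP against a CIDR-to-country table and checks an allowlist before the block list. The CIDR ranges and their country tags are constructed sample data (documentation prefixes, not real allocations); a real deployment would load a GeoIP database or RIR delegation files. It also shows the check practitioners most often miss: only trust the X-Forwarded-For header when the TCP peer is one of your own proxies, otherwise a blocked client can simply claim an allowed address.

```python
import ipaddress
from typing import Optional

# Constructed sample table (hypothetical ranges and country tags for illustration).
GEO_TABLE = [
    ("203.0.113.0/24", "RU"),
    ("203.0.113.128/25", "DE"),   # more specific sub-range with a different tag
    ("198.51.100.0/24", "UA"),
    ("2001:db8:1::/48", "RU"),
]

# Policy: regions denied under sanctions, plus exceptions for known-good hosts.
BLOCKED_COUNTRIES = {"RU"}
ALLOWLIST = [ipaddress.ip_network("203.0.113.8/32")]

# Assumed address range of our own reverse proxies (hypothetical).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]

_NETWORKS = [(ipaddress.ip_network(cidr), cc) for cidr, cc in GEO_TABLE]


def lookup_country(ip: str) -> Optional[str]:
    """Return the tag of the most specific (longest prefix) matching range, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, cc in _NETWORKS:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, cc)
    return best[1] if best else None


def decide(ip: str) -> str:
    """Return 'allow' or 'block'. Allowlist wins; unmapped addresses are allowed;
    unparseable input fails closed."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "block"
    if any(addr in net for net in ALLOWLIST):
        return "allow"
    return "block" if lookup_country(ip) in BLOCKED_COUNTRIES else "allow"


def client_ip(peer: str, x_forwarded_for: Optional[str]) -> str:
    """Pick the address to geolocate. X-Forwarded-For is honoured only when the
    TCP peer is a trusted proxy; the rightmost entry is the one our proxy appended
    (assumes a single proxy hop). Any other peer is used as-is, since a direct
    client can write whatever it likes into the header."""
    p = ipaddress.ip_address(peer)
    if x_forwarded_for and any(p in n for n in TRUSTED_PROXIES):
        return x_forwarded_for.split(",")[-1].strip()
    return peer


if __name__ == "__main__":
    for peer, xff in [("203.0.113.5", None), ("203.0.113.8", None),
                      ("203.0.113.200", None), ("10.1.2.3", "203.0.113.5"),
                      ("203.0.113.5", "203.0.113.8")]:
        ip = client_ip(peer, xff)
        print(f"peer={peer} xff={xff} -> geolocate {ip}: {decide(ip)}")
```

Note the evaluation order: the allowlist is consulted before any country lookup, and a malformed address is blocked rather than silently allowed. The last sample request shows why the proxy check matters: a client in a blocked range that sets X-Forwarded-For to an allowlisted address is still blocked because it is not connecting through a trusted proxy.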
Researchers question whether distributed denial of service (DDoS) attacks would be as effective against targets in the West as they were in Ukraine. McNamara pointed to the 2012 campaign in which Iranian hackers, retaliating against new sanctions on the country, succeeded in disrupting banks and financial institutions with DDoS.
Russia could still use DDoS attacks against the West, but defenses against them are far better now than they were then.
"So it may be that the preference for disruptive or destructive attacks is something more akin to wiper malware," says McNamara.
Kaspersky Lab, which is based in Moscow, has not made any official statement about the effect of the current sanctions on Russia or the deteriorating situation between Western nations and Russia. The company did say that its international teams are monitoring the situation and are ready to take action if needed.