The Threat of Russian Cyberattacks Looms Large

Fifteen days into the Russian invasion of Ukraine, Senator Angus King, of Maine, asked the director of the National Security Agency, General Paul Nakasone—who is also the commander of the United States Cyber Command—a question that was on the minds of many observers of the conflict: Why hadn’t the Russians launched a concerted cyberattack on the country? Russia, after all, is home to both sophisticated state-sanctioned hackers in its military and intelligence services and to cybercriminal gangs, loosely affiliated with the government, that have been active in Ukraine in the past. Just before Christmas of 2015, for instance, hackers believed to be Russian sabotaged parts of the power grid in western Ukraine, leaving people in the cold and the dark. Though the outage lasted only a few hours, the operating systems of the three regional power-distribution companies that had been affected remained compromised long after the lights were back on. Two years later, in June of 2017, attackers struck Ukraine again, shutting down government offices, banks, ports, and the postal service. The malware used in the attack, which the Ukrainian security service attributed to Russia, then spread from the computers of companies based in Ukraine to those of their affiliates around the world, causing damage reported to have cost ten billion dollars. Just last year, according to Microsoft’s 2021 Digital Defense Report, which tracks cyber threats against nation-states, Ukraine was second only to the U.S. in the number of cyberattacks it had experienced over the past year. Given this history, it stood to reason that future Russian incursions in Ukraine would likely involve cyber weapons. “Much can still occur,” Nakasone said. “We will be very, very vigilant to see what occurs there.” Still, the fact that devastating attacks haven’t occurred so far has raised doubts in some quarters about the viability and efficacy of using malicious software as a weapon of war.

There are many theories floating around as to why the Russians didn’t go all-out and take down Ukraine’s cellular networks, electric grid, municipal water supplies, and other crucial utilities, either in the run-up to war or in its first days. It may be that the Kremlin, high on its own propaganda, believed that the Russian army would conquer Ukraine in record time and install a puppet government that would need to have those services intact. When that didn’t happen and the Russians began bombing cities, it made cyber weapons that could turn off the lights, say, largely beside the point: a bomb dropped on a power plant is a definitive way to destroy it, with little chance that it will come back online. “If you’re already at a stage in a conflict where you’re willing to drop bombs, you’re going to drop bombs,” Jacquelyn Schneider, a fellow at the Hoover Institution who is a former Air Force intelligence analyst, told me. In other words, bombs are blunter, more peremptory instruments.

But it also may be that Russia never had the capabilities that its adversaries ascribed to it in the first place: unlike conventional weapons, which can be counted, cyber weapons are invisible until they are deployed, making it impossible for outsiders to assess the size and power of a nation’s cyber arsenal. Or it may be that the Russian generals prosecuting the war were skeptical of relying on weapons composed of zeros and ones. Or that the Russians tried to replicate their earlier attacks but that Ukraine’s digital defenses, which are much stronger now, successfully fended them off. Cyber weapons, which exploit software vulnerabilities, can take years to develop and may be held in reserve for months or years. If those vulnerabilities are patched in the meantime, the weapons become useless. After the 2017 cyberattack, Ukraine, with help from its allies, fortified its computer networks. It received ten million dollars from the U.S. State Department in 2018 to secure critical infrastructure, with an additional eight million dollars in 2020 and a pledge for thirty million more, as well as cyber assistance from the U.S. Army and from NATO. Days before the invasion, Ukraine also requested and received help from the European Union’s Cyber Rapid Response Team.

The private sector is also pitching in. Within hours of the invasion, Christopher Ahlberg, the C.E.O. of Recorded Future, a Somerville, Massachusetts-based cybersecurity company, sent out an e-mail with the subject line “We Stand With Ukraine,” promising Ukrainians his firm’s “full resources, capabilities, and intelligence to support them in their fight against Russia.” (When I spoke with Ahlberg a few days later, he told me that Recorded Future is “helping out with pertinent intelligence and providing its intelligence platform to a series of actors in and around the conflict,” adding that he could not be more specific because “there are many eyes on targets in and outside of Ukraine.”) Among other organizations that have stepped in is Bitdefender, a global cybersecurity company based in Romania, which has teamed up with the country’s National Cyber Security Directorate to provide support and intelligence to Ukraine. And Tom Burt, Microsoft’s vice-president in charge of customer security and trust, told me in an e-mail that his company’s Threat Intelligence Center has “developed and shared tools to help Ukraine be more resistant to the specific attacks we have observed,” and that this work was continuing “around the clock.”

Cyber weapons are stealthy, cheap to develop—especially compared with conventional weapons—and can be launched anonymously. This offers regimes that use them plausible deniability, and makes retaliation, at best, problematic. In some situations, that may make cyber “the perfect weapon,” as David Sanger of the Times has written, but right now the Russians appear to be spending a lot of time defending their own networks, which may be taking resources away from a cyber offensive. On February 24th, the day of the invasion, the hacker collective Anonymous declared that it “was officially in cyber war” against Russia, and has since claimed to have conducted surreptitious attacks on the Russian Ministry of Defense, its Federal Security Service, and Russian state television. Ukraine’s state-sanctioned volunteer “I.T. Army” has also been levelling countless distributed denial-of-service attacks (DDoS) against Russian businesses and government Web sites, overwhelming them with traffic in order to make them inaccessible. A weekly analysis of cyber activities from the State Service of Special Communications and Information Protection of Ukraine issued on March 19th noted that Russian propaganda “had shifted the focus of its attention from attacks against Ukraine to attacks against Russian information infrastructure.”

But that same report made clear something that has largely been lost in the musings about Russia’s failure—so far—to use cyber weapons to crippling effect in the war: Ukraine has actually been under a constant barrage of cyberattacks that began before the invasion. Since February 15th, Ukraine has experienced more than three thousand DDoS attacks, including two hundred and seventy-five in a single day. Tom Burt told me that, as early as January, his team discovered wiper malware—malicious software that erases the targeted computer’s hard drive—on Ukrainian government networks, and shortly before the invasion they detected new wiper attacks against both the government and the private sector. He also said that “there have been dozens of espionage attacks on high-value targets.” Just last week, Ukraine’s Computer Emergency Response Team detected new malware, distributed through phishing campaigns, against state bodies, most likely from a hacking group with ties to Russian intelligence. Perhaps most crucial, on the morning of the invasion, hackers jammed the satellite signal that delivered broadband satellite Internet services to much of Ukraine and other parts of Europe and, through a malicious software update, disabled Internet modems used to communicate with the satellite, taking out ten thousand terminals around Europe. The service has not been fully restored. Viasat, the company whose satellite was targeted, provides Internet service to the Ukrainian army and a number of Western militaries. (The company said that the attack did not affect the U.S. military, which relies on Viasat for some of its battle-management systems.) The source of the attack is not yet known.

In retrospect, it seems possible that the attack on Viasat was actually Russia’s opening gambit—a cyberattack intended to compromise Ukraine’s command-and-control systems—but was only marginally successful. Then, while the world was waiting for Russia to turn off the lights in Ukraine, the Kremlin was, instead, engaging in more targeted and strategic attacks. Still, Russia might do something more comprehensive and destructive going forward. A cyber weapon can only be launched once; it is possible that the Kremlin is holding its most powerful malware in reserve. As Burt told me, although Russia’s cyber activity has not caused mass destruction, “it does not in any way reduce the risk that more aggressive and destructive attacks could be deployed in the future inside or outside Ukraine.”

There is also no guarantee that, just because they haven’t done so yet, the Russians won’t retaliate against the U.S. and its allies for supporting Ukraine. On March 17th, the F.B.I. and CISA, the Cybersecurity and Infrastructure Security Agency, warned that they were “aware of possible threats to U.S. and international satellite communication (SATCOM) networks,” and they urged network providers and customers to harden their defenses. On Monday, President Biden reinforced this message. “I have previously warned about the potential that Russia could conduct malicious cyber activity against the U.S., including as a response to the unprecedented economic costs we’ve imposed on Russia alongside our allies and partners. It’s part of Russia’s playbook,” he said. “Today, my Administration is reiterating those warnings based on evolving intelligence that the Russian Government is exploring options for potential cyberattacks.” CISA has been exhorting American entities to put their “shields up” to deter attackers, and earlier this month Congress finally overcame private-sector resistance and approved legislation that requires critical infrastructure companies to report cyber intrusions within seventy-two hours of an attack and twenty-four hours after paying a ransom. The new requirements will give CISA a better understanding of how our adversaries are targeting entities such as pipelines, dams, and the electric grid, and allow the agency to warn other entities of ongoing threats.

It is too early to know, yet, the true role that cyber weapons are playing in this particular conflict—or will play in those to come. Indeed, the only thing we know for sure is that the Internet is its own battlefield, and we’re all on it.

Source link