Russia-Ukraine War: Cyberattack Escalation Risk Continues
Memo to CISOs: Risk of Attack Spillover - If Not Direct Attacks - Remains Notable
As the Russia-Ukraine war continues, so too does the threat of Moscow seeking to escalate online attacks or opting to launch reprisals for Western sanctions.
While Ukraine remains at risk, of course, so too do any countries whose governments have been siding against Russia. Thankfully, however, so far the impact of online attacks has been much less than many analysts had feared, as Russia appears to remain much more focused on physical attacks.
"Perhaps the concept of a 'cyber war' was over-hyped," Jeremy Fleming, director of the U.K.'s security, intelligence and cyber agency, GCHQ, said earlier this week with classic British understatement.
"But there's plenty of cyber about, including a range of activity we and partners have attributed to Russia," Fleming said Tuesday at the CyberUK conference in Wales. "We've seen what looks like some spillover of activity affecting other countries. And we've seen indications that Russia's cyber operatives continue to look for targets in countries that oppose their actions."
"What we were expecting was, of course, a massive cyber campaign with more spillovers," Juhan Lepassaar, executive director of the EU Agency for Cybersecurity, known as ENISA, said at the conference.
Satellite Communications Disrupted
Of course, there has been some notable Russian hacking, including the attack on Viasat's KA-SAT satellite communications terminals on Feb. 24 - the day Russia invaded Ukraine. This week, the EU, U.K., Ukraine and U.S. attributed that attack to Russia.
"So yes, we've seen that, but we haven't seen a sustained effort," Lepassaar said (see: Russia-Ukraine War: 7 Cybersecurity Lessons Learned).
Multiple strains of wiper malware have also been launched by Russia against Ukraine, experts say, including against energy facilities. But part of the challenge facing Moscow is that Ukraine has been devoting significant energy to shoring up its online defenses, backed by support from allies, as well as NATO. "The Ukrainians have been stress testing involuntarily since 2014," Lepassaar said of their online defenses.
Likewise, Rob Joyce, the head of cybersecurity at the U.S. National Security Agency, has lauded the state of Ukraine's online defenses and told CyberUK attendees that Ukraine offers a model for others to emulate. "One of the things they've done is, they have emergency plans, having been under pressure for years," he said at the conference. "They have been able to practice and they understand what good incident response is."
Even though so-called cyber war has failed to transpire, experts say the risk of inadvertent or intentional spillover remains high, especially for critical infrastructure sectors (see: 9 Essentials for Global CISOs During Russia's Ukraine War). "I'm still very worried about the threats emanating from around the Russia-Ukraine situation," Joyce told the BBC.
This threat is being tracked at the highest levels of government. Joyce said the White House continues to closely monitor the situation, not least given the ongoing risk of "spillover of nation-state activity … continuing on to impact civil society."
CISO Mandate: Stay Alert
Hence while there's so far been no all-out cyber blitzkrieg, CISOs should - and must - continue to carefully track the conflict, given the risk that organizations might be affected by cyberattack spillover, if not directly targeted.
Threat intelligence firm Flashpoint, for example, says it's been hearing this question regularly from the CISOs and other clients it continues to brief on the war: "How might decisions made by Western governments and commercial entities, such as economic sanctions, lead to an escalation in cyberspace and the physical world?" Another top concern, it says, remains which industries are most at risk and the types of attacks they should most beware.
"When it comes to the cyber domain and the potential attacks on cyber infrastructure, it's something that we have to be very concerned about," said Max Bergmann, the Europe program director at the Center for Strategic and International Studies, in a Tuesday press briefing held by the Washington-based, bipartisan, nonprofit policy research organization.
Flashpoint says the most likely targets for Russia remain Ukrainian government and financial services sites and "military communication networks" but that any escalation would likely focus on other countries' financial services sectors and likely include distributed denial-of-service attacks, phishing campaigns and worse.
"Russian state-backed activity has so far focused on Ukrainian banks - Privatbank and Oschadbank were targeted before the February invasion - likely with the purpose of diminishing trust in the Ukrainian financial sector both in the Ukrainian population and among Western partners," Flashpoint says. "The likeliest form of attacks include those that were used against the Ukrainian banks - DDoS attacks, self-propagating wiper attacks, or attacks leveraging banks' compromised email infrastructure - as well as attacks focusing on cyberespionage with the purpose of aiding sanctions evasion."
But Russia faces "some real challenges" if it tries to escalate, said Bergmann at CSIS.
"It's a very different environment than last year when … Russia-linked cyber actors attacked the Colonial Pipeline and took that down when the Biden administration was in the midst of trying to sort of establish a detente with Russia," he said. "That is not the environment now, and as Russia has bogged down in Ukraine, I don't think they're going to want sort of an escalatory cycle when it comes to sort of provoking us to get more involved in the conflict or to take direct action in the cyber domain against them."