Regardless of the final outcome of the war in Ukraine, all sectors of the economy will face fundamental changes in the cyber threat landscape as the war pushes the boundaries of acceptable behavior in cyberspace. Hundreds of cyber threat actors on both sides are engaged in offensive cyber activities, creating a large pool of potentially vulnerable targets.
The analysis of Russia’s ongoing invasion of Ukraine and the consequences of the use of cyber attacks for the sectors of the Ukrainian economy allows us to draw the following conclusions:
1. The cyber component of warfare can rapidly and severely escalate, with the potential for unprecedented cyber-physical consequences, including attacks on critical telecommunications infrastructure.
2. Proper identification of cyber threats can be extremely difficult due to the breadth of the threat landscape. It is likely that even more threatening cyber actors from around the world will join the fray (each on their own side).
3. Russian cyberattacks will focus on demonstrating capabilities and on attacks that can spread widely.
4. There is a need to focus on threat modeling of Russian Advanced Persistent Threats (APTs), tactics, techniques and procedures (TTPs) of known cybercriminal groups, as well as the experience of leading countries in cyber security.
Since the Russian invasion of Ukraine, the use of cyber attacks has played an important, albeit limited, role. Cybercriminals are targeting critical information infrastructure, government services, banks and telecommunications. Some of these cyberattacks have also spread to neighboring countries that support Ukraine. The types of cyber attacks recorded to date include (but are not limited to) Distributed Denial of Service (DDoS) attacks; data corruption and self-propagating malware; cyber disinformation campaigns.
The cyber element of this war can quickly and seriously escalate with the potential for catastrophic consequences. There are several levels of escalation to go through before a cyber disaster scenario becomes likely.
Countries around the world, along with various cybercriminal groups and distributed hacktivist teams, have taken sides in the global cyber war. The invasion of Ukraine prompted the most influential parties in cyberspace to reveal their capabilities along ideological, ethical and geopolitical lines (Ukraine and others against Russia). The potential for disaster caused by the rise of offensive cyber activity, including the prospect of cyber-physical attacks on critical information infrastructure, has never been greater. In addition, a serious side effect of a targeted attack is the risk of self-replicating malware that infects non-targeted systems and spreads widely. Ukraine and Russia have openly enlisted global volunteer cyber groups to help attack each other’s IT systems and networks. Other established and emerging cyber threat actors are also involved. As of June 1, 2022, at least 33 different cyber threat groups have been identified that actively helped Ukraine (22 groups) or worked for Russia (9 groups). Russian APTs and their criminal-group counterparts will select targets seemingly at random, with the intention of demonstrating the power of Russian cyber offensive capabilities. Currently, the risk of a cyber disaster is higher because of Russia’s intent, opportunity, and ability to compromise “single point of failure” (SPoF) targets, which give it broad and unfettered access to critical computer networks and data. Hacktivist coalitions and cybercriminals are taking sides, and cybercriminal groups are pledging to help the Russian government’s war machine.
The most realistic catastrophic scenarios from the actions of Russian cyber groups include:
1. Worldwide spread of destructive malware that wipes hard drives and renders devices unusable.
2. An attack on mobile network operators causing disruption for several hours to all affected users.
3. Compromise of the leading global platform for interbank financial transactions and messaging (SWIFT) and theft of funds from banks.
4. Sending a malicious update from a leading SCADA vendor causing multiple catastrophic refinery outages at the same time.
5. Infection of programmable logic controllers used in drilling rigs of leading mobile oil rig operators.
6. An attack on an electric utility, resulting in a prolonged outage with consequences for most of the businesses that depend on its electricity.
7. Exploitation of software vulnerabilities in widely used medical devices, which will affect a large number of medical facilities.
8. An attack on the instrument landing system navigation of a leading aircraft model, interfering with its navigation controls.
The targeting matrix for Russian cyber attacks in response to Ukrainian ones is complex. The number of variables narrows the set of plausible targets. Given Russia’s targeting requirements, the types of companies in the crosshairs are concentrated in a limited number of industries. Russia weighs at least 5 variables when deciding which targets to hit and when to strike back:
1. Disruption of widely used (but not critical) services intended to cause loss of public support.
2. The choice of targets that are symbolic (culturally, politically) and will not be perceived by the victim as military actions.
3. Targets will be carefully selected so as not to reveal intelligence and espionage capabilities.
4. Russia will take precautions to conduct attacks that do not expose cyber infrastructure, such as custom malware, zero-day vulnerabilities, or command and control (C2) servers, that could be used in future operations.
5. Targets will be selected for their relatively low impact, holding higher-value targets in reserve for escalation.
The most likely areas to be attacked in response are: banking and financial services; IT services, including managed service providers; Internet providers; delivery and logistics; utilities.
If cyberattacks escalate between Russian APTs, Ukraine, and countries that support it, Russia will revise its targeting matrix and select larger and more disruptive targets, such as oil and gas, power grids, healthcare, defense, and aerospace. The possibility remains that Russia will use self-propagating malware to indiscriminately attack a wide range of targets.