Russia's Cyber War Operations Begin

The US Department of Homeland Security (DHS) is warning that Russia may pursue a cyber attack against the US as tensions escalate over Moscow’s buildup of forces near the border with Ukraine. In Britain, organisations are being urged to bolster their defences amid fears cyber attacks linked to the conflict in Ukraine could move beyond its borders.

The National Cyber Security Centre (NCSC) has issued urgent guidance, saying it is vital companies stay ahead of a potential threat. 

These events follow a series of cyber attacks in Ukraine which are suspected to have involved Russia, which Moscow denies, however it is thought Russian organisations are involved. Russia could launch such an attack if it believes Washington’s response to its potential invasion of Ukraine threatens its long-term national security, according to the DHS bulletin released January 23 to law enforcement partners. The bulletin said Russia “almost certainly considers cyber attacks an acceptable option to respond to adversaries” because it lacks the ability to respond with the economic and diplomatic options often preferred by other countries.

In the UK in recent weeks, critical national infrastructure - which includes energy supply, water supply, transportation, health and telecommunications - have been warned by the NCSC about specific vulnerabilities known to be exploited by Russian hackers.

Based on experience in Ukraine, energy and transport are most likely to be targeted if anything were to happen. "While we are unaware of any specific cyber threats to UK organisations in relation to events in Ukraine, we are monitoring the situation closely and it is vital that organisations follow the guidance to ensure they are resilient," Paul Chichester, the NCSC director of operations said in a statement accompanying the latest guidance issued on Friday 28th January.

Hackers, who recently unleashed destructive cyber attacks against Ukrainian government networks, have been lying in wait for months, according to new findings. The malware used to strike Ukrainian government websites has similarities to the NotPetya wiper, but has more capabilities "designed to inflict additional damage," researchers say. Ukraine has already suffered two known cyber attacks in response to the geopolitical situation with Russia. 

Called WhisperGate, the malware is a wiper that was used in cyber attacks against website domains owned by the country's government. 

The attacks led to the defacement of around 70 websites and a further 10 subject to "unauthorised interference," according to the Security Service of Ukraine, State Special Service and Cyber Police. The wave of attacks was made public on January 14th.

Websites impacted included the Ukrainian Foreign Ministry, the Ministry of Education and Science, and various state services. 

• The first round was a series of nuisance web page defacements that targeted more than 70 Ukrainian government websites. 

• The second round of attacks executed WhisperGate, a destructive wiper malware disguised as ransomware, that impacted dozens of Ukrainian entities associated with government, non-profit, and technology companies.  

Despite having the appearance of a ransomware attack it did not have a ransom recovery method, a critical part of any ransomware operation. This leads to the conclusion that the primary intention appears to be to render systems inoperable, not collecting financial compensation.

While many observers first thought that Russia to be behind the cyber attack, Ukrainian authorities attributed the attack to a group linked to Belarussian intelligence, using Russian-linked malware.

Though Moscow has denied any association with the attacks, there is some evidence suggesting a malware link. In 2017, Russian military intelligence executed the NotPetya malware attack that initially targeted Ukrainian targets before escaping into the wild. 

Financial institutions, energy companies, government ministries, the Kyiv international airport, metro systems, and other state-owned enterprises were affected in Ukraine.

In December 2015, engineers in Ukrainian power stations saw cursors on their computer screens moving by themselves. They had been hacked. Hundreds of thousands of people lost power for hours. It was the first time a power station had been taken offline, a sign that cyber intrusions were moving beyond stealing information into disrupting the infrastructure on which everyday life depends. Russia was blamed.

Following the cyber attack, the European Union said it was mobilising "all its resources" to assist Ukraine, NATO has pledged its support, and US President Biden has warned Russia of a cyber 'response' if Ukraine continues to be targeted. 

This tactic, using destructive malware, is a classic Russian move that Moscow has used countless times before as tensions with Ukraine and other countries have sparked.

Russian hackers were behind the sweeping destructive attacks of 2017 known as NotPetya, which caused billions of dollars in damages around the world. Cyber attacks rained down on Georgia in 2008, too, when Russia started a shooting war to go after some territory in the country.

According to preliminary results from a joint investigation from Ukraine’s cyber security agency, the State Service for Special Communication and Information Protection, Russia is behind these cyber attacks. 

Russia denies any involvement in the cyber attacks, and disclaims any intention to invade Ukraine. Kremlin spokesman Dmitry Peskov, said, in a CNN interview. “We have nothing to do with it. Russia has nothing to do with these cyber-attacks. Ukrainians are blaming everything on Russia, even their bad weather in their country,”

NCSC:     Palo Alto Networks / Unit 42:     BBC:   Oodaloop:     ZDNet:     Daily Beast:     Techtarget:     

Cyber Wire:      GovInfoSecurity:      I-HLS:      BBC:

You Might Also Read: 

NATO & Ukraine Agree Deeper Cyber Co-operation: