Assessing risk exposures
Since Russia invaded Ukraine on February 24, 2022, Flashpoint has been hosting a regular Community Call to provide timely updates on the war, including a Q&A session with our analysts who are regional experts. In each call, there are two questions that are most commonly asked:
- How might decisions made by Western governments and commercial entities, such as economic sanctions, lead to an escalation in cyberspace and the physical world?
- Which sectors would be targeted and through what types of attacks?
As the war inches towards the three-month mark, the answers to these questions, however fluid, will continue to be of the utmost importance to security teams at organizations across the globe. In this article, Flashpoint analysts lay out several potential escalation scenarios, current as of the time of publishing.
State-sponsored APT groups
It’s no secret that Russia has used Ukraine as a corridor of chaos, staging destructive and disruptive attacks such as BlackEnergy against Ukrainian critical infrastructure in 2015, and NotPetya against businesses with a Ukrainian presence in 2017. The greatest risk of escalation likely stems from a state-sponsored APT group like “Sandworm.”
The Russian state-sponsored threat group dubbed “Sandworm” similarly sowed disruption in 2008 during Russia’s campaign against Georgia, and in Ukraine. The Justice Department helped disrupt Sandworm’s botnet “Cyclops Blink,” severing the group’s ability to communicate with its bots. The takedown did not prompt any observable escalation, though it may have disrupted Sandworm’s ability to take further actions on objectives.
Sandworm is known for targeting industrial control systems (ICS). Russian state-backed groups are known to have explored critical infrastructure systems in Western countries: in 2018, CISA warned of Russian state-backed threat actors targeting energy companies, water supply, and other critical infrastructure facilities in the US. In the same year, German intelligence blamed a campaign against energy companies on “Berserk Bear,” a Russian APT.
In March 2022, the Department of Justice unsealed two indictments charging four Russian nationals with targeting the global energy sector. In April 2022, the Department of State offered a $10 million reward for the identification of six Russian military officers associated with Sandworm.
Western sanctions have taken a significant toll on Russia’s economy, leading some to speculate that the Western financial services sector may be disproportionately targeted as retribution, due to its role in enforcing sanctions. Taking a cue from other sanctioned countries, Russia may also use proxies or state-sponsored adversaries to attack financial services in an attempt to bypass sanctions. Judging from previous state-sponsored attacks, disruption is the more likely scenario.
Russian state-backed activity has so far focused on Ukrainian banks (Privatbank and Oschadbank were targeted before the February invasion), likely with the purpose of diminishing trust in the Ukrainian financial sector both among the Ukrainian population and among Western partners. The likeliest forms of attack include those already used against the Ukrainian banks—DDoS attacks, self-propagating wiper attacks, or attacks leveraging banks’ compromised email infrastructure—as well as cyberespionage aimed at aiding sanctions evasion.
Russian-speaking financially motivated threat actors (i.e. cybercriminals) have traditionally focused on Western financial institutions—as opposed to state-backed groups, which have primarily focused on industries like energy, critical infrastructure, and state institutions. As a result, attacks may include active cooperation between state-backed actors and financially motivated actors, who may already have access to a financial institution but have not exploited it or would be reluctant to exploit it due to the risks incurred.
Russia vs. Ukraine: A war on many fronts
Despite the long-standing conflict between Russia and the West in cyberspace, the real battlespace remains within Ukraine’s besieged borders. Russian cyberattacks remain focused on Ukrainian entities, with occasional spillovers.
In all likelihood, Russian attacks will continue targeting Ukrainian networks with the purpose of causing disruption and gathering information. The most evident targets, which have faced attacks before, are Ukrainian state institutions, military communication networks, and the Ukrainian financial sector. Tactics, techniques, and procedures (TTPs) would be similar to the ones already used: spear-phishing campaigns to gain initial access, privilege escalation, the use of commonly available post-exploitation frameworks, data exfiltration, and destructive wiper malware.
Western financial institutions may face a risk proportionate to their exposure to these institutions—for example, WhisperGate targets reportedly included a Lithuanian organization with exposure to Ukraine. Russia will likely continue targeting these Ukrainian institutions, and the effects of any cyberattacks may spill beyond the intended targets.
Cyberattacks are happening, but remain covert in nature
On April 5, speaking before Congress, General Nakasone, the commander of US Cyber Command, commented on the support to Ukraine, stating that CYBERCOM and NSA together provided intelligence on the threat, bolstered Ukraine’s resilience, and supported network defense activities.
In a separate talk at Vanderbilt University this month, Gen. Nakasone highlighted that although there may not have been any significant attacks observed against the West, Russia has launched attacks against satellite modems in Ukraine, disrupting internet connectivity. This attack was recently attributed to Russia by the Department of State.
The absence of major destructive or disruptive cyberattacks could in part be a sign that the Russian military command is not prioritizing this kind of attack right now. The focus of the invading troops is targeting civilian infrastructure and destroying Ukraine’s military industrial complex in order to strengthen Russia’s position in case of protracted warfare.
Gen. Nakasone also commented that Ukraine has strengthened its cyber defense capabilities over the past years with the help of the US. At the same time, hacktivist attacks on Russian networks, including distributed denial of service (DDoS) attacks, data exfiltration attacks and defacement attacks directed against state institutions, state-owned companies and contractors of state entities, have forced Russia on the defensive.
A number of Russian entities have been compromised since the start of the invasion. Prior to the invasion, few adversaries had targeted Russian companies, since there was an unspoken—though not universally respected—rule amongst Russian-speaking cybercriminals that you should not target Russian entities or entities in countries with close links to Russia. In turn, Russia had typically turned a blind eye to attacks targeting the West. This mentality changed following the invasion, as hacktivists, cybercriminals, and other adversaries have now increased their targeting of Russia. It is possible that this has led to Russia adopting a more defensive position for the time being.
The Russian government has also left several other escalation possibilities open rhetorically. President Vladimir Putin talked about “consequences greater than any you have faced” for countries intervening in the war, stopping short of defining what “intervention” means. He later said that he regarded economic sanctions as “an act of war.”
A deliberate escalation in cyberspace—either more substantial attacks on Ukrainian systems or attacks on Western entities—supported or started by Russia would be most likely if and when it brings benefits either to the ongoing invasion or in the context of negotiations from a tactical point of view. In the context of the ongoing invasion, a cyber escalation could occur if the Russian military command decides to integrate cyber elements to help the ongoing military campaign on the ground, such as by frustrating Ukrainian communication channels. In the context of negotiations, the goals of a cyber escalation could include demoralizing the Ukrainian population or impacting decision-making or public opinion in EU and NATO countries (such as to push back against sanctions or to prompt the West to push for the acceptance of Russian terms in peace negotiations).
Putin has left open the possibility of cyber conflict, and it may be an avenue to escalate the war outside of physical fighting. However, continued support from US and NATO countries will likely defend against future attacks, at the risk of further escalation.
It appears that Russian state-sponsored adversaries may have the opportunity and capability to attack Western critical infrastructure, but lack the intent, as a particularly disruptive attack may trigger a commensurate response from either Ukraine or the West, depending on the target.
At this stage of the war, however, it remains unlikely that Russia will carry out major disruptive or destructive attacks against Western critical infrastructure via cyber means. Even so, the energy, financial services, and information technology sectors make for likely targets based upon previous incidents.
Throughout the war, the West has remained reluctant to provide any grand gestures of support to Ukraine. However, US and NATO countries have progressively provided Ukraine with economic aid, weapons, and military intelligence, while further restricting Russia’s access to the international financial system. The US has stopped short of providing equipment like fighter jets, and of actions like staging cyberattacks against Russia, for fear of potential escalation. As a result, the potential flashpoints for escalation are unclear, taking cues from oft-convoluted rhetoric, but remain a threat to prepare for nonetheless.
To date, analysts have not observed significant, successful attacks on Western entities in the context of the war, although, notably, cyberattacks are covert in nature and may not yet be known, or divulged. However, this does not mean that such attacks will remain unlikely as Russia’s war on Ukraine continues.
Get Flashpoint intelligence on your team
Any organization’s security capabilities are only as good as its threat intelligence. Flashpoint’s suite of tools offers you a comprehensive overview of your threat landscape and the ability to proactively address risks and protect your critical data assets. To unlock the power of great threat intelligence, sign up for a demo or get started with a free trial.