Bloomberg Línea — The United States and the United Kingdom stood by Ukraine after the Russian military launched attacks against the country in the early hours of Thursday. The security agencies of those countries had already been warning organizations to strengthen their security against cyberattacks coming from Russia.
A spokesperson for the UK’s National Cybersecurity Center (NCSC) told Bloomberg Línea that the agency “is aware of reports of cyber incidents following Russia’s unprovoked, premeditated attack on Ukraine. We are urgently investigating these incidents.”
“The NCSC is not aware of any specific cyber threats to UK organizations concerning the Russian invasion, but strongly encourages organizations to follow our guidance on steps to take when the cyber threat is heightened.”
In the last two weeks, the website of Ukraine’s Ministry of Defense and Armed Services and the banks Privatbank and Oschadbank have suffered attacks. Cyber action has a lower cost in terms of reputation and response, and it is also more difficult to prove that any particular country organized a cyberattack, as Daniel Rio Tinto, Ph.D. in Political Science and International Studies from the University of Birmingham and professor of International Relations at the FGV (Getulio Vargas Foundation’s School), explains.
“It would be very implausible to imagine that Russia would land troops in the United States and the United Kingdom. On the other hand, a cyber intervention, attacking some electronic system to give a signal to a certain newspaper, bank, or government agency would be much more plausible. Not to cause any significant practical effect in those countries, but with a propagandistic effect”, he explains.
Professor at FGV Rio and Coordinator of the Center for Technology and Society at the university, Luca Belli, meanwhile, thinks it “highly unlikely” that Russia would attack UK or US infrastructure. “There is no interest from Russia to attack another country that supported Ukraine. But what is already happening is companies that are contracted by Ukraine or companies from Ukraine working in Europe that have been targeted by cyberattacks.”
The US-based CISA (Cybersecurity and Infrastructure Security Agency) recently published an insight to help businesses prepare for and mitigate foreign influence operations targeting critical infrastructure.
According to CISA, historically, Russian state-sponsored cyber actors have used tactics to gain access to target networks. From at least January 2020 through February 2022, the agency, alongside the FBI (Federal Bureau of Investigation) and NSA (National Security Agency), has observed regular targeting of U.S. cleared defense contractors (CDCs) by Russian state-sponsored cyber actors.
The government-linked agencies say these actors have targeted CDCs that support contracts for the U.S. Department of Defense (DoD) and Intelligence Community in areas such as command, control, communications, and combat systems; intelligence, surveillance, reconnaissance, and targeting; weapons and missile development; vehicle and aircraft design; and software development.
Marcelo Frullani, an expert in law and information technology from the University of São Paulo, recalls that in recent years, Ukraine has been the victim of a series of cyberattacks that brought down essential systems in the country, such as energy and banking.
“Although it is very difficult to identify the origin of these attacks, governments of several countries indicate that Russia is behind cyberattacks around the world,” he said.
Frullani stated that Vladimir Putin’s government has also been accused of interfering in other countries’ elections by spreading disinformation. “This power of interference in other countries using information technology tools has even been called sharp power by scholars on the subject.”
Malicious actors use influence operations, including tactics like misinformation to shape public opinion, undermine trust, amplify division, and sow discord, says CISA.
According to the agency, foreign actors engage in these actions to bias the development of policy and undermine the security of the U.S. and allies, disrupt markets, and foment unrest.
“While influence operations have historical precedent, the evolution of technology, communications, and networked systems have created new vectors for exploitation. A single misinformation narrative can seem innocuous, but when promoted consistently, to targeted audiences, and reinforced by peers and individuals with influence, it can have compounding effects,” it states.
CISA says foreign influence operations have been paired with cyber activity to derive content, create confusion, heighten anxieties, and distract from other events. “In light of developing Russia-Ukraine geopolitical tensions, the risk of foreign influence operations affecting domestic audiences has increased. Recently observed foreign influence operations abroad demonstrate that foreign governments and related actors can quickly employ sophisticated influence techniques to target U.S. audiences to disrupt U.S. critical infrastructure and undermine U.S. interests and authorities.”
The agency’s guidelines and recommendations for businesses and organizations include assessing the information environment, identifying vulnerabilities, fortifying communication channels, engaging in proactive communication, and developing an incident response plan.
Frullani explains that cyber-attacks that disrupt essential services can be varied. In some cases, websites are taken down; in others, a hijacking of data occurs through an attack called “ransomware”, with a ransom demand for the return of that information, while attacks aimed at disinformation often occur through social networks.
“The attacks do not usually come directly from the Russian government, but from hacker groups that receive encouragement and protection from Russia,” he says. For him, even if Brazil is not involved in the conflict, there is no escaping the consequences of cyberwar. “Attacks on servers located in the US, for example, can cause damage in many other countries that depend on that infrastructure.”
Besides, the expert states that even if the target of an attack is a certain company located in Ukraine, it is often not possible to prevent companies located in other countries from also being affected. “Even if the armed confrontation is limited to Ukraine, certainly the cyberwar will produce impacts around the whole world.”
According to Imperva’s cyber threat attack map, from February 22 to February 23, the top three attack origins worldwide were the United States (52%), Germany (11%), and the United Kingdom (6%), while the top three attack targets were the United States (44%), Australia (7%), and the United Kingdom (5%).
Kaspersky points out that cyberattacks in Ukraine have been going on steadily for five years now and there is no indication that they will stop.
The company said that recent attacks are targeted, such as WhisperGate. Kaspersky also said it has identified a new threat called HermeticWiper, which takes advantage of legitimate EaseUS Partition Master software drivers to corrupt the hard drive and compromise the file system.
“This new malicious program uses new techniques to prevent analysis and also relies on a valid digital certificate, which makes it much more complex than WhisperGate.”
According to Kaspersky, there have also been reports of attacks targeting Ukrainian banks, and the malware used is a variant of the Mirai malware known as Katana. “This malware was for sale on underground forums and can now be found for free on GitHub. Typically, Katana infects outdated home routers and IoT equipment.”
An invisible war
Some people understand that cyber warfare is not “war” but another category of use of force, as Rio Tinto explains. Cyberwar is a way of using force. It is a way of causing damage by modifying the opponent’s daily life to produce a political effect in some countries.
Ariane Roder, a political scientist at COPPEAD/UFRJ and international relations specialist, explains that in traditional warfare, the conflict is triggered when there is a military invasion of sovereign territory, while in cyberwar, hacker attacks are systematic and orchestrated on data networks with the goals of spying on critical and sensitive information and destabilizing the enemy by invading their systems.
Thiago Diogo, director of engineering at the billion-dollar IDTech Unico, says cyberwar is invisible and difficult to perceive, and that its origin is hard to detect. It is not only for financial advantage but for sovereignty. “Governments have been investing in the creation of cyber armies, with teams specialized in the topic, to defend their interests in the digital world, both to monitor adversaries and radical groups and for possible attacks”.
Cyberwar is any hostile activity against information systems that originates from the government of a country and may shake diplomatic relations with another nation, according to Raphael Tedesco, NSFOCUS alliances manager in Latin America.
“The implications can be countless and far beyond those directly linked to the type of service being attacked, from power substations, water treatment, and other basic survival items, to even financial markets and companies linked to opposing governments, and can generate social collapse in the attacked country.”
Digital weapons can be malicious software, among other tools that can be used to take control of a country’s technology infrastructure against the local population.
Unlike cybercrime where hackers may try to break into banks to steal money for personal profit, cyberwarfare is mobilized by a political actor to interfere with the target country’s financial system and bring chaos to the infrastructure, such as electricity disruptions, for instance.
“The height of attacks of this nature can, for example, impede eventual defenses, counterattacks, and enemy takeover of weapons, leaving whoever is attacked totally vulnerable,” Tedesco says.
Sebastian Stranieri, CEO of VU Security, said that cyber warfare is the use of technological resources in order to extract confidential information, modify plans or communication systems of a third party.
“Some of its objectives are to hinder communications, access to the financial system or technological systems that manage natural resources. On the other hand, it is almost impossible to verify if behind an attack of this type there is a formal and trained team related to a government. Given the sovereignty of the internet, anyone could make efforts against a target. But it is true that the only way to generate massive impact is through the quantity and sophistication of the available resources”.
Russia has become known for its use of cyber means for political purposes. “It is not exclusive to Russia; China and the United States also use cyber means constantly in offensive and defensive ways,” professor Rio Tinto adds.
Before the Russian military invasion, Ukraine had already been reporting attacks on government-related websites and financial services. Russia has not claimed authorship of these attacks. Unlike terrorist attacks, it is common for cyberattacks to have no assumed authorship.
The decision to invade Ukraine was part of a larger set of actions against the country that had already been taking place.
The risk of a fully digitized society
The recent attacks on government and bank sites in Ukraine were carried out with trivial tools: several users accessed the sites at the same time, causing a crash. For Belli, the big problem is when these attacks lead to the takeover of conventional infrastructures, such as power grids and even nuclear power plants.
In 2017, the “NotPetya” cyberattack even took control of the cooling monitoring operation of the so-called “Elephant’s Foot”, the corium mass in the reactor of the Chernobyl disaster.
At a time of digital transformation, Ukraine’s paradoxical advantage is that it still has conventional infrastructure, with an electricity grid and airports that are not fully digitized, according to Belli.
“It’s not a state-of-the-art connected infrastructure. You can even turn it off and control it manually. Imagine in a context of fully digitized infrastructure, it’s the most vulnerable option in that kind of context. Digitization in Ukraine is much more recent and incomplete, you can still switch off the digital control and switch back to manual, analog,” he explains.
This is what happened last year when the Kyiv airport suffered an attack and some digital systems were shut down so that operations could be run manually. According to the professor, this would be more difficult in countries where the digital structure is connected to other services, as in the United States when the gas pipeline was paralyzed for a few weeks by a cyberattack.
According to Stranieri, average Internet users will only be able to know if they are victims of the consequences of a cyber war in the event that communications services are interrupted and people are unable to use them, either due to massive outages or microcuts.
“Another possibility is in the case of attacks on massive targets, specifically if it happens in financial or crypto companies, as well as in other industries that maintain branches in a large part of the world or with a large number of consumers.”
On the other hand, he said that government defense forces can certainly identify if they are being targeted, based on the analysis of variables such as behavior, movement or modifications, among others.
“Events from the past tell us that the tension in the cyber world reacts in parallel to the tension in the physical world. As an expert, I recommend companies to reinforce their security policies and proactive monitoring during this sad stage for the world”, says the CEO.
According to Kaspersky, attacks are expected to continue, likely targeting national entities, large institutions, and the Ukrainian financial sector. “Companies outside Ukraine should also remain vigilant and take every precaution to avoid targeted attacks, as well as attacks on the supply chain.”
The history and what could happen from here on out
Roder highlights that warfare in the 21st century is not underpinned by the same pillars as trench warfare of the last century. “The effects of globalization and digitalization affect the very design of war strategy,” she explains.
According to the expert, the world will witness in the conflict between Russia and Ukraine a likely concomitance of military warfare with cyber attacks. “Russia, besides being the second largest military power in the world, has a highly sophisticated intelligence and cyber security system both to defend itself and to attack,” she said.
Belli says that Russia had been preparing for this moment for several years, since the annexation of Crimea in 2014, developing not only cyber-attack capability but periodically experimenting with new techniques. “One of the few consensuses there is at this moment is that everything that has happened in recent years is only the tip of the iceberg of the digital arsenal,” he said.
The professor recalls that in 2019 Russia passed a law to disconnect its internet infrastructure as a means of not being a target of attack. It is not possible to access the Russian army’s website, for example, which has been disconnected.
“It was a digital defense put in place by the Russian army, where targets that may be vulnerable are being disconnected. Few nations right now have the same level of expertise as Russia and China.”
Vinícius Rodrigues Vieira is a professor at Faap and teaches classes on technological issues and international relations in MBA courses at FGV. He recalls that in 2008, in the South Ossetia war, Russia carried out a cyberattack before the military one, and that it attempted a cyberwar against Estonia in 2007.
“In Georgia, we had the cyberattack first and then the war. Now with the conflict in Ukraine, not only countries must be involved, but private actors must also keep an eye on potential network instabilities, as it is a weapon that big countries use because there is low cost with high potential damage.”
Jeferson D’Addario, CEO of the DARYUS Group, a risk management, business continuity, and cybersecurity firm, says that “at this point, all caution is not enough for all NATO members”, but for him, there are still no indications of a global cyberwar.
“Russia is considered a hotbed of hackers and some very good groups technically. Some linked to government and defense, others with organized crime.”
He points out that companies doing business with both countries, linked to the supply chain, to software for defense and security, or to the critical infrastructure of the countries involved, need to increase their alertness and readiness.
“Almost everything we use or critical infrastructures have technological connections, automation, internet links, etc. In other words, they are susceptible to hacking.”
A recent Aon study listed the top 10 global risks, according to more than 2,300 managers from 60 countries, across 16 industries in both the public and private sectors. The most cited risk was cyber security.
Thus, VU recommends changing monitoring schemes to an active model. “It is a moment that can be capitalized on, taking measures such as restricting non-priority access as much as possible, starting conversations with key cybersecurity providers and requesting their support in modifications that they recommend during this period. Also, reinforce communication and the internal alert process, such as in the coordinated work with cybersecurity teams in the event that it is possible to be affected by an attack,” adds Stranieri.
Meanwhile, Unico’s spokesman says that many nations have their cyber contingency and resilience plans for critical infrastructure. “Cybercrime feeds off the fact that there is a digital war going on. So traditional corporations (that don’t deal with critical infrastructure) also need to have their guard up and do what we call cyber hygiene. Increase monitoring, responsiveness, review accounts with the adoption of multi-factor authentication for all, and be very vigilant during this period.”
With a metaverse in development, D’Addario adds that information security and cybersecurity have become a fundamental necessity. “Those who do not invest in cybersecurity and handle a joystick in the coming decades will not be prepared to deal with crises and cyber defense.”