
CYBER WARFARE AMID THE RUSSIAN INVASION OF UKRAINE

Keanna Grelicha, CICYBER Team

Week of Monday, March 7, 2022



[Image: Anonymous emblem][1]


Russia has been using a hybrid warfare strategy against Ukraine consisting of cyber warfare, such as cyberattacks and disinformation campaigns, alongside conventional military action like on-the-ground troops.[2] An unknown State-sponsored cyber group targeted Ukrainian government agencies and Critical Information Infrastructure (CII), like networks and databases, with a data-wiping malware named WhisperGate, which deleted and overwrote data on the targeted operating system (OS).[3] The cyberattacks on Ukrainian government agencies will very likely lead to the theft of sensitive information from Ukrainian servers, likely allowing continued breaches and data theft if the OS becomes inoperable. Anonymous, an international hacker group, conducted cyberattacks against Russia soon after Ukraine requested help defending its cyber infrastructure.[4] The danger of country-versus-country cyber warfare will almost certainly increase, putting the involved countries’ populations at risk of cyberattacks if State-sponsored cyber groups or other countries get directly involved. The increase in cyber warfare will almost certainly impact other countries’ cyber infrastructure if other State-sponsored cyber groups or threat actors engage.


Russian State-sponsored cyber groups used WhisperGate malware to attack Ukrainian government agencies and banks during the Russian invasion.[5] The cyberattacks on Ukrainian government agencies will very likely lead to the theft of sensitive information from Ukrainian servers and operating systems, likely leading to continued breaches if those systems become inoperable. If threat actors continue to launch Distributed Denial of Service (DDoS) attacks, they could very likely use an undetected backdoor on Ukrainian servers to collect data and re-enter the systems in future assaults. DDoS attacks use multiple connected devices, typically compromised with malware, to flood the target with traffic and overwhelm its systems.[6] Threat actors seeking government data will likely use cyberattacks against Ukrainian CII, likely creating more vulnerabilities within Ukraine’s cyberspace. Vulnerabilities, like open entry points or missing firewall protection caused by damage to CII, will very likely allow threat actors to infiltrate Ukrainian government infrastructure by accessing servers with limited protection. Ukrainian servers will very likely become inaccessible due to cyberattacks, likely leaving Ukraine unable to add software firewall protection or perform counter-attacks.


The cyber group Anonymous conducted cyberattacks that took the Kremlin, the Russian State Duma, and the Ministry of Defense of the Russian Federation offline and left their critical information database inaccessible.[7] Anonymous is known for conducting cyberattacks against Western government agencies and infrastructure, and against the Islamic State (ISIS).[8] Anonymous’ cyberattacks on Russian cyber infrastructure almost certainly follow the group’s pattern of targeting government agencies and infrastructure to destabilize a country’s cyber capabilities. If Anonymous continues to claim attacks against the Russian government, other international or individual hacker groups could very likely add to the cyber warfare between Russia and Ukraine. If other hacker groups involve themselves in the invasion, non-State actors that support Russia will likely join the cyber warfare and retaliate against those groups. If the cyber warfare escalates, it could very likely involve non-State hacker groups from other countries conducting cyberattacks against other entities as well. This escalation could likely lead to a cyber war among different hacker groups stemming from the Russian invasion of Ukraine.


Cyberattacks by Anonymous and other hacker groups could escalate the conflict if they continue to target Russia for conducting cyberattacks against Ukraine and Western countries.[9] The ability of hacker groups to attack Russian government infrastructure demonstrates that more groups are capable of targeting Russian agencies and getting involved in the invasion. Increased involvement could very likely lead to an increase in State-sponsored cyberattacks against other threat actors and Ukraine, very likely leading to further military and cyber confrontations with Ukraine. Continued military and cyber confrontation will very likely lead threat actors to physically target Ukrainian infrastructure to weaken the country’s critical infrastructure. Increased military battles will almost certainly impact Ukraine’s population if Russia gains significant control over Ukrainian critical infrastructure like nuclear power plants, which supply heat to people. Attacking physical infrastructure necessary to the population will very likely lead Ukraine to ask other countries for help responding to Russia militarily, or to surrender to protect Ukrainian communities from military attacks. Other countries’ involvement in military escalation will almost certainly increase Ukrainian military capabilities and likely provoke Russian nuclear threats, almost certainly impacting the international community.


Anonymous used DDoS attacks to flood Russian government entities’ systems with irregular data traffic and shut down their servers.[10] Anonymous developed a website permitting other cyber groups to help with the DDoS attacks by spamming Russian contact information listed in the website’s database.[11] DDoS attacks shutting down Russian systems will very likely create vulnerabilities in Russia’s cyberspace, like impeding Internet and server communications for software within the government’s CII, very likely allowing other attacks on the disrupted servers to take place. Server communication problems and software vulnerabilities will very likely force Russia to focus its efforts on mitigating the impacts. These issues will very likely give Ukraine the time to improve its defensive cyber capabilities, such as network patching and risk assessments, to protect its CII. This will likely allow Ukraine to defend its cyberspace from cyberattacks and retaliate against threat actors with cyberattacks. Anonymous targeting Russian strategic sectors, such as Russian government websites, will very likely leave entry points in the servers accessible for future exploitation of vulnerabilities and further cyberattacks as the conflict continues.


After Anonymous claimed credit for the cyberattacks on Russian entities, a malware attack using a new data wiper called HermeticWiper targeted a Ukrainian financial institution.[12] State-on-State cyber warfare is likely to occur as State-sponsored cyber groups target other countries’ infrastructure, likely contributing to the escalation of the Russia-Ukraine conflict. If cyber groups like Anonymous do not claim the cyberattacks, Russia could very likely perceive that other countries which threatened Russian CII in the past, and those opposing the invasion, are conducting the unclaimed attacks. Russia used a video showing a fake Ukrainian civilian attack against Russia to legitimize the invasion to the international community.[13] The use of fake videos or similar tactics will very likely be replicated by threat actors to pursue those they deem threats. Involving other countries will very likely negatively impact Russia’s ability to effectively invade Ukraine, as opposing countries will very likely assume defensive and retaliatory positions to stop the invasion via cyber warfare. Continued cyber warfare will very likely set a precedent for future conflicts in which hybrid warfare strategies are used when retaliating against other countries to weaken and destabilize their cybersecurity.


Iran has expressed interest in strengthening ties with Russia and defending Russia’s stance on security in the region after the EU and US imposed economic sanctions on Russia for the invasion.[14] Threats to Russia’s cyberspace and the sanctions’ impact on the Russian economy will very likely encourage Russia to seek alliances with other countries, like Iran or China, to support its economy. Potential Chinese assistance in monetary funding and fiscal agreements would very likely help Russia withstand the negative financial impact of the sanctions. If allied countries reduce Russian economic stress through the provision of funds, Russia will very likely focus on its invasion plans without the resource constraints the economic sanctions imposed. If Anonymous or other cyber groups targeted Russian critical infrastructure, it would very likely result in retaliatory cyberattacks against Ukraine and other countries that threaten Russia’s security.


The US Department of Homeland Security (DHS) and the US Cybersecurity and Infrastructure Security Agency (CISA) advised government agencies and private institutions to “Shields Up”, meaning update their security practices and policies and protect their backups and data, due to the continued Russian cyberattacks.[15] The cyberattacks on Ukraine could very likely be replicated in the cyberspaces of countries that helped Ukraine during the invasion or sanctioned Russia. Without proper cybersecurity measures in practice, organizations will almost certainly become cyberattack victims, as they will lack the appropriate mechanisms to mitigate the impact. Google’s YouTube platform[16] and Facebook implemented restrictions that limit and ban posts from Russian State news agencies like RIA Novosti and Lenta.ru, along with marking the content from those agencies as unreliable.[17] The perceived threat of escalation very likely led organizations like Facebook and Google to implement rules responding to Russia’s disinformation campaigns. The banning of pro-Kremlin content supporting Russia’s invasion and Russian President Putin’s regime will very likely prompt responses targeting these social media platforms in future cyberattacks. The threat of cyberattacks will very likely garner a protective response from the platforms’ home country, as a cyberattack on the platforms will very likely threaten the country’s population if individuals’ personal data is stolen or used for identity theft to collect further intelligence.


The Counterterrorism Group (CTG) recommends that Ukraine implement State-centric cyber policies concerning cyberspace security. The State-centric cyber policies should almost certainly include regularly conducted threat and risk assessments to determine system vulnerabilities and update protocols and network security. Implementing these policies will almost certainly allow for capacity-building of cyber defensive and offensive capabilities, like firewall prevention measures and anti-virus and anti-malware systems that target irregular traffic within an OS. Firewall prevention measures will almost certainly allow for the defensive protection of the OS by securing data traffic flowing within the servers of the CII. The anti-virus and anti-malware systems will almost certainly act as offensive measures to target irregular activity and respond in retaliation to an attack on the OS. The policies will almost certainly help improve current cyber capabilities within Ukrainian CII and increase the country’s security in cyberspace to effectively prevent and mitigate Russian cyberattacks.
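The report describes DDoS floods as many devices overwhelming a target with traffic, and its recommendations call for systems that spot irregular traffic. The script below is an added example, not code from the CTG report or any of the cited outlets: it parses web-server access-log lines in the common Apache/nginx combined layout and flags any source address whose request rate in a sliding time window exceeds a threshold, which is the simplest form of flood detection a defender can run over existing logs. The log lines, IP addresses (RFC 5737 documentation ranges), window length and threshold are all constructed for the example.

```python
"""Rate-based request-flood detector over constructed web access-log lines.

Added example (not from the CTG report). Assumes the common combined-log
line layout; sample lines, addresses, window and threshold are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined-log layout: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "request": m["req"],
        "status": int(m["status"]),
    }


def peak_rate(timestamps, window):
    """Largest number of requests from one source inside any interval of length `window`."""
    times = sorted(timestamps)
    best, start = 0, 0
    for end, t in enumerate(times):
        # Slide the window start forward until it is within `window` of `t`.
        while t - times[start] >= window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_floods(lines, window_seconds=10, threshold=50):
    """Return ({ip: peak_count} for sources over the threshold, malformed-line count)."""
    by_ip = defaultdict(list)
    malformed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            malformed += 1      # unparseable lines are counted, never silently dropped
            continue
        by_ip[rec["ip"]].append(rec["ts"])
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, stamps in by_ip.items():
        peak = peak_rate(stamps, window)
        if peak > threshold:
            flagged[ip] = peak
    return flagged, malformed


def _fmt(ip, when, request, status, size):
    return f'{ip} - - [{when.strftime(TS_FMT)}] "{request}" {status} {size}'


def build_sample_log():
    """Constructed sample: one normal client, one flooding source, one broken line."""
    base = datetime(2022, 3, 7, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    # Normal client: five requests, one every 15 seconds.
    for i in range(5):
        lines.append(_fmt("198.51.100.7", base + timedelta(seconds=15 * i),
                          "GET /news HTTP/1.1", 200, 2048))
    # Flooding source: 120 requests packed into roughly 8 seconds.
    for i in range(120):
        lines.append(_fmt("203.0.113.9", base + timedelta(milliseconds=66 * i),
                          "GET / HTTP/1.1", 503, 0))
    lines.append("this line is deliberately malformed")
    return lines


if __name__ == "__main__":
    flagged, bad = detect_floods(build_sample_log())
    for ip, peak in flagged.items():
        print(f"FLOOD {ip}: peak {peak} requests in a 10 s window")
    print(f"{bad} malformed line(s) skipped")
```

The sliding window is what keeps the check honest: a source that spreads requests evenly over a minute is not flagged, while one that packs them into a few seconds is, even if both send the same total. In practice the threshold is tuned from a baseline of normal traffic, and a flagged address feeds a rate limiter or firewall rule rather than being blocked blindly, since many legitimate clients can share one address behind NAT.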


The CTG’s Counterintelligence and Cyber (CICYBER) Team will continue to monitor the development of cyber warfare amid the Russian invasion of Ukraine. The CICYBER Team will continue to evaluate existing countermeasures, cyber policies and capabilities that Ukrainian institutions could very likely implement to deter and mitigate attacks from Russian entities. The CTG’s Worldwide Analysis of Threats, Crime, and Hazards (W.A.T.C.H) Officers will remain vigilant on reported cyber threats made by State-sponsored groups or independent cyber actors to help monitor the situation. The CICYBER Team’s collaboration with the CTG’s EUCOM Team will effectively monitor the regional conflict, as both teams will provide analysis and recommendations if cyber warfare increases during the conflict.


________________________________________________________________________

[2] What is hybrid war, and is Russia waging it in Ukraine?, The Economist, February 2022, https://www.economist.com/the-economist-explains/2022/02/22/what-is-hybrid-war-and-is-russia-waging-it-in-ukraine

[3] New data-wiping malware used in destructive attacks on Ukraine, Bleeping Computer, February 2022, https://www.bleepingcomputer.com/news/security/new-data-wiping-malware-used-in-destructive-attacks-on-ukraine/

[4] Anonymous: the hacker collective that has declared cyberwar on Russia, The Guardian, February 2022, https://www.theguardian.com/world/2022/feb/27/anonymous-the-hacker-collective-that-has-declared-cyberwar-on-russia

[5] New data-wiping malware used in destructive attacks on Ukraine, Bleeping Computer, February 2022, https://www.bleepingcomputer.com/news/security/new-data-wiping-malware-used-in-destructive-attacks-on-ukraine/

[6] Distributed Denial of Service (DDoS), Imperva, 2022, https://www.imperva.com/learn/ddos/denial-of-service

[7] Anonymous: the hacker collective that has declared cyberwar on Russia, The Guardian, February 2022, https://www.theguardian.com/world/2022/feb/27/anonymous-the-hacker-collective-that-has-declared-cyberwar-on-russia

[8] Ibid

[9] Anonymous news – live: Hacking attacks and cyber warfare could lead Russia to cut itself off from the internet, The Independent, March 2022, https://www.independent.co.uk/tech/anonymous-news-hack-latest-russia-ukraine-b2029955.html

[10] Anonymous: the hacker collective that has declared cyberwar on Russia, The Guardian, February 2022, https://www.theguardian.com/world/2022/feb/27/anonymous-the-hacker-collective-that-has-declared-cyberwar-on-russia

[11] Anonymous leaks database of the Russian Ministry of Defense, Cybernews, February 2022, https://cybernews.com/news/anonymous-leaks-database-of-the-russian-ministry-of-defence/

[12] Anonymous: the hacker collective that has declared cyberwar on Russia, The Guardian, February 2022, https://www.theguardian.com/world/2022/feb/27/anonymous-the-hacker-collective-that-has-declared-cyberwar-on-russia

[13] Russia plans ‘very graphic’ fake video as pretext for Ukraine invasion, US claims, The Guardian, February 2022, https://www.theguardian.com/world/2022/feb/03/ukraine-russia-fake-attack-video-us-claims

[14] As the world shuns Russia over its invasion of Ukraine, Iran strengthens its ties with Moscow, Atlantic Council, March 2022, https://www.atlanticcouncil.org/blogs/iransource/as-the-world-shuns-russia-over-its-invasion-of-ukraine-iran-strengthens-its-ties-with-moscow

[15] Cyber officials urge agencies to armor up for potential Russian attacks, The Hill, February 2022, https://thehill.com/policy/international/russia/595945-cyber-officials-urge-federal-agencies-to-armor-up-for-potential

[16] Anonymous: the hacker collective that has declared cyberwar on Russia, The Guardian, February 2022, https://www.theguardian.com/world/2022/feb/27/anonymous-the-hacker-collective-that-has-declared-cyberwar-on-russia

[17] Russia partially restricts access to Facebook to ‘protect Russian media’, The Guardian, February 2022, https://www.theguardian.com/world/2022/feb/24/ukraine-hackers-defend-against-russia
