Cyber Activity Surges as Russia Masses on Ukraine's Border

Expert Sees 'Dramatic Increase in Cyber Intrusions'; White House Seeks De-Escalation
Ukraine has blamed Russia for launching hack attacks in 2015 and 2016 that crashed parts of the country's power grid in the dead of winter.

Cybersecurity experts are warning that an increasing tempo of Russian intelligence and disinformation operations suggests a prelude to an invasion of eastern Ukraine.

Russia has moved 175,000 soldiers to its border with Ukraine, as Russian President Vladimir Putin has continued to criticize NATO and Ukraine's plans to join the organization.

"We have made it clear that NATO's move to the East is unacceptable," Putin said at a Thursday press conference. "The United States is standing with missiles on our doorstep. Is it an excessive requirement not to install shock systems at our house? How would the Americans react if missiles were placed at the border with Canada or Mexico?"

The White House says it's closely monitoring the moves by Moscow, together with the CIA, National Security Agency and U.S. Cyber Command.

"We are continuing to watch closely Russia's alarming movement of forces and deployments along the border with Ukraine," a senior White House official said Thursday in a background briefing with reporters.

The official said that Russia has also been running a disinformation campaign that appears to be designed to destabilize Ukraine President Volodymyr Zelenskyy's administration.

NATO members have called on Russia to withdraw from Crimea - a part of Ukraine it has occupied since 2014 - and to use "diplomatic channels" for further discussions.

"We are gravely concerned by the substantial, unprovoked and unjustified Russian military buildup on the borders of Ukraine in recent months, and reject the false Russian claims of Ukrainian and NATO provocations," NATO said last week. "We call on Russia to immediately de-escalate, pursue diplomatic channels, and abide by its international commitments on transparency of military activities."

The U.S., U.K. and allies have dispatched government cybersecurity experts to assist Ukraine as it bolsters its cyber defenses ahead of a further Russian invasion, but it's not clear how much of an impact such help might have, The New York Times reported on Monday.

On Thursday, the senior White House official said there have been no signs of de-escalation by Moscow.

"I think we have seen … stepped-up efforts by the Russian government to do what it has often done in advance of these sorts of incursions in the past, which is increase disinformation, try to drive a narrative publicly that it is Ukraine that is escalating, as opposed to Russia," the official told reporters. "To be clear, we see no evidence of that escalation on the Ukrainian side. And we have tried to be very clear to partners and allies that this is a Russian disinformation effort that's underway. It's not unexpected; it fits a standard playbook."

'Dramatic Increase in Cyber Intrusions'

The tempo of Russian cyber operations has continued to increase in recent weeks, says Dmitri Alperovitch, chairman of Silverado Policy Accelerator and the co-founder and former CTO of cybersecurity firm CrowdStrike.

"Since early December, there has been a dramatic increase in cyber intrusions on Ukraine government and civilian networks from Russia," including banking, government and infrastructure systems, Alperovitch says via Twitter. "The targets are precisely the ones that you'd expect to be targeted for intel collection and battlefield preparation ahead of an invasion."

Alperovitch notes that Putin is nearly 70 years old, anxious to tie up loose geopolitical ends for his country, and "likely believes the military cost will be low" if Russia occupies the eastern part of Ukraine and uses it to "establish a permanent buffer zone between Europe and Russia, as well as a land bridge to Crimea."

Hacking Ukraine's Power Grids and Infrastructure

Russia has a reputation for allegedly turning off the power in Ukraine. In December 2015, hackers crashed electricity-generating systems in eastern Ukraine - the first time power outages were ever known to have been caused by a hack attack. One year later, power-generation facilities in Ukraine were again targeted, in that case causing temporary blackouts in the country's capital of Kyiv. Ukraine's president blamed both incidents on Russia.

Other incidents have targeted government systems, including the country's treasury. In 2017, the destructive NotPetya malware attack was launched via Ukraine's primary tax software provider, causing global damage. The CIA attributed that attack to Russia's GRU military intelligence unit.

As those incidents demonstrate, Russia hasn't appeared to shy away from "live testing things," Robert Hannigan, the former head of the Government Communications Headquarters, which is the U.K.'s signals intelligence, cryptographic and information assurance agency, has said.

While some activities have looked like outright experimentation, others appear to have been testing, refining and pre-positioning to potentially launch destructive attacks, for example, against utility networks.

Ukraine: 'Russia's Cyber Playground'

"For many years, Ukraine has been Russia's cyber playground," Ciaran Martin, who ran GCHQ's National Cyber Security Center for Britain from its launch in 2014 until 2020, told the BBC on Thursday.

But as the NotPetya attack demonstrated, Russia hasn't avoided online attacks that have resulted in collateral damage for organizations outside Ukraine, and any further invasion would likely have an international impact, says Ian Thornton-Trump, CISO at threat intelligence company Cyjax.

"If or when an offensive operation occurs, the Russians will probably reveal far more significant attacks than those used in the first Ukraine invasion and 2008 Georgia campaign," he tells Information Security Media Group. "Due to the widespread VPN and multi-protocol label switching - MPLS - connections from Ukraine to outside organizations, for businesses and financial systems, any sort of significant cyberattack against Ukraine could quickly become an international cyberattack."

Putin's intentions remain a mystery. But Martin, who's now a professor of practice at the University of Oxford's Blavatnik School of Government, said that "what we do know from … Russian malign cyber activity against Ukraine is that Russia has both the capability and willingness to use it against that country."

Intelligence-gathering and disinformation efforts would move into direct support for active military operations if an invasion were to commence. "What you might expect in the event of military action is a combination of cyber-related activity and direct action against Ukrainian military communication systems, most obviously, but also possibly the sort of social disruption of things like electricity and energy supplies, disruption potentially to media, some disinformation, and so on, as well as disruption to government services," Martin said.

White House Demands De-Escalation

In the meantime, the U.S., U.K. and other NATO-allied nations have been warning Putin that they would take steps to damage Russia's economy if it further invades Ukraine.

"We've conveyed all this directly to Russia, including from President Biden to President Putin. But we've also been clear that there is a different path available should Russia choose to take it," the senior White House official said.

"The U.S. is ready to engage in diplomacy as soon as early January through multiple channels," the official added. "We've also told Russia that it's clear to us that substantive progress in these talks can only be made in an environment of de-escalation, not escalation."

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
