As the crisis in Ukraine continues to escalate, it is likely that Russia’s aggressive cyber activity will increase and spread beyond its initial Ukrainian government, military, energy, and financial targets. Russia, and those aligned with its efforts, will continue to conduct disruptive and destructive cyberattacks, cyber espionage, and information operations against Ukraine and against any governments or groups supporting Ukraine or opposed to Russia’s invasion of Ukraine.

Information Operations

In the buildup to the invasion of Ukraine, Russia launched misinformation, disinformation, and malinformation (MDM) campaigns in an attempt to establish numerous pretexts for its invasion. Recently, the Russian Security Council voted to recognize the Donetsk People’s Republic (DNR) and Luhansk People’s Republic (LNR) regions of Eastern Ukraine as independent while citing the need to protect the people in those regions from purported Ukrainian genocide. Other pretexts include:

  • Requests from the DNR and LNR to protect them from Ukrainian aggression
  • Russia’s need to demilitarize Ukraine
  • Ukraine and other former USSR states being part of the “Fatherland”
  • Russian security needs
  • Alleged Ukraine-sanctioned Nazis
  • Alleged corruption and mishandling of Ukrainian affairs
  • Western degeneration of social values, US influence

These pretexts are often supported by staged videos and doctored photos claiming to document Ukrainian aggression against Russian troops. Such MDM campaigns are expected to continue using various media platforms to further support Russia’s narrative.

Cyber Espionage

Russian intelligence services have a long history of targeting government, military, diplomatic, and other organizations and businesses worldwide for intelligence that benefits Russia’s foreign policy and military decision making. Cyber espionage activity will continue to provide Russia with intelligence in support of its activities against Ukraine, as well as its situational awareness of the activities of other nations in response to it. This intelligence will also feed its information operations and be used for further disruptive and destructive cyberattacks.

Disruptive and Destructive Cyberattacks

As part of its invasion, Russia has launched supporting cyberattacks against military, government, financial, and energy targets in Ukraine. Leading up to the invasion, Russia instigated cyberattacks against various Ukrainian banks, military infrastructure, and government services to sow fear in Ukrainian citizens and undermine their confidence that the State can protect them. This activity follows a long history of Russian-attributed cyberattacks against Ukraine, dating back to at least 2013 when Russia launched attacks against Ukrainian government networks in response to pro-democracy protests throughout Ukraine. In 2014, during Russia’s annexation of Crimea, cyberattacks crippled Ukrainian military defenses, including its radar systems. In December of 2015, Russian military intelligence operatives, referred to as Sandworm, launched cyberattacks against the Ukrainian power grid, resulting in power outages for hundreds of thousands in the Kyiv region. The malware used to disable the power grid also wiped and destroyed files on infected computer systems. In 2016, Russian military intelligence refined their malware and automated their cyberattacks against Ukraine’s power grid causing more power outages. And in 2017, Russian intelligence services inserted malware into an accounting software update that resulted in the most damaging cyberattack in history; this cyberattack is known as NotPetya and resulted in over $10B of damages worldwide. As with the power grid attack, the malware used in NotPetya also wiped the computer systems it infected.

More recently, Russian state-affiliated actors have launched numerous disruptive and destructive ransomware attacks against targets throughout the world, primarily US institutions. In May of 2021, the Russian-affiliated ransomware group Darkside compromised Colonial Pipeline, crippling the gas supply chain in the Southeastern portion of the United States. Also in May 2021, another Russian-affiliated ransomware group, Conti, targeted JBS Meats, resulting in supply chain disruptions in the food industry.

Risk Mitigation Steps

As more punitive sanctions are levied against Russia in response to its invasion of Ukraine, it is increasingly likely that these disruptive and destructive cyberattacks will spread beyond Russia’s Ukrainian targets. All organizations are advised to ensure all preventive, detective, and responsive cybersecurity controls and plans are fully implemented and updated. In particular, organizations should confirm with their respective IT and information security teams that:

  • Multi-Factor Authentication (MFA) is implemented for all remote access to internal systems and cloud services that provide critical services or host sensitive information
  • The Principle of Least Privilege is applied such that the permissions of a given user account or process are restricted to only those privileges essential to its intended function
  • Critical vulnerabilities are patched, with priority given to public-facing systems and applications
  • Public-facing web applications are protected by a web application firewall
  • Internal networks are appropriately segmented to contain an attack or malware to a subset of systems and to prevent its widespread propagation
  • Endpoint Detection and Response (EDR) software is installed on all supported endpoints and cloud workloads
  • Current backups are stored offline and have been tested to confirm their viability in fully restoring systems and data
  • All end-of-life systems and applications are decommissioned and powered off
  • Incident response plans within the organization have been updated and a crisis communications contact list includes current emergency contact information for all appropriate personnel
  • Disaster Recovery and Continuity of Operations Plans are current and can be implemented in the event of a loss of services
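One way to turn the checklist above into a repeatable gap assessment, as an added example that is not part of the advisory: the asset inventory, field names and priority scheme are all constructed assumptions; the priority-1 findings are the controls that most directly limit the impact of the wiper and ransomware activity described above.

```python
# Added example (not from the advisory): assess a constructed asset inventory
# against the checklist. Priority 1 = fix first (MFA on remote access,
# public-facing critical patches, tested offline backups), priority 2 = next.
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    public_facing: bool
    remote_access: bool        # reachable via VPN, RDP or a cloud console
    mfa: bool                  # MFA enforced on that remote access
    edr: bool                  # EDR agent installed and reporting
    end_of_life: bool          # vendor support has ended
    critical_unpatched: int    # open critical vulnerabilities
    backup_tested: bool        # offline backup restored successfully in a test
    web_app: bool = False
    waf: bool = False

# Constructed inventory for illustration only; not real systems.
INVENTORY = [
    Asset("vpn-gw", True, True, False, True, False, 2, True),
    Asset("erp-web", True, False, True, True, False, 0, False, web_app=True),
    Asset("hr-db", False, False, True, False, True, 1, True),
]

def assess(assets):
    """Return sorted (priority, asset, gap) tuples for every unmet control."""
    findings = []
    for a in assets:
        if a.remote_access and not a.mfa:
            findings.append((1, a.name, "remote access without MFA"))
        if a.critical_unpatched:
            pri = 1 if a.public_facing else 2   # public-facing systems first
            findings.append((pri, a.name,
                             f"{a.critical_unpatched} unpatched critical vulnerabilities"))
        if a.web_app and a.public_facing and not a.waf:
            findings.append((2, a.name, "public web application without WAF"))
        if not a.edr:
            findings.append((2, a.name, "no EDR agent"))
        if a.end_of_life:
            findings.append((2, a.name, "end-of-life system still in service"))
        if not a.backup_tested:
            findings.append((1, a.name, "no tested offline backup"))
    return sorted(findings)

def summary(findings):
    """Count findings per priority, e.g. {1: 3, 2: 4}."""
    counts = {}
    for pri, _, _ in findings:
        counts[pri] = counts.get(pri, 0) + 1
    return counts
```

Extending the inventory with real asset records (and, for instance, a `segment` field to check the network segmentation item) gives a prioritized remediation list that the IT and security teams can report against.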