Russia’s massive military strike against Ukraine might look like a full-scale war, but there’s one major weapon that Russia has yet to unleash — an all-out cyberattack aimed at crippling Ukraine’s economy and critical infrastructure.
The Associated Press on Thursday reported denial-of-service and ransomware attacks against Ukrainian targets, as well as sporadic Internet outages. But the digital battle has been relatively subdued so far, compared with the major cyberstrikes that Russia has been devising for years.
“Ukraine has been a battlefield that has included cyber for a long time,” said Christopher Ahlberg, chief executive of Somerville cybersecurity firm Recorded Future. But so far, “it has not looked like it had tremendous impact.”
Still, the Russians have had lots of practice. In 2015, hackers took down electrical service in Kyiv and much of western Ukraine for six hours in mid-winter and carried out a similar attack one year later. Western intelligence agencies concluded that Russia was behind both attacks, and Ahlberg said there’s no doubt the Russians are capable of repeating the feat.
So why haven’t the Russians shut everything down? Ahlberg thinks the Russians want Ukrainians to receive news reports on how badly their country’s military is being beaten.
Russian President Vladimir Putin and his army “will have every interest in keeping that running, because they want to demoralize the Ukrainian people,” Ahlberg said. “It’s clever. It’s smart.”
But Ahlberg said Putin may rethink this approach if Ukrainian resistance proves tougher than expected. “If the conflict takes a long time and if it gets bogged down,” Ahlberg said, “then you start shutting off power, you start shutting off the Internet.”
Aside from infrastructure attacks, Russian hackers have unleashed countless malware programs that have infiltrated computers throughout Ukraine’s public and private sectors. The most notorious was NotPetya, a malware program that took advantage of a security bug in Microsoft’s Windows software that was first discovered by the US National Security Agency. NotPetya originally targeted computers in Ukraine but was so infectious that it became a worldwide threat.
The malware crippled a host of major businesses, including FedEx, pharmaceutical giant Merck, shipping company Maersk, and food company Mondelez. “It spread very rapidly, first to the rest of Europe, and then to the rest of the world,” said Josephine Wolff, associate professor of cybersecurity policy at the Fletcher School at Tufts University.
Wolff said that NotPetya has helped Russian cyberwarriors better understand the potential international fallout from a digital attack on Ukraine. “This time around,” she said, “Russia has a pretty good idea of how much damage can be done.” So far, Russia hasn’t launched a similar attack. “You could take that to mean they’re going to be a lot more careful,” Wolff said. “You could also take that to mean they’re just ramping up.”
US cybersecurity agencies are urging businesses and government agencies to beef up their security practices to avoid possible splash damage from any Russian cyberattacks on Ukraine.
“Spillover from attacks against the Ukraine is definitely possible, as we saw with the NotPetya attack in 2017,” said Bob Rudis, chief data scientist at Boston cybersecurity company Rapid7. “This does not mean that non-Ukraine entities will be specifically targeted, though that too may be possible if Russia views other nation-states as adversaries in this conflict.”
Wolff recommended that all businesses make sure that they’ve installed the latest security patches on their servers because many malware programs exploit bugs that are already well-known and can be repaired with relative ease. In addition, she urged backing up critical data to protect against ransomware or “wiper” programs that can destroy vital files.
Russia isn’t the only country that can build malware, of course. Could Ukraine or one of its allies, like the United States, use a cyberattack to switch off the lights in Moscow? “I just don’t think there’s much upside for them in doing that,” Ahlberg said, since by itself such a power outage wouldn’t hamper the Russian military attack. “It’s just going to make Putin more furious.”
But Sam Curry, chief security officer of Boston data security firm Cybereason, said the United States and other NATO members have spent years studying a wide variety of responses. They might try to influence events on the battlefield by spreading disinformation via social networks, launching data-destroying malware attacks, or even hitting critical Russian infrastructure.
“It’s interesting that Russia has gone physical first and not as much cyber,” Curry said, “but the response from other countries that don’t want to put boots on the ground has to be, what cyber options do we have?”
NBC News reported on Thursday that President Biden has been briefed on possible options for a US cyberattack, including disruption of Russia’s electrical grid, railroad network, and Internet services.