Highly detailed Ukraine map with borders isolated on background. Flat style

Potential cybersecurity impacts of Russia’s invasion of Ukraine

On Thursday night, Russia launched a military invasion of its neighbor and former Soviet Union member Ukraine, drawing a broad rebuke from international leaders, along with significant protest from the Russian public.

The toll of human life from this war is unknown, and, like the many international acts of aggression that have preceded it, future figures and statistics will not, alone, make sense of it. The threats and dangers posed by this conflict will be borne by the combatants and the people of Ukraine, and they are in our thoughts. Our collective priority must be people’s physical safety, but Russia’s assault could also produce a range of cybersecurity-related risks that organizations and people will need to protect themselves against, starting today.

Here are some of the ways in which Russia’s invasion of Ukraine may impact cybersecurity, and what organizations can do to stay safe in a continually evolving crisis.

The risk of increased stakes

In tandem with the physical strikes against Ukraine, a piece of wiper malware first detected by researchers at Symantec and ESET had already begun targeting organizations in Ukraine. Analyzed by SentinelOne, this wiper malware has been given the name HermeticWiper and it differentiates itself from typical malware in one, important way: Those responsible for it aren’t looking for any payment—they just want to do damage.

(AV-Comparatives quickly testedseveral known anti-malware and antivirus products against HermeticWiper and its variants and found that Malwarebytes, among others, detected the malware.)

Current analyses of HermeticWiper reveal that the malware is being delivered in highly-targeted attacks in Ukraine, Latvia, and Lithuania. Its operators seem to leverage vulnerabilities in external-facing servers while utilizing compromised account credentials to gain access and spread the malware further.

These tactics are nothing new, and familiar cybersecurity best practices around privileged access hold true. But here, the stakes have changed. Even in the worst-case-scenario of any ransomware attack, there’s at least a promise (which could admittedly be false) of a decryption key that can be purchased for a price. With a wiper malware, there is no such opportunity.

As described by Brian Krebs on his blog:

“Having your organization’s computers and servers locked by ransomware may seem like a day at the park compared to getting hit with ‘wiper’ malware that simply overwrites or corrupts data on infected systems.”

The risk of collateral damage

Russia’s proclivity for cyber warfare is well recorded. In the past, the country has been credibly blamed or proven responsible for several cyberattacks against Ukraineand its surrounding neighbors, including DDoS attacks in Estonia in 2007, Georgia in 2008, and Kyrgyzstan in 2009. Russia is also believed to have been responsible for an email spam campaign against Georgia in 2008, and also for the delivery of the “Snake” malware against Ukraine’s government in 2014. And in 2015 and 2017, when Ukraine’s power grid suffered two separate shutdowns because of the malware variants BlackEnergy and Industroyer/CrashOverride, much of the evidence reportedly pointed back to Russia.

Though these attacks, like the current attacks involving HermeticWiper, were highly targeted, the idea of “tidy” cyber warfare is a farce.

In June 2017, Russia—as concluded by the CIA just months later—unleashed a cyberattack on Ukraine that spilled out into the world. The cyberattack involved a piece of malware reportedly developed by Russia’s military intelligence agency the GRU, called NotPetya. Though it presented itself as a common piece of ransomware, it actually worked more like a wiper, destroying the data of its victims, which included banks, energy firms, and government officials.

But the attack, which was reportedly carried out to harm Ukraine’s financial system, spread out, hitting networks in Denmark, India, and the United States.

It was at the time the most devastating cyberattack in history, costing the shipping company Maersk a reported $300 million, and the pharmaceutical giant Merck a reported $870 million.

Though it’s impossible to predict what type of collateral damage could occur, the US Cybersecurity and Infrastructure Security Agency has released a cybersecurity guide for all organizations in the US to follow during this turbulent time. You can read that guide, called Shields Up, here.

The risk of escalation

As Ukraine defends itself against Russian forces, world leaders are faced with a difficult decision. Should they deliver support to Ukraine in any material way, Russia may then retaliate against them with its own cyber-attacks, and these attacks are unlikely to be borne by world leaders. Instead, the “crossfire” between national cyber-fronts will likely inflict harm on everyday individuals and businesses.

Already, this decision has produced a wrinkle, as world leaders are not just defending themselves against Russia’s cyber-offensive regimes, but also against known ransomware gangs that have quickly sworn allegiance to Russia’s cause.

On February 25, the Conti ransomware group announced that it would retaliate against any known physical or cyberattacks against Russia. As we wrote on Malwarebytes Labs:

“Any doubt that some of the world’s most damaging ransomware groups were aligned with the Kremlin, this sort of allegiance will put an end to it.”

Despite a clarification about an hour later, which attempted to reframe the group’s “full support of Russian government” into “we do not ally with any government”, there can be no doubt about the threat the group poses.

Unfortunately, the risk of escalation seems likely, as countries ramp up economic sanctions against Russia, and as the US is walking a delicate balance about its own cyber initiatives. On February 24, multiple White House officials denied, as NBC News had earlier reported, that the Biden Administration was considering multiple “options” of cyber engagement “on a scale never before contemplated.”

According to White House Press Secretary Jen Psaki, who wrote on Twitter, NBC’s “report on cyber options being presented to @POTUSis off base and does not reflect what is actually being discussed in any shape or form.”

These denials, however, preceded a more recent statement made by President Joe Biden this week, in which he said that “If Russia pursues cyberattacks against our companies, our critical infrastructure, we’re prepared to respond. For months, we’ve been working closely with the private sector to harden our cyber defenses [and] sharpen our response to Russian cyberattacks.”

The risk of misinformation

Already, countless videos have begun circulating online that either make unproven claims or make claims that have specifically been debunked. Earlier today, a video that purports to show a Ukrainian fighter pilot shooting down Russian air forces in the sky was proven to be fake—a product of a simulation game called Digital Combat Simulator.

Though that video was developed as an “homage” to the so-called “Ghost of Kyiv,” social media companies have been combatting a Kremlin-backed disinformation campaign taking place on Twitter, Facebook, YouTube, and TikTok.

According to recent reporting from Politico:

“Russia-backed media reports falsely claiming that the Ukrainian government is conducting genocide of civilians ran unchecked and unchallenged on Twitter and on Facebook. Videos from the Russian government — including speeches from Vladimir Putin — on YouTube received dollars from Western advertisers. Unverified TikTok videos of alleged real-time battles were instead historical footage, including doctored conflict-zone images and sounds.”

Users should digest any viral videos and news with caution, particularly during this conflict, as the primary aggressor has a proven history with information warfare. It is also worth remembering that during wartime even reporting from reputable sources may be based on innaccurate, incomplete or out-of-date information.

The risk of scams

In 2020, as infections of COVID-19 dramatically increased to the point of officially creating a global pandemic, online scammers pounced, sending bogus emails asking for donations to fake charities and registering thousands of COVID-19-related domains to trick unwitting victims into swiping their money or their account credentials.

With Russia’s invasion of Ukraine, the same strategy will likely happen, as online scammers constantly seek the latest crisis to leverage for an attack.

When asked on Twitter for advice on which organizations to donate to in order to help Ukraine, the user @RegGBlinker said that, after she’d read through a list of such organizations, she found many that raised suspicions.

The same Twitter user has already compiled a thread that links to multiple other Twitter users who have personally offered their cybersecurity help to small-to-medium-sized businesses (SMBs) affected by the attacks in Ukraine.

At the same time, several companies and organizations have begun offering their own support. F-Secure, for example, is offering its VPN tool for free to anyone in Ukraine, and The Tor Project has released a support channel for Russian-speaking userswho want help in setting up Tor.

The full thread on support can be found here.

For any other donation offers that users think might be a scam, trust the same rules that apply to phishing emails—are there any misspellings, grammar mistakes, unknown senders, or unknown charities involved in the request? Check yourself before handing over any money.

The risk of focusing too heavily on Ukraine

While Ukraine is in crisis, several online threat actors have continued their own assault campaigns.

On February 24, multiple outlets reported that a ransomware gang that the cybersecurity firm Mandiant tracks as “UNC2596” was exploiting vulnerabilities in Microsoft Exchange to deliver its preferred ransomware, colloquially dubbed “Cuba.”On the same day, the US Cybersecurity and Infrastructure Security Agency (CISA) announced that it had spotted “malicious cyber operations by Iranian government-sponsored advanced persistent threat (APT) actors known as MuddyWater.” Those attacks were targeting both government and private-sector organizations in Asia, Africa, Europe, and North America.

An international human crisis is in no way a cause for inaction from online threat actors. Organizations should follow the same guidance they have before in protecting themselves from the most common online threats.

As CISA Director Jen Easterly warned on Twitter:

“Even as we remain laser-focused on Russian malicious cyber activity, we cannot fail to see around the corners.”

ABOUT THE AUTHOR

David Ruiz

Pro-privacy, pro-security writer. Former journalist turned advocate turned cybersecurity defender. Still a little bit of each. Failing book club member.