Report: Ukrainian Government Prepared to Wipe ServersHas Contingency Plans in Place to Avoid Handing Critical Data to Russians
Tensions between Russia and Ukraine have come to a boiling point. This week, Russian President Vladimir Putin began what the West has since labeled an "invasion" of the former Soviet state, starting with two pro-Russia breakaway territories in the eastern Donbas region. The move has tasked Ukrainian network defenders with safeguarding the nation's critical assets, which are now centrally stored in its capital, Kyiv.
The Ukrainian government is reportedly prepared to wipe its servers and transfer sensitive data out of Kyiv if Putin moves on the capital, according to a new report from Politico. The contingency accounts for an IT decision it made in 2014, following the invasion of Crimea in southern Ukraine and separatists' seizure of parts of Donbas. At the time, Politico says, Ukraine centralized its computer systems so that Russian threat actors were unable to siphon critical data or disable government services from territorial outposts, or even turn locally run networks against Kyiv with regular attacks.
While the move shifted critical assets away from pro-Russian separatists and perhaps farther from Russia-backed hackers, it has placed a target on Kyiv - which is now a repository of sensitive documents and citizen data.
Fears of Full-Scale Invasion
Politico reports that Ukraine's government, under President Volodymyr Zelenskyy, now intends to move, save or delete data to prevent its capture. And Ukrainian Deputy Chief of State Service of Special Communications and Information Protection Victor Zhora, told the publication that there are plans to avoid mass exposure of Ukrainian data should Putin seize the capital.
In regard to the latter, Newsweek on Wednesday reported that the administration of U.S. President Joe Biden has informed Zelenskyy of intelligence pointing to a broader invasion within the next 48 hours. A U.S. official told the publication that Russia had reportedly violated Ukrainian airspace, possibly flying reconnaissance missions.
A U.S. intelligence official told Newsweek that the campaign could include airstrikes, cruise missiles and a ground invasion. What's more, U.S. intelligence points to a Russian move toward Kyiv from Ukraine's northern neighbor, Belarus. The official also reportedly predicted that Russia may initiate a cyberattack on Ukraine that could enable other military operations.
The U.S. National Security Council and the Pentagon did not immediately respond to Information Security Media Group's request for further details.
According to the Politico report, Ukrainian cyber teams have been ordered to "cut off" access to any compromised accounts. And with a centralized, Kyiv-based system, Ukrainians reportedly say they are prepared to "disable" infrastructure and transfer to backups in "fallback positions."
Zhora also told the political outlet that, thanks to faster internet and technological advancement, the country is now more equipped to safeguard its systems and backups than it was eight years ago, when the Russians first crossed into Ukraine.
Rapid Response Team
On Tuesday, the European Union confirmed that it had activated its elite Cyber Rapid Response Team to help safeguard Ukrainian networks. The six-nation cyber unit will dispatch some 10 cyber military experts, perhaps to Ukraine, to hunt for vulnerabilities and provide additional technical support and IT equipment (see: EU Activates Cyber Rapid Response Team Amid Ukraine Crisis).
Croatia, Estonia, Lithuania, the Netherlands, Poland and Romania currently make up the team, which is part of the EU's Permanent Structured Cooperation; this is its first deployment.
Calling the activation of the Rapid Response Team "extremely positive," John Fokker, head of cyber investigations and principal engineer with the security firm Trellix, tells ISMG: "Any [future] attacks will [now] be incredibly discreet as attackers seek to conceal their activity and ultimate objectives. … It is a concerning time for many across the EU, but we're stronger together and must continue to fight against cyberwarfare."
Monthslong Guessing Game
Putin has for months hinted at an invasion and has gradually amassed more than 100,000 troops along Ukraine's border. The actions stem from Putin's grievances with Ukraine's plan to join NATO. He initially demanded Ukraine renounce such plans and directed NATO to remove its troops from Eastern Europe.
The escalation also follows a string of cyberattacks suspected to have been carried out by the Russians - including a defacement campaign on Ukrainian government sites in January, and a DDoS attack on the country's Ministry of Defense - and two banks - just last week. U.S. and U.K. officials later attributed the activity to Russian actors.
The cyber uncertainty also dates back years. Ukraine's electric grid was the target of Russian cyberattacks during peak winter season in 2015 and 2016. The following year, Russia allegedly leveled its crippling NotPetya malware on Ukrainian systems.
Foreign policy experts contend that Russia views Ukraine - which gained its independence at the fall of the Soviet Union in 1991 - as part of its sphere of influence.
And as Putin moved on the Donetsk and Luhansk regions this week, the U.S. was quick to respond - announcing sanctions on two large Russian banks and against individual members of the Russian elite. The Pentagon on Tuesday confirmed that it will be sending additional troops to Ukraine's eastern flank to deter Russian aggression.
Carefully Watching Baltic States
With fears of potentially crippling cyberattacks mounting - including those inside and outside of Ukraine - the European Parliament is warning that the neighboring Baltic states could become collateral damage or be wedged into Putin's political aims.
Bart Groothuis, a member of the European Parliament and a former cybersecurity official at the Dutch Ministry of Defense, said on Tuesday that Estonia, Latvia and Lithuania may experience cyberattacks or disinformation efforts. Also according to Politico, Groothuis said the Baltic region is an "easy way to put pressure on the EU and NATO."
A European Parliament delegation visited Estonia and Lithuania this week as part of its defense and diplomatic efforts. The officials warn of cyber damage to Ukrainian networks carrying over to the neighboring countries or targeted attacks on those allied with the West.
Other cybersecurity experts say unintended, or even intended, consequences of the campaign could easily move abroad.
David Simon, a former special counsel at the U.S. Department of Defense and a leading member of the global cybersecurity and data privacy practice at the law firm Mayer Brown, tells ISMG: "A spike in ransomware and other cyberattacks is expected. And companies, particularly related to critical infrastructure and related supply chains, should ensure that data is backed up in a secure location, update software and prioritize patching of known exploited vulnerabilities, and, as cybersecurity is a team sport, confirm that their internal and external team of cyber incident responders are available ... to assist."
Lisa Plaggemier, interim executive director of the National Cybersecurity Alliance, says the interconnectivity of today's digital ecosystem means comparable cyberattacks on government stakeholders could have knock-on effects for private stakeholders.
"Because this conflict is expected to feature more cyberwarfare than we have ever seen before, security professionals are losing a ton of sleep as they do not know how widespread the impacts of an attack on Ukraine could ultimately be, and whether their organizations will be caught up in the fallout," she says.
Update - Feb. 23, 3:30 p.m. EST: Shortly after news of the warning was made public, Ukraine reported several DDoS attacks on both government and banking websites. This is a breaking story.