Business Continuity Management / Disaster Recovery , Critical Infrastructure Security , Cybercrime
US Officials Tracking Russian Cyberattack Escalation Risk
Experts: Threat of Sanctions Driving Russia to Respond With Online Attacks ContinuesAmid what is now a prolonged struggle in Ukraine, cybersecurity officials in the U.S. and European Union have expressed some surprise over Russia's lack of pervasive cyber strikes to date. But they warn that these actions could follow as its economy reels from sanctions.
See Also: Gartner Guide for Digital Forensics and Incident Response
This comes as the war's kinetic campaign has worsened, and the conflict has devolved into the underground - with high-profile ransomware groups backing the Russian government, and the decentralized hacking collective Anonymous waging all-out cyberwar on Russia and those supporting it. Anonymous claimed to have hacked and knocked offline dozens of Russian government, state media and banking sites (see: Anonymous Extends Its Russian Cyberwar to State-Run Media).
U.S. President Joe Biden has continually called for de-escalation. U.S. cyber officials, however, appear keenly aware that sanctions meant to choke the Russian economy could spur Russia to retaliate, perhaps targeting networks of U.S. critical infrastructure providers. Such moves, though, may trigger Article 5 of the NATO treaty - thus spurring global conflict.
On Twitter, Sen. Mark Warner, D-Va., chairman of the Senate Intelligence Committee, wrote: "I'm relieved that Russia's cyberattacks have been fairly limited thus far, but it is clear they have the capacity to do much more, and that it could be potentially devastating for neighboring NATO allies. I'm monitoring this closely and getting continuous briefings."
Warner is also urging his colleagues to pass bipartisan cyber reporting legislation that would require more communication between the federal government and the private sector in the case of an attack. He tweeted: "We can and should get this done this week."
On Tuesday, Information Security Media Group tried to contact key cybersecurity leaders on Capitol Hill, including Sens. Warner and Gary Peters, D-Mich., chairman of the Senate Homeland Security and Governmental Affairs Committee, for more information about potential cyber escalation, but did not immediately hear back.
But, calling the potential for cyber escalation "significant," Rep. Jim Langevin, D-R.I., chairman of the Congressional Cybersecurity Caucus, tells ISMG: "As the West's crippling sanctions continue to hobble Russia's economy, it is possible that Putin will use cyber means to lash out in response. While we have seen no specific, credible threats against the U.S., we need to be prepared to defend our critical infrastructure from Russian intrusions."
Blowback Against the West?
Offering his take on potential military-driven cyberwarfare, Dmitri Alperovitch, executive director of the Silverado Policy Accelerator, told CNBC: "So far, Russia has indeed not used much of its cyberwarfare capabilities in Ukraine, in part because they don't need to. Obviously, they have an overwhelming kinetic advantage with ground forces, tactical aviation. … So, I don't expect that we will see a lot in cyberspace in Ukraine itself.
"But, I do worry a lot about blowback on the West with all these sanctions that are going into place on Russia. They're going to choke their economy. … There's no way that Russia is going to take it lying down. They're going to respond, and cyber is one of the ways."
Alperovitch says the Russians could target Europe's energy sector or the U.S. financial system because of the aggressive sanctions.
"And there's no doubt that we're going to have to respond if cyberattacks are launched against us," he told CNBC. "The challenge, of course, is that you don't want to get into a 'tit for tat' cyberwar with Russia, because there's no way that the conflict will stay just in cyberspace."
Other experts, including Chris Morgan, senior cyber threat intelligence analyst at the firm Digital Shadows, agree. He tells ISMG: "The financial services sector and energy sector would be at particular risk should Russian-aligned threat groups target organizations they assess as equivalent to those impacted by Western sanctions."
And Casey Ellis, founder and CTO of the security firm Bugcrowd, says: "The cost and risk asymmetry of cyberattacks in comparison to traditional combat, along with the ease with which national borders may be crossed over the internet, [still] make it extremely difficult to forecast who will enter the conflict and how."
He adds: "My primary concern … is the relative difficulty of attribution in cyberattacks, as well as the possibility of incorrect attribution or even an intentional false flag operation escalating the conflict internationally."
Pleas in the Digital Domain
Ukraine this week formally announced its "IT Army" after an unprecedented call for sign-ups from volunteers. The Ukrainian Defense Ministry reportedly sought cyberwarriors with expertise in malware development (see: Ukraine Assembles IT Army to Perform DDoS on Russia).
Ukraine, atop its request for expedited entry into the EU and NATO, has also reportedly urged the Internet Corporation for Assigned Names and Numbers, or ICANN, to cut off top Russian domains (.ru).
The news was first reported by Rolling Stone, which said the request reportedly came from Andrii Nabok, head of a group developing fixed broadband at Ukraine's Ministry of Digital Transformation and the country's representative to ICANN, which is a multistakeholder group and nonprofit maintaining namespace and numerical databases for the internet.
Nabok reportedly asked ICANN to revoke Russian domains and identification certificates and shut down DNS root servers within Russia.
Any inability for Russia to access these servers would bar internet service providers from linking web users and websites. Some pundits and security experts claim, however, that the move could harm Russian citizens currently dependent on web services. Russia has reportedly already worked on developing its own domestic internet system.
Security Vendors Step In
As war rages and tensions escalate - including threats of a surge in ransomware - security vendors are also entering the fray, offering free cyber services to individuals and organizations.
According to a crowdsourced GitHub repository, at least a dozen companies, nonprofits and cyber experts are offering their expertise free of charge.
Companies such as GreyNoise are offering threat intelligence services, including access to a list of IPs performing reconnaissance against Ukrainian IPs.
Managed service provider Kontinuum is reportedly offering free security assessments and potentially free remediation to journalists, Ukrainians and "anyone helping the Ukrainian effort or any company stateside," the listing says.
Intelligence X says on its Twitter feed that it is offering the Ukrainian government access to its open-source intelligence platform.
And the Open Technology Fund, an independent nonprofit focused on "global internet freedom," is reportedly offering DDoS mitigation and secure web hosting services to people and organizations in Ukraine.
Also, according to the Twitter feed of Christopher Ahlberg, co-founder of the security firm Recorded Future, the company is offering its threat intelligence services to "support [Ukraine] in their fight."
Robert M. Lee, co-founder and CEO of the industrial cybersecurity company Dragos, said on Twitter that the company's platform, managed industrial control system cybersecurity services and incident response services will be offered to small co-op/municipal utilities in the U.S., U.K., Australia and New Zealand.
And in a statement to ISMG, the threat detection and response firm Vectra AI said it is offering its tools and services to those "who believe they may be targeted as a result of this conflict." Vectra says it's offering free scans of Microsoft Azure AD and Microsoft 365 environments, AWS infrastructure monitoring and other services.
++
Update - March 1, 8:15 p.m. EST - This article has been updated to include comments from Rep. Jim Langevin, D-R.I., a cybersecurity leader on the Hill.