State of Cyberwar One Month into Russian Invasion of Ukraine

Key Takeaways

  • Ukraine continues to suffer minor cyberattacks but has been able to keep its most important networks online.

  • American and British cyberwarfare experts visited Ukraine just months before the invasion to help strengthen its defenses.

  • Anonymous has successfully led several offensive attacks against the Russian government and Russian companies.

  • On March 21, President Biden warned the private sector that US intelligence suggests Russia is planning cyberattacks against the US, and CISA has released the ‘Shields Up’ initiative to bolster our country’s defenses.

As expected, cyber warfare continues to be a vector of attack in Russia’s siege on Ukraine. So far in March 2022 there have been 10 major cyberattacks on Ukraine, including different phishing campaigns, disinformation spreading, and malware. For a full timeline of all reported cyberattacks on Ukraine and a short description of each, check out the CyberPeace Institute.

Despite the constant Russian cyber threat, Ukrainian networks have largely remained online. Russian attacks have been blunted because “the Ukrainian government has taken appropriate measures to counteract and protect our networks”, said Victor Zhora, a senior Ukrainian government official.

How has Ukraine managed to face down one of the world’s cyber superpowers?


American Help Before the Invasion

The United States has been helping to bolster Ukraine’s cybersecurity capabilities since long before the Russian invasion. The State Department in early 2022 announced that the US would give Ukraine $8 million in cybersecurity assistance funds. 

A December 2021 article from the New York Times claims that months before the Russian invasion, a team of American and British cyberwarfare experts fanned out across Ukraine looking for ways to patch and defend key networks before the looming invasion. Some were soldiers, with the US Army’s Cyber Command. Others were civilian contractors and some employees of American companies that help defend critical infrastructure.

The operation also urgently hunted for hidden malware, the kind which Russia could have planted, then left dormant in preparation to launch a devastating cyber attack alongside a more conventional ground invasion. 

It’s impossible to say which attacks were deterred by the help from these British and American cyber consultants before the war, but it’s easy to imagine much worse attacks than what have happened so far.

Anonymous Declares War on Russia

Help from the international community has also come on the offensive side of cyber operations. It’s been nearly 4 weeks since the infamous hacking group Anonymous declared war on Russia. What damage have they been able to inflict since then?

The biggest victories have been disabling prominent Russian government, news and corporate websites and leaking data from Roskomnadzor, the federal agency responsible for censoring Russian media.

Recently, Anonymous claims to have hacked into vulnerable printers across Russia in order to print 'anti-propaganda' messages about the invasion of Ukraine. A member of Anonymous tweeted: "We have been printing anti-propaganda and Tor installation instructions to printers all over Russia for 2 hours, and printed 100,000+ copies so far. 15 people working on this op as we speak." The idea behind printing Tor instructions is that Russian citizens will be able to install the Tor anonymity software, which routes traffic through multiple encrypted relays, to reach news outlets not controlled by the Russian government while retaining anonymity.

Anonymous hacktivists warned that the next target will be corporations that refuse to pull their business from Russia. “We call on all companies that continue to operate in Russia by paying taxes to the budget of the Kremlin’s criminal regime: Pull out of Russia! We give you 48 hours to reflect and withdraw from Russia or else you will be under our target!” a prominent Anonymous account tweeted.

Anonymous is also providing free penetration testing for Ukraine. One hacker announced that they had conducted penetration testing on 14,000 cameras around Kyiv — because “if we can, the Russians can as well” — and found vulnerabilities in 300. “We’ll bring this to the attention of #Ukraine IT as soon as possible. But it’s a lot better than we were expecting,” they tweeted, adding that they would be moving on to doing pentesting for other major Ukrainian cities’ cameras too.

Open Source Sabotage

In an unprecedented act of hacktivism, the maintainer of a popular open source networking library called “node-ipc” deliberately added destructive code to his software to wipe computers in Russia and Belarus. The maintainer, known by his online name RIAEvangelist, does not regret his decision to compromise his own code because he sees it as his way of contributing to world peace. The rest of the FOSS (Free and Open Source Software) community, however, is infuriated that he would break the number one rule of open source maintenance.

The open source community is built on the vision of an altruistic online world where maintainers of projects can be trusted to keep malware away from their users. For the maintainer of a package as widespread as “node-ipc” (sometimes downloaded over a million times a week) to deliberately push malware to his users dismantles the trust on which the open source model has relied for decades. One comment on his GitHub page reads, “You just destroyed your work, career and probably your online life”.

America’s “Shields Up” Response

On March 21, 2022, President Biden announced that Russia was considering waging cyber attacks on the US in retaliation for the heavy economic sanctions. Biden urged the private sector to double down on security, as evidence of “preparatory activity” for hacking had reportedly been detected.

In response to the looming threat of either a direct or indirect cyberattack from Russia, the Cybersecurity and Infrastructure Security Agency (CISA) has launched the “Shields Up” initiative to prepare U.S. organizations for more sophisticated attacks. CISA’s website states, “Evolving intelligence indicates that the Russian Government is exploring options for potential cyberattacks. Every organization—large and small—must be prepared to respond to disruptive cyber incidents”.

CISA’s website has specific guidance for all organizations, recommendations for CEOs, tips on how to deal with ransomware, guidance for individuals, and technical guides. The website also urges organizations to report anomalous cyber activity and/or cyber incidents 24/7 to report@cisa.gov or (888) 282-0870.

The White House’s push for fast incident reporting is backed by a timely bill that was just signed. On March 15, 2022, President Biden signed the Consolidated Appropriations Act, 2022 into law. One section of the new bill is titled the Cyber Incident Reporting for Critical Infrastructure Act of 2022. This act significantly expands federal cybersecurity incident and ransom payment reporting requirements for critical infrastructure entities.

Looking Ahead

As with the rest of the invasion, Russia’s cyber attacks have not led to the swift victory that Putin was hoping for. Experts continue to assess why Russia has not unleashed a broader or more powerful arsenal of cyber weapons thus far in the war. It could be that Russia does not want to reveal its most powerful exploits if it doesn’t have to. It’s possible that if a stalemate occurs and Russia is desperate, we could see much more powerful cyber action, and if U.S. intelligence is correct, we could see direct attacks on U.S. companies and infrastructure, which would significantly escalate tensions between the U.S. and Russia. Cyber warfare has been present but somewhat underwhelming to date during the invasion of Ukraine. That said, cyber warfare could easily become what turns the tide or escalates this into a much bigger conflict.