This important update provides an expert analysis of the emerging cyber-risks associated with the recent escalation of tensions on the border between Russia, Belarus, and Ukraine. It is intended to support any Western business with interests in the region that is seeking to understand and respond to the potential threats it faces.
In recent weeks the world has seen a clear escalation of tensions on the border between Ukraine and Russia. 100,000 troops massing on an international border is always going to generate headlines and lead TV news reports.
However, as Western nations and businesses advise their nationals and employees to leave Ukraine, the focus on the risk of conventional military action may be missing the continuing, underlying threat that Russian-led or Russian-supported cyber-attacks pose to Western interests in the region. This is already a live concern for NATO countries and others, with bodies such as the European Central Bank already putting preparations in place for Russian cyber-aggression.
Whilst the primary focus of international diplomacy has been on reducing the likelihood of a conventional military operation, Russia’s increasing experience and expertise in cyber-warfare means that businesses with interests in the region need to be prepared for the widescale disruption that cyber-attacks could generate.
Such attacks could not only directly affect commercial interests in the country but, as we have seen with previous attacks, also have the potential to jump international borders, causing widespread disruption in other nation-states. To help our clients, Elicius Intelligence analysts have been speaking to experts on the ground to assess the likelihood and impact of cyber-attacks on Western businesses.
A Holistic Approach
It is increasingly difficult to define a hard boundary between cyber and conventional attacks. Russia itself now clearly regards the two as forming a single strategic approach to achieving its military objectives. What this means in practice is that any movements on the ground would almost certainly be accompanied by cyberattacks focused on disabling key infrastructure, causing disruption at a local level, and projecting Russian power. These have the potential to cause disruption and cost for businesses with interests in the region.
Our intelligence indicates that the key Russian objective in coordinating cyber- and kinetic methods would be localised disruption, for instance reducing the ability of Ukrainian forces to communicate by disabling local communication networks. This is a strategy that Russia has adopted before. During Russia’s attacks on Georgia in 2008, conventional military attack was preceded by cyber-attacks to disable local communication networks.
In the more than a decade since this attack, Russia is widely known to have invested heavily in electronic warfare capabilities. This means that Russian technology and expertise have increased exponentially, boosting their capacity to mount coordinated attacks. It is also important to note that these capabilities have developed to allow much more targeted attacks that are focused on very specific localities (a town or city) or very specific objectives (such as disrupting military communication channels). This ability to focus attacks more effectively potentially reduces the wider risks to commercial interests in the region, but it does not eliminate them.
Risks of Contagion
It would be wrong for businesses to entirely dismiss the risk of their interests being hurt by cyber-attacks that spill beyond the intended target. The potential for this to happen was seen relatively recently with the 2017 NotPetya attack. This attack specifically targeted Ukrainian businesses with a variant of the Petya ransomware. Because it hit financial services, shipping, and logistics, the consequences of this attack were far-reaching, affecting supply chains globally.
It achieved this by infiltrating a popular Ukrainian accounting software called M.E.Doc. Although this was intended to be a targeted cyber weapon against Ukraine, it ended up “escaping” and hurting the global economy, including Russia itself (though not as much as Ukraine or Germany). Total damage to the world economy was estimated to be USD 10 billion from this attack.
However, there are several reasons why our analysts and experts believe that an attack similar to NotPetya is unlikely as part of the current conflict.
Firstly, one of the reasons that attack was so destructive was that it focused on software that was installed on machines located on the premises of Ukrainian businesses. The recent shift to cloud-based systems for similar software packages reduces the number of vulnerabilities to exploit and consequently reduces the level of risk.
Secondly, such sophisticated attacks require meticulous preparation and infiltration. This makes them very difficult to deploy in the short time frames demanded by military operations. In fact, data analysis of 1,841 cyber and 26,289 kinetic operations identifies only a very small number where attacks appear to be directly coordinated. This suggests that synchronisation is a bigger challenge than is often assumed. It also strongly indicates that a continuous use of sophisticated cyber-attacks would be unlikely during an on-the-ground operation.
Finally, there is also a question as to whether such large-scale attacks would deliver the objectives that they are designed to achieve. It is important to note that the spread of NotPetya to other territories (including Russia itself) was fundamentally accidental, and actually damaged Russia’s own economy and undermined the achievement of Russia’s wider strategic objectives. This means that such a tactic is unlikely to be repeated in the same way as part of the current conflict.
A Targeted Approach
So, if sophisticated and widely dispersed attacks are unlikely, what is the Russian cyber-strategy in Ukraine likely to be?
Our intelligence suggests that any cyberattack is likely to be much more localised within Ukraine, for instance seeking to achieve a large-scale network disruption. Such an attack would acutely hurt companies within Ukraine but would be designed not to spill over the borders. This was the model used by Russia both in Georgia in 2008 and in Ukraine itself in 2014. In these cases, Russia adopted targeted but relatively unsophisticated approaches such as DDoS attacks, defacement of strategic websites, and disruption of communication. We anticipate that it is these sorts of approaches that could be used to support or supplement on-the-ground military action in Ukraine.
However, Ukraine is anticipating such attacks and has received significant help from the US and NATO countries to strengthen its cyber-defences, reducing its vulnerability to attack. This is unlikely to eliminate risk entirely, but it does mean that the economic damage from any attacks is likely to be less severe than was experienced as a result of the Petya, NotPetya, and WannaCry ransomware attacks.
Understanding Russia’s Objectives
In seeking to anticipate Russia’s likely approach and tactics, it is vital to have a clear understanding of the potential short- and long-term goals that Russia is ultimately seeking to achieve through coordinated cyber-attacks alongside conventional military activity.
If the strategic goal is to discourage Western investment in Ukraine, which would starve the country of money, then the approach would be a low-level but sustained attack on investors’ interests. This could be masked as regular criminal activity or may even simply entail allowing cyber-criminals in the country to operate without interference.
An alternative strategic goal may simply use cyber as an additional tool to increase pressure on Ukraine. Building up troop numbers on the border is one way of achieving this, but if this tactic does not deliver the outcomes that Russia desires then they may increasingly turn to cyber approaches. Our expert sources indicate that Russian infiltration into Ukrainian IT systems is already a widespread problem in the country. This means that an operation to exert pressure through disabling key network infrastructure could be deployed in a very short timescale. The current defacing of Ukrainian government websites can be regarded as an early probing to see the response times and the reactions to a later, larger attack.
A third objective is simply causing disruption and chaos – almost as an outlet for anger that carries less risk than a ground invasion. This final objective has less to do with strategy and logic and more to do with finding a safe and relatively risk-free approach to signalling aggression and power.
One of the features that has characterised the international response so far, particularly from the US, is the willingness to speak very publicly about the emerging risks in the region. This tactic is partly intended to anticipate Russia finding a ‘pretext’ for aggressive military incursions into Ukraine.
Our analysis indicates that Western powers would be similarly willing to call out Russia on cyberattacks and to attribute those attacks to the Russian state or those acting on its behalf. Since the NotPetya attack, Western powers have been much more prepared to make such attributions for cyberattacks than previously. In part, this is because of the increase in the number and severity of Chinese and Russian attacks (both government-sponsored and by organised criminals).
This means that it is highly likely that if there were a large-scale cyberattack on Ukraine, the US and other NATO members would act swiftly in pinning the blame for such attacks on the Kremlin. This is a departure from the past where, if it happened at all, attribution often came late and was usually very limited – sanctioning individuals but not organisations or governments.
However, potential attribution of blame is unlikely to overly concern the Russian state apparatus. In fact, it may well be something that they welcome – both in applying pressure to Ukraine and in demonstrating to a domestic audience their emerging status as a technological as well as a military superpower.
Of more concern to Russia would be retaliatory cyber-attacks from the US or others (either directly or via indirect proxies). However, our intelligence suggests that such action remains relatively unlikely. That said, it cannot be entirely discounted. In making this decision, Western powers will also need to manage a wider series of risks. For instance, if Russian cyber aggression faces no consequences, then that sends a message to other nations with expansionist ambitions such as China (especially in relation to Taiwan). This could create future challenges for the West. US domestic voters may well also create pressure for action, although our analysts suggest that this is unlikely.
The more likely response to an attributed cyberattack would be the imposition of sanctions on key Russian individuals and organisations. This too carries potential risk for the West – opening up the possibility of an escalation that ultimately damages economies in Western Europe. In particular, Russia’s ability to retaliate by targeting energy supplies into Western Europe (for instance by stopping the flow of gas through the Nord Stream 2 pipeline) would have major consequences for European businesses and consumers.
Implications for Western Interests
Western companies with interests in Ukraine should already be taking steps to minimise and manage the risks that the recent escalation of tensions has created. These will initially be about ensuring that personnel are safe and that key assets are protected.
However, it is also vital that companies understand and plan for the disruption that likely Russian cyberattacks could cause to their interests, in both the short and long term. Our analysis indicates that these are much more likely to be in the form of collateral damage caused by network and infrastructure disruption than either a targeted attack on Western interests or the sort of contagion that we saw with the “escape” of the NotPetya cyber-attack.
Whilst such attacks are unlikely to be national in scale, our intelligence indicates that such a scenario has a high likelihood of happening locally (e.g. focused on a single region or city). Such attacks could be employed to apply pressure to Ukraine, particularly if other approaches do not deliver the strategic objectives that Russia is seeking, and would cause damage to business interests in the affected area.
These attacks are likely to lead to disruptions to key infrastructure such as energy distribution, water supply, transportation, and internet traffic. It is these sorts of disruptions that businesses active in the region should urgently be developing plans to address.
How Elicius Intelligence Can Help
Elicius Intelligence has assets on the ground in both Ukraine and Russia and unparalleled expertise in dark web analysis. This means that our experts can help any business with interests in Ukraine identify and mitigate the sorts of cyber threats that we are likely to see emerge in the coming weeks and months.