Wiper Malware in Ukraine Ties to Summer 2021 IntrusionsNo Attribution for Attack, But White House Warns Russia Is Running Active Measures
When it comes to cyber intrusions launched by one nation-state against another, where's the red line?
Multiple systems at two Ukrainian government agencies were infected by wiper malware disguised as ransomware, as Microsoft first warned Saturday. Two days prior, on Jan. 13, a number of Ukrainian government websites were defaced, possibly in a coordinated effort, and displayed messages warning Ukrainians to "be afraid and expect the worst."
Neither attack has been attributed to any group or nation-state. Ukrainian government officials in Kyiv say early signs point to Russia, possibly working with ally and fellow NATO critic Belarus. Attribution, however, always carries a caveat: When a government casts blame for an attack, it does so for political purposes.
But this cyber malfeasance certainly fits a previously seen pattern. Indeed, the Russian government has deep experience running information warfare efforts or "active measures" that experts often refer to as 4D campaigns - for dismiss, distort, distract and dismay.
In terms of potential "dismay" tactics being practiced by Russia, the infecting of the Ukrainian government websites ties to intrusions that began not last week, when the malware first appears to have been spotted, but rather last summer, says Matt Olney, director of threat intelligence and interdiction at Cisco Talos.
The firm has now traced "attacker access to government networks with the wiper malware as far back as late summer 2021," Olney says. "The wiper malware was deployed several months after initial access was secured, depending on the network."
Spike in Cyber Activity
Timing-wise, Russia's troop buildup began early last year. On March 31, 2021, "U.S. European Command raised its awareness level to 'potential imminent crisis' in response to estimates that over 100,000 Russian troops had been positioned along its border with Ukraine and within Crimea, in addition to its naval forces in the Sea of Azov," the Center for Strategic and International Studies reported at the time.
Moscow's threat to invade has obviously continued. Last month, however, cybersecurity experts warned that they were seeing a significant increase in online intrusions targeting both government and civilian networks in Ukraine, emanating from Russia.
Moscow has denied being behind any online attacks targeting Ukraine.
But the Russian government - and other nation-states, no doubt including the U.S. - also prepositions code on foreign critical infrastructure systems, to give them the ability to access those systems during times of conflict, to support military or intelligence aims.
U.S. cybersecurity officials have previously warned that Russian nation-state attackers have a proven ability to infiltrate networks and remain undetected for long periods of time.
Western officials have also long warned that Russia has a propensity for reckless behavior. That includes a predilection for "live testing things," not least in Ukraine, Robert Hannigan, the former head of the Government Communications Headquarters, which is the U.K.'s signals intelligence, cryptographic and information assurance agency, has said.
Previously, for example, attacks attributed to Russia shut down power to parts of Ukraine in the dead of winter in 2015 and 2016. Russia has also been blamed for launching the devastating NotPetya wiper malware outbreak, which was disguised as ransomware, and which destroyed systems worldwide, causing $10 billion worth of damage.
Indicting Alleged Foreign Hackers
The U.S. Department of Justice in October 2020 indicted six Russian military intelligence agents for perpetrating the 2017 NotPetya campaign that initially targeted Ukraine, as well as many other attacks, including attempting to interfere in U.S. and French elections.
"No country has weaponized its cyber capabilities as maliciously or irresponsibly as Russia, wantonly causing unprecedented damage to pursue small tactical advantages and to satisfy fits of spite," John C. Demers, then the assistant attorney general for national security, said in 2020, when the indictments were unsealed.
But the suspects remain at large and are unlikely to ever appear in a U.S. courtroom, since Russia never extradites its citizens.
What's notable is that none of those attacks triggered a military response, but rather are being treated as criminal matters.
Threat of Military Conflict Remains High
In terms of the military threat to Ukraine now posed by Russia, unfortunately, the situation appears to be deteriorating, says Hugo Crosthwaite, lead analyst for Eurasia at private security intelligence firm Dragonfly, which is the former intelligence and analysis practice of U.K.-based The Risk Advisory Group consultancy.
"A Russian invasion of Ukraine is a likely scenario in the coming weeks," Crosthwaite says. "There have been several military and diplomatic developments that point to a sustained severe interstate conflict risk, including Russian troops deploying to Belarus and further efforts by the Kremlin to create a pretext for an attack."
Many experts believe that Russian President Vladimir Putin would not order an invasion to advance as far as Ukraine's capital of Kyiv in the northern-central part of the country but rather would push forces into the east, up past the Crimean Peninsula, which has been occupied by Russia since 2014. Putin has said he wants to create a buffer, given Ukraine's stated intention to join NATO.
U.S. President Joe Biden, in a Wednesday press conference, said his administration is continuing to track disinformation efforts by Russia aimed at building its case for invading, including via clandestine Federal Security Service - aka FSB - and other intelligence agents. "They have FSB people in Ukraine now trying to undermine the solidarity within Ukraine about Russia and to try to promote Russian interest," he said.
On Thursday, the Treasury Department sanctioned four Ukrainian individuals, including two Ukrainian Members of Parliament, that it said had been recruited by the FSB and were "engaged in Russian government-directed influence activities to destabilize Ukraine."
"This action is intended to target, highlight and undercut Russia's ongoing destabilization effort in Ukraine," said U.S. Secretary of State Antony J. Blinken of the sanctions. "In 2020, Kremlin officials launched a comprehensive information operation plan designed in part to degrade the ability of the Ukrainian state to independently function; the individuals designated today played key roles in that campaign."
How to Respond to Cyber Conflict?
How to respond to cyber incursions as Russia threatens to further invade Ukraine, however, remains an open question.
"You can be a little bit cyber in a way you can't be a little bit nuclear," as Ciaran Martin, Britain's cybersecurity czar from 2014 to 2020, has said.
In his Wednesday press conference, Biden said that "Russia will be held accountable if it invades," but said what form that might take remains to be seen. "It depends on what it does," he said. "It's one thing if it's a minor incursion and then we end up having a fight about what to do and not do."
Pressed by a reporter about what might trigger a response, Biden suggested it would be proportional, even in the event that Russia didn't move major military forces over the border. "If they continue to use cyber efforts, well, we can respond the same way, with cyber," he offered as one example.
Biden's remarks are now being viewed as a political flub because he highlighted disagreement between NATO members about how they might respond in the event of a "minor incursion."
Appearing Thursday on NBC's "Today Show," Vice President Kamala Harris attempted to reframe the answer. "The president of the United States has been very clear, and we as the United States are very clear: If Putin takes aggressive action, we are prepared to levy serious and severe costs. Period," she said.
But do NATO members count cyber incursions as aggressive action? If so, how much cyber is too much cyber? These and other questions, not for the first time, remain difficult to answer, even as Moscow appears to be actively testing the limits.