Whether or not Russian President Vladimir Putin decides to invade Ukraine this winter, he has already achieved one of his goals — the ongoing destabilization of Ukraine, so that he may continue to leverage power in the region. As the world’s media reports on geopolitical tensions resulting from the crisis, most of the attention has been on troop buildups along Ukraine’s borders. But a serious cyberattack against Ukraine involving a “destructive malware operation targeting multiple organizations” has come to the attention of the world’s governments, regional bodies and the North Atlantic Treaty Organization.
Beyond the immediate chaos that a large cyberattack may generate, there are important reasons to be concerned. Ukraine has often been a test lab for Russian cyber capabilities that may be used elsewhere. Already this month, the United States, the United Kingdom and Canada have released warnings about Russian-backed actors targeting critical infrastructure in the West. In this sense, actions in Ukraine may pose a threat to other nations as Russia hones its arsenal against Ukrainian targets.
In this latest attack, preliminary research suggests that the malware has been disguised as ransomware but in reality damages computers by overwriting the master boot record and files. Researchers at Microsoft suggest that the attack was “intended to be destructive and designed to render targeted devices inoperable rather than to obtain a ransom.”
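The passage above describes the key technical behaviour: the malware presents as ransomware but overwrites the master boot record (MBR) rather than encrypting for profit. One defensive response is to record a hash of a host's known-good boot sector and periodically verify it, together with a few structural sanity checks on the MBR layout. The following Python script is an added example written for this page, not code from the researchers or the article's author; the sample boot sectors it inspects are constructed in memory, and reading a real disk's first sector (for example `open("/dev/sda", "rb").read(512)` on Linux) is an assumption that requires elevated privileges.

```python
import hashlib
from typing import Dict, List, Optional

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510-511 of a valid MBR


def record_baseline(sector: bytes) -> str:
    """SHA-256 of a known-good boot sector, to be stored off-host as the baseline."""
    return hashlib.sha256(sector).hexdigest()


def check_mbr(sector: bytes, baseline_sha256: Optional[str] = None) -> Dict[str, object]:
    """Inspect a 512-byte boot sector image and report structural and baseline deviations.

    The structural checks are generic to the MBR layout; the baseline hash check
    catches any rewrite of the sector, including one that keeps the layout intact.
    """
    issues: List[str] = []
    if len(sector) != SECTOR_SIZE:
        return {"ok": False, "issues": [f"unexpected sector length {len(sector)}"], "sha256": None}

    if sector[510:512] != BOOT_SIGNATURE:
        issues.append("boot signature 0x55AA missing")

    # Four 16-byte partition entries; the status byte is 0x00 (inactive) or 0x80 (bootable).
    for i in range(4):
        status = sector[PARTITION_TABLE_OFFSET + 16 * i]
        if status not in (0x00, 0x80):
            issues.append(f"partition entry {i} has invalid status byte 0x{status:02x}")

    # A bootstrap area that decodes entirely as printable text is a strong hint that
    # the sector was replaced with a message rather than with boot code.
    bootstrap = sector[:PARTITION_TABLE_OFFSET].rstrip(b"\x00")
    if bootstrap and all(32 <= b < 127 for b in bootstrap):
        issues.append("bootstrap area is entirely printable text")

    digest = hashlib.sha256(sector).hexdigest()
    if baseline_sha256 is not None and digest != baseline_sha256:
        issues.append("sector hash differs from recorded baseline")

    return {"ok": not issues, "issues": issues, "sha256": digest}


def build_sample_mbr() -> bytes:
    """Constructed known-good sector: a two-byte jump stub, one active Linux partition, signature."""
    bootstrap = bytes([0xEB, 0xFE]).ljust(PARTITION_TABLE_OFFSET, b"\x00")
    entry0 = (
        bytes([0x80])                        # bootable
        + bytes([0x01, 0x01, 0x00])          # CHS start (placeholder values)
        + bytes([0x83])                      # partition type 0x83 = Linux
        + bytes([0xFE, 0xFF, 0xFF])          # CHS end (placeholder values)
        + (2048).to_bytes(4, "little")       # LBA start
        + (1_000_000).to_bytes(4, "little")  # sector count
    )
    table = entry0.ljust(64, b"\x00")        # remaining three entries empty
    return bootstrap + table + BOOT_SIGNATURE


def build_tampered_sample() -> bytes:
    """Constructed sample of a sector whose contents were replaced by an ASCII note."""
    return b"Your hard drive has been corrupted.".ljust(SECTOR_SIZE, b"\x00")


if __name__ == "__main__":
    good = build_sample_mbr()
    baseline = record_baseline(good)
    # On a live host the image would come from the disk's first 512 bytes (root needed).
    for label, image in (("known-good", good), ("tampered", build_tampered_sample())):
        print(label, check_mbr(image, baseline))
```

The baseline hash must be taken when the host is known to be clean and kept somewhere the host itself cannot alter, since a sector rewrite that preserves a valid signature and partition table would pass the structural checks alone. On modern UEFI/GPT systems the equivalent check targets the protective MBR and the EFI system partition rather than legacy boot code.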
The discovery of the malware coincided with the defacement of Ukrainian government websites that displayed a message in Ukrainian, Russian and Polish suggesting the personal information of Ukrainians had been seized and that they should “be afraid and expect worse.”
At time of publication of this article, no culprit behind these incidents has come forward or been identified. However, much of the commentary has taken note of Russia’s long history of using cyber weapons against Ukraine. Foreign ministry officials in Kiev have suggested that “all the evidence points to Russia being behind the cyber-attack,” but have also pointed to cyber actors linked to Belarusian intelligence as being responsible for the website defacements that may have been used to cover the larger malware attack.
While technical analysis continues, the non-technical aspects (the intention of the malware to destroy, and the identity of the victim) are telling. Moreover, cyberattacks have been anticipated for months as tensions in the region have grown. Both the United States and the United Kingdom sent cybersecurity experts to help Ukraine prepare for such an eventuality in 2021.
But even if those behind the attacks turn out not to be Russia, a close ally or proxies it orchestrates, the history of Russia’s cyber activities, often aimed at bolstering its military efforts or at sending a less-than-diplomatic message of displeasure, is useful for thinking through what could befall Ukraine in the days and weeks ahead.
For example, Russia used large-scale distributed denial of service (DDoS) attacks against Estonia after the latter took actions Russia deemed discriminatory against the former Soviet republic’s Russian-speaking population. In 2008, a similar large-scale DDoS attack was launched against Georgia, effectively taking the government offline. This was part of a larger military operation to degrade Georgian communication systems. The resulting Russian information dominance helped establish the first and prevailing narratives of the conflict. It also prevented Georgians from communicating with one another, with the aim of generating a sense of helplessness. Ukraine has also suffered a number of DDoS attacks, believed to be from Russia, since 2014.
But Russia has also experimented with attacks that go beyond denying access to information, to seeking to destroy information entirely. After France decided against selling military ships to Russia in 2015, Russian hackers were alleged to have carried out a widespread cyberattack that sought to destroy the computer network of French television broadcaster TV5Monde. Importantly, the attack was conducted under the guise of an Islamic State “Cyber Caliphate,” likely to create confusion and heighten fear. In 2016, “Russian nation-state cyber actors” launched a major cyberattack against Ukrainian critical infrastructure, which targeted the supervisory control and data acquisition systems of the power grid.
And although ransomware is often considered a form of cybercrime, Russia has weaponized such techniques against Ukraine. In 2017, Russian hackers used NotPetya ransomware to disrupt financial software used in key Ukrainian institutions. Employing two powerful exploits, the ransomware attacked vulnerable computers and was designed to spread quickly within and across networks. The attack brought down banks and pharmaceutical and shipping companies and is believed to have cost its victims more than US$10 billion.
The NotPetya attack stands out as an example of how a state can combine crime and cyberattacks for the purpose of engaging in clandestine foreign interference. Such attacks are relatively cheap to conduct but financially devastating for their victims. These costs are entailed not only in paying ransom, but also in the hiring of professionals to stop the attacks and replace IT equipment and in lost productivity while systems are down. More importantly, NotPetya furthered Russia’s goals of the continued destabilization of Ukraine.
Moreover, ransomware — often viewed through the lens of crime — can hide other strategic purposes, such as destroying computer networks vital to the functioning of a country. Additionally, there is the potential to encrypt and exfiltrate large amounts of information about a country or its citizens. This may include data from hospitals, law firms, banks and universities.
There are several takeaways from this history. First, because cyberweapons are relatively cheap and accessible tools, it is almost certain that Russia will continue to use cyberweapons either to support an eventual invasion or in efforts to destabilize Ukraine. Additionally, Russia continues to use proxies in sophisticated ways — either sanctioning their behaviour, because doing so suits its geopolitical ends (as with recent ransomware campaigns), or in attacks orchestrated with them. For this reason, we should not take recent news that Russia arrested members of a notorious ransomware gang, REvil, as an indication it will be taking a stronger stance against cybercriminal activity emanating from its territory any time soon.
For Western countries, it is clear that the threat does not end with Ukraine. Some intelligence services assess that Russian use of such tools will increase in the event of hostilities. Providing cyber defence assistance to Ukraine will help develop defences against aggressive malicious cyber campaigns.
Russian cyberattacks should be understood as a menacing form of diplomatic language employed against states deemed to have crossed Moscow. Russian cyberattacks have become as much about generating fear as about any other objective. While these cyberattacks fall short of an armed attack, they can cause great damage and confusion, and they do violate international law.
It is unlikely that “active” or offensive cyber will solve this problem. Rather, states that oppose such measures must work together to use a range of diplomatic and law enforcement tools, including naming-and-shaming and criminal indictments of proxy gangs, to defend international norms.