Ukraine war sanctions could spur Russian cyberattacks on U.S., expert warns
As Russian tanks rolled into Ukraine last week, military and security experts anticipated both conventional warfare attacks — missiles, bombs, gunfire — and devastating cyber strikes targeting Ukraine's critical infrastructure as well as digital networks in allied countries.
Indeed, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a "shields up" alert well ahead of Russia's invasion of Ukraine on February 23, warning IT departments everywhere to monitor for suspicious activity that could disrupt their business or government operations. The technology consulting firm Wedbush affirmed the alert and issued a report warning U.S. financial institutions, enterprise data centers and logistics companies to prepare for Russia-directed cyberattacks.
Aside from a handful of denial of service attacks and wiper malware that deletes data, the Kremlin's formidable hacker army has remained relatively quiet since the invasion. But don't expect Russian restraint to last, said Chris Krebs, partner at the Krebs Stamos Group and former head of CISA.
As the West's economic sanctions intensify and damage Russia's economy, Krebs explained, "you may see retaliation where the Russian government says, 'Hey, you're hitting our banks, so we're gonna go hit your banks.' It could be different techniques or even different actors, outside of official agencies" like ransomware gangs.
"I think it's entirely possible that as the sanctions continue to ratchet down on the Russian economy you could see ransomware actors lash out in retaliation," says former CISA director @C_C_Krebs. pic.twitter.com/pRkyVLCJp7
— Dan Patterson (@DanPatterson) March 3, 2022
CBS MoneyWatch spoke with Krebs, who said Russian cyberattacks are not limited to Ukraine. "The internet has collapsed the spaces between us. So even though Ukraine seems very far away, every company should be on high alert." The interview below has been edited for clarity and brevity.
How might Russia target the U.S. with cyberattacks?
Chris Krebs: It's important to start off with the fact that there is no specific intelligence, as far as I know, to indicate any sort of attack is imminent. They're basing these advisories on a historic understanding of Russian cyber activity targeting the West. In Ukraine, they've gone after the power grid. In 2015 and 2016, the Russians disabled the electric grid in the dead of winter.
Russia has also used other techniques, including using software supply-chain attacks. For example, the Russians were able to exploit accounting software and tunnel their way into global businesses.
There's a lot of talk about 'cyberwar' right now. How real is this threat?
I think there's been a lot of mythology built up around a Cyber Pearl Harbor and a Cyber 9/11, trying to evoke images of exploding pipelines and buildings.
At this point in the Russia and Ukraine conflict, cyber as a military capability is obviously nowhere near the kinetic world with bombs. Cyber's not killing people right now. I think we need to step back, maybe take a deep breath about how severe and significant the threat is. There's no question that there's a risk, there's a threat. But obviously on the order of missiles and fighter jets and things like that, cyber is nowhere near that level.
But speaking to the broader attack surface — whether it's your phones, your computers, your servers, cloud-based software — those are things that a bad guy could exploit. That could mean stealing sensitive data including intellectual property, and it could mean locking up a network with ransomware.
The United States is a leading technology innovator, globally. And as a result, we are at the very tip of the spear in terms of connecting devices to the internet. I hear a lot of questions about how vulnerable we are. You know, everyone has some degree of exposure. I think the important question we have to ask is "how resilient are we?" Realistically, it's all about doing the best you can on the prevention and the protection side, but understand that everyone has bad days.
Importantly, how quickly can you spot, isolate and respond to security incidents? Can you continue to operate and perform critical functions? It's not about stopping every single threat.
There are reports by CBS News, the Associate Press and other news agencies that Russia has launched propaganda campaigns across social media. How resilient are U.S. social networks to disinformation?
I recognize some of the efforts of the social media platforms — Facebook, Twitter — that have increased their monitoring to identify campaigns and inauthentic behavior. This includes both covert, meaning they're attempting to look like someone else, and overt, where you have state media that posts information that's false. So, U.S. social networks have done a great job so far: Facebook last week announced they had identified covert activity where hackers based out of Belarus were trying to compromise government officials and journalist accounts in Ukraine, then take over those accounts and post fake videos and fake news of Ukrainian soldiers. So that's an example of these techniques being in play.
And you have another aspect, where the social media platforms are taking actions to reduce the viewership of RT and Sputnik, which are the two of the well-known, state-sponsored media outlets from Russia. Microsoft President Brad Smith last week announced steps that included de-ranking or delisting state media in Bing search results. These are important steps that technology firms can take.
What lessons should business and government agencies learn from this moment of heightened cyber activity?
Let's be perfectly clear: We are in uncharted territories. This is not a business-as-usual situation. I'm not sure that there are many companies that have well developed playbooks for an event of such geopolitical gravity as we're seeing right now.
You're seeing consumer brands really responding. Formula 1 canceled its Russian circuit. FIFA suspended Russia from World Cup participation in 2022. Same with Russia and Eurovision, the popular music show.
In terms of the hard infrastructure, security researchers and what I call ethical hackers are mapping out Russian supply-chain connections. If anyone is profiteering off war, they're going to get called out.
Business leaders should really be thinking long and hard about if you have any connectivity, what sort of engagement you have with Russia. I think the real responsible corporate leaders are making a move in support of Ukraine now, because history's going to judge all of us, one way or another. You want to be on the right side of history here.
What does the future of cyber conflict look like?
As Thomas Friedman says, the world is flat. The internet has collapsed the spaces between us. So even though Ukraine seems very far away, every company should be on high alert. We're connecting with the citizens of Ukraine on a very personal level. And so we need to be careful that we're also not falling prey to some of the disinformation that's flowing around.
It's not just the government agencies and it's not just the large companies that are potential targets of bad cyber actors. I think it's entirely possible that as the sanctions continue to ratchet down on the Russian economy, that you could see ransomware actors lash out in retaliation. There have been some indications that one group in particular said that if you attack us, Russia, we're going to respond; we're going to go after your critical infrastructure.
The challenge here is that the actors are not necessarily strategic. They're not necessarily going after just the people with money, or the organizations with money. They're opportunistic. And so, whether it's someone in New York City or it's someone in Omaha, Nebraska, if you're connected to the internet there is a degree of risk exposure.