Infrastructure Attacks on Ukraine and its Western Allies may Precede an Invasion

Update: This just in from Reuters. Ukraine reports cyber attack on defence ministry website, banks

Three weeks before Vladimir Putin sent Russian troops into Georgia in August 2008, the Russian government launched a massive cyber attack. The first attack was a DDoS (Distributed Denial of Service) attack on the Georgian president's website. It succeeded in bringing the site down for 24 hours, but bringing the site down was not really the point. The point was to show how powerful the attackers were and to intimidate the Georgian government.

By coincidence (?), two days before Russia launched its all-out attack on South Ossetia, an explosion occurred on a pipeline that carries oil through Georgia. This pipeline, the Baku–Tbilisi–Ceyhan pipeline, had been opposed by Russia because it bypasses Russian territory and undermines Russia's control over the region's oil export routes. There is some disagreement as to whether this was a terrorist attack or a cyber attack. A cyber attack could cause an explosion by manipulating safety parameters (pressure limits, alarm thresholds) on the pipeline's control devices. That would be similar to the Stuxnet attack, which compromised the control systems driving Iran's nuclear centrifuges and eventually destroyed a large number of them. However, Stuxnet was not discovered until 2010. That said, Stuxnet-like malware had been in development in many countries since 2005, so the cyber attack angle can't be completely ruled out.

The physical invasion of Georgia coincided with numerous cyber attacks on Georgian government websites. News sites were also compromised and used to spread pro-Russian messaging. Servers in Georgia and other countries were taken over. If servers in other countries were hosting Georgian sites, they were taken down as well. This attack on the communication infrastructure, combined with the bombing of cell towers, quickly isolated Georgia from the rest of the world. News could only be disseminated by independent bloggers using foreign servers. The invasion itself was timed to coincide with the summer Olympics in Beijing. Putin likes to attack when the world's attention is directed elsewhere, and he seems to think the Olympics suit this purpose. He waited until the end of the 2014 Sochi Olympics to send troops into Crimea. The 2022 Winter Olympics are now in progress…just saying.

Russia already launched a cyber attack on Ukraine in January. Just as in the Georgia scenario, the purpose was to send a message and destabilize government websites. In fact, these attackers left an actual message on the defaced sites: "be afraid and wait for the worst". Microsoft believes the attack was more than it seemed on the surface. It reported that "the malware, which is designed to look like ransomware but lacking a ransom recovery mechanism, is intended to be destructive and designed to render targeted devices inoperable rather than to obtain a ransom." Microsoft concluded that this attack is far more extensive than has been reported and could be far more devastating. The malware overwrites the Master Boot Record (MBR), the first sector of the disk, so that the machine displays a ransom note instead of booting its operating system. The ransom note exists only to hide the true intention of the attack, which is to destroy the machine or network the malware is installed on; since there is no recovery mechanism, paying would achieve nothing. Microsoft also suspects the malware is lying in wait on multiple networks and will be triggered at the appropriate time.
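Because a wiper of this kind replaces the first 512-byte sector with note text, a defender who has captured a disk image can triage the boot sector without executing anything. The script below is an added example written for this post, not code from Microsoft's report or from the malware itself: it checks the 0x55AA boot signature, the sanity of the four partition-table entries, and the longest run of printable ASCII in the boot-code area, and compares the sector's SHA-256 against a known-good baseline. The two sample sectors, the 64-byte "text run" threshold and the note wording are constructed for the example and are not indicators taken from the real attack.

```python
"""Triage a 512-byte MBR for signs it was overwritten with a text note.

Added example for this post; the sample sectors below are constructed,
not captured from real malware.
"""
import hashlib
import string

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"          # last two bytes of a valid MBR
PARTITION_TABLE_OFFSET = 446           # 446 bytes of boot code, then 4 x 16-byte entries
# Genuine boot loaders only embed short strings ("Missing operating system"),
# so a long run of printable ASCII in the code area is a red flag.
# 64 is an assumed threshold for this example, not a published indicator.
TEXT_RUN_THRESHOLD = 64
PRINTABLE = set(string.printable.encode())


def longest_printable_run(data: bytes) -> int:
    """Length of the longest contiguous run of printable ASCII bytes."""
    best = run = 0
    for b in data:
        run = run + 1 if b in PRINTABLE else 0
        best = max(best, run)
    return best


def analyze_mbr(sector: bytes) -> dict:
    """Return structural checks on one boot sector; 'suspicious' is the verdict."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    code_area = sector[:PARTITION_TABLE_OFFSET]
    table = sector[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + 64]
    entries = [table[i:i + 16] for i in range(0, 64, 16)]
    # The status byte of a partition entry is 0x80 (bootable) or 0x00 (inactive).
    sane_table = all(e[0] in (0x00, 0x80) for e in entries)
    text_run = longest_printable_run(code_area)
    valid_signature = sector[-2:] == BOOT_SIGNATURE
    return {
        "sha256": hashlib.sha256(sector).hexdigest(),
        "valid_signature": valid_signature,
        "sane_partition_table": sane_table,
        "longest_text_run": text_run,
        "suspicious": (not valid_signature) or (not sane_table)
                      or text_run >= TEXT_RUN_THRESHOLD,
    }


def matches_baseline(sector: bytes, baseline_sha256: str) -> bool:
    """Compare a sector against the hash recorded when the host was known good."""
    return hashlib.sha256(sector).hexdigest() == baseline_sha256


def build_clean_mbr() -> bytes:
    """Constructed stand-in for a healthy MBR: non-text bytes, one bootable entry."""
    code = bytes((i * 73 + 17) % 256 for i in range(PARTITION_TABLE_OFFSET))
    entry = (bytes([0x80, 0x20, 0x21, 0x00, 0x83, 0xFE, 0xFF, 0xFF])
             + (2048).to_bytes(4, "little")        # starting LBA
             + (1048576).to_bytes(4, "little"))    # sector count
    table = entry + b"\x00" * 48                   # three empty entries
    return code + table + BOOT_SIGNATURE


def build_wiped_mbr() -> bytes:
    """Constructed stand-in for a wiped MBR: a note replaces the boot code.

    The boot signature is deliberately kept intact to show that checking
    0x55AA alone is not enough to notice the overwrite.
    """
    note = (b"Constructed note text: your hard drive has been corrupted. "
            b"Send payment to the address below to recover your data.")
    code = note.ljust(PARTITION_TABLE_OFFSET, b"\x00")
    return code + b"\x00" * 64 + BOOT_SIGNATURE


if __name__ == "__main__":
    clean = build_clean_mbr()
    baseline = hashlib.sha256(clean).hexdigest()
    for name, sector in (("clean", clean), ("wiped", build_wiped_mbr())):
        report = analyze_mbr(sector)
        report["matches_baseline"] = matches_baseline(sector, baseline)
        print(name, report)
```

Run against a real image with `analyze_mbr(open("disk.img", "rb").read(512))`; the baseline hash should be recorded from a trusted boot, because a wiper can leave the signature and partition table untouched and still make the host unbootable.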

And don't think that other countries, including the U.S., will be spared. In fact, the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and National Security Agency (NSA) recently issued a joint advisory warning of serious cyber attacks from Russia. Look at this from the Russian point of view. Will the U.S. worry about the infrastructure in Ukraine being destroyed when it has to deal with attacks on its own infrastructure? Yes, Russian malware is already in networks around the world. The Colonial Pipeline attack was perpetrated by a Russia-based ransomware gang (DarkSide). Yes, it's true that Russian law enforcement arrested members of the REvil ransomware gang in January, and U.S. officials linked one of those arrested to the Colonial Pipeline attack, but what punishment will they receive? Wouldn't it be far better for Putin to reach an agreement with these hackers under which they agree to work with government-affiliated cyberattack groups rather than spend useless time in prison? It's well known that many Russian ransomware groups are populated by government hackers who are looking to make some extra money on the side. How hard will it be to unite these criminals under one banner, especially now, when they may be needed in a massive cyber attack on Ukraine?

If past performance is any indication, Russia will begin its main attack by taking down Ukraine's communication network. They may blow up cell towers and take out parts of the electrical grid. They may stop all oil coming into the country or blow up relay stations. They are quite capable of launching cyber attacks that can shut down water supply and water treatment facilities. Combine all of this with disabling military communication networks and you have a country tossed into mass confusion, unable to respond to an invasion by tens of thousands of heavily armed troops. Russia could, if it so desired, seize the capital, Kiev, in a day or two. Once there, it could take over the media and disseminate propaganda. It will then likely install government officials who are sympathetic to Russia. It will all happen so quickly that the West can do nothing but wring its hands, condemn in the strongest terms, and declare sanctions. Emboldened by such a weak response, Russia may set its sights on Estonia or other Baltic nations.

Ukraine probably realizes that servers within its borders may be the first to be compromised and has presumably at least mirrored them on servers in other countries. It's possible that Russian intelligence knows all about this as well and has positioned itself to take out those servers if necessary. Little concern will be shown for people in those countries who may lose internet access because of such attacks. In fact, this may be part of Russia's plan. Confusion among NATO members and Ukraine's Western allies would make it impossible for them to mount any coordinated response.

And what will the U.S. do? Traditionally, the U.S. believes in proportionality. They are committed to the idea that any counterattack must roughly mimic the attack that they suffered. Russia, however, doesn’t play by this rule. As such, they can control the narrative. They are, thus, positioned to put the U.S. on the back foot, reacting rather than ‘proacting’. Make no mistake about it. The U.S. can easily match Russia in any cyber attack. They, too, have malware in Russia’s networks ready to deploy that could bring down Russia’s infrastructure and, in fact, they may even be able to deliver a more devastating blow. According to a 2021 report by the International Institute for Strategic Studies, the U.S. remains the world’s top cyber power.

Russia and other adversaries know not to push the U.S. too far. However, they continue to test the U.S.’s resolve. If they feel they can withstand any counterattack, they may be willing to take the risk.

Russian state-sponsored hackers were behind the SolarWinds supply chain attack on the U.S., whose trojanized update reached some 18,000 SolarWinds customers and led to intrusions into federal and state government agencies and private companies. So what did the U.S. do in response? In short, nothing. Oh, sure, it imposed some sanctions and publicly released information on the hackers, but, so what? Russia itself suffered nothing close to the millions of dollars in damages that American companies and government agencies suffered. The result? The same hacking group, Cozy Bear, is refining the supply chain tradecraft it used against SolarWinds, according to the cybersecurity firm CrowdStrike. You have to wonder how long it will take the U.S. and its allies to understand that waiting to react simply isn't working.

Cyber attacks on both sides have ramped up in the last few days. The U.S. released information on a false flag attack that Russia planned to stage in order to have a rationale for invading Ukraine. The fact that the information was released effectively ended this ploy, no doubt frustrating the Russian government and making them question how the U.S. learned of this plan. There are only two ways this was possible: They had an informant inside the Russian government or they were in the government’s networks. My guess is it would have to be the latter. They would not release such information if they had someone on the inside because it would endanger that person. On the other hand, releasing information they gleaned by being within the network would send a signal to the Russian government on how deeply their networks were compromised.

On the Russian side, Microsoft just released information on an extensive attack on Ukraine by the Russian state-linked hacking group it tracks as ACTINIUM (also known as Gamaredon). Microsoft observed that, for the last six months, this group has been "targeting organizations in Ukraine spanning government, military, non-government organizations (NGO), judiciary, law enforcement, and non-profit, with the primary intent of exfiltrating sensitive information, maintaining access, and using acquired access to move laterally into related organizations." In other words, all the architecture for a cyberwar is in place. The only question is whether it will be a world cyberwar or not. But heed the advice given in the CISA advisory and "enhance your organization's cyber posture." And that all starts here.
