The Ukraine Cyber Crisis: We Should Prepare, But Not Panic
Mandiant
Written by: Sandra Joyce
As the situation in Ukraine unfolds, the prospect of serious cyber attacks has captured the attention of cyber intelligence professionals like myself and the many organizations we work with in both the public and private sectors. Concerns are reasonable and valid; Russia has a well-established history of aggressively using its considerable cyber capabilities in Ukraine and abroad. We are concerned that as the situation escalates, serious cyber events will not merely affect Ukraine. But while we are warning our customers to prepare themselves and their operations, we are confident that we can weather these cyber attacks. We should prepare, but not panic, because our perceptions are also the target.
Russia has twice turned off power to Kyiv in the middle of winter, it has carried out a global destructive attack that froze global shipping and vaccine production, and it has even fielded tools to target critical infrastructure technology that could have fatal consequences. The U.S. and Europe have seen wave after wave of attempts to burrow into our sensitive critical infrastructure, attempts we believe were designed to prepare for a scenario such as the crisis that is unfolding in Ukraine today. Without a doubt, the threat Russia poses is serious, especially for the defenders tasked with protecting their networks from some of the most formidable intelligence services on the planet.
This isn’t just a Ukraine problem. In fact, we believe that after attacking U.S. and French elections, Western media, the Olympics, and many other targets with limited repercussions, Russia is emboldened to use its most aggressive cyber capabilities throughout the West. While Russia is unlikely to engage the West in combat, these tools give it the means to compete aggressively with others without risking open armed conflict. Should the U.S. and its allies deploy sanctions in the event of a full invasion, this risk only increases.
We are imploring our customers and community to prepare for disruptive and destructive attacks, similar to those that have recently transpired in Ukraine. We are concerned about scenarios like a destructive attack that leverages broad access gained through the software supply chain, or by other means, to reach multiple networks simultaneously. Even an automated, simplistic data wiping attack at this scale could have serious consequences for public and private networks; but those consequences are not a foregone conclusion. Many of the same steps defenders might take to harden their networks against ransomware crime will also serve to prepare them for a determined state actor, if they take those steps now.
Cyber attacks can be costly for individual organizations and may even seem frightening to some, but their real target is our perceptions. The purpose of these cyber attacks is not simply to wipe hard drives or turn out the lights, but to frighten those who cannot help but notice. The audience of these attacks is broad, but it is also empowered to determine how effective they are. While these incidents can be quite serious for many, we must remain mindful of their limitations. We only do the adversary a service by overestimating their reach.
Destructive and disruptive attacks are adjacent to other tools of influence. Some of the very same actors who carry out these cyber attacks also carry out hack and leak activity or promote false narratives. All of these operations have the same effect; they corrode and undermine institutions by spreading doubt and uncertainty.
Within the context of this crisis, we will have to be careful consumers of information, alert to the possibility of active measures designed to fool us. The media will also be especially challenged: they will be asked to shed light on active measures while adversaries simultaneously attempt to use them to launder their narratives and content.
Russia, seeking to maintain the illusion of parity with others, will lean on asymmetric tools like its cyber capabilities in this crisis. Unfortunately, these tools are already being used, and this is likely to continue. Fortunately, they are unlikely to seriously escalate the situation, because they are limited. With this in mind, we should prepare without succumbing to paranoia, and remain mindful that, when it comes to cyber attacks, the bang is often worse than the blast.