Businesses are on high alert following Russia’s invasion of Ukraine in February. As the conflict began, many experts predicted Russia would unleash a significant cyber attack on Western businesses. Others warned organisations they could become collateral damage in a devastating Russian cyber assault similar to the infamous 2017 NotPetya attack.
Russian activity, so far, has been limited to minor distributed denial of service (DDoS) attacks, but that’s not to say bigger and targeted cyber assaults won’t take place. In March, US President Joe Biden warned businesses in critical sectors to be on alert amid the growing Russian cyber threat. The National Cyber Security Centre (NCSC) also recently warned that wiper malware, known as HermeticWiper, was in use against Ukrainian organisations. This, too, has the potential to impact firms outside the country.
A report from Forrester, meanwhile, says every organisation must prepare for a “new era of cyber threats” as a result of Russia’s invasion of Ukraine. Indeed, CISOs from every industry must prepare for increased cyber attacks and cyber espionage, according to the analyst house. So what is the real cyber security threat to UK organisations from Russia, and how can businesses prepare amid an uncertain economic and cyber security landscape?
Threats to the West
Russian cyber attacks on the West are nothing new, and the country has been active in the cyber landscape for many years. Incidents attributed to Russian state-sponsored adversaries include attacks targeting the electrical sector in Ukraine in 2015 and 2016, the NotPetya incident in 2017 and the SolarWinds hack in 2020.
Attacks perpetrated by Russia tend to be geopolitical in motivation, says Ciaran Martin, professor of practice in the management of public organisations, Blavatnik School of Government. He cites examples of Russian operatives spying on critical infrastructure in 2018 and electoral interference during the 2016 US election.
Russian cyber attacks often include DDoS and ransomware, but its state cyber capabilities are a mixture of intelligence and military, says Martin. “They are tightly controlled and very capable. Some of it is used exclusively for spying, and that is sophisticated. The more disruptive stuff is also generally highly sophistication too, because the hackers need to lurk for ages to develop their plans. The ransomware criminals don’t work for the state but they are tolerated by them; otherwise they couldn’t operate. They are much less sophisticated technically, but well organised.”
Although not directly related to the conflict, the NCSC has warned businesses about a new malware called Cyclops Blink attributed to the well-known Sandworm threat actor linked to the GRU, the Russian intelligence service. “This sheds light on the evolution of Russia’s cyber capabilities,” says Daniel dos Santos, head of research at Forescout, Vedere Labs.
Quantifying the cyber risk
It hasn’t happened yet, but one obvious risk as the conflict continues is that Western networks are unintentionally impacted as part of Russian attacks against Ukraine – as seen in the NotPetya attack.
Even so, there’s no need to panic, Ian Thornton-Trump, CISO at cyber security firm Cyjax says, adding there’s minimal chance of a “mass replicating, zero-day exploit with a destructive payload” being launched. “I think there’s restraint on Russia’s part because NATO has made it very clear they would invoke Article 5 if there was a significant Russian attributed cyber attack. Putin does not want to take on NATO in a cyber war, or a kinetic one.”
This has been evident so far: Russian cyber attacks have been basic and dealt with very quickly. “While cyber attacks have happened, most have been unsophisticated DDoS and there hasn’t been anything that would fit into a cyber war level,” says Philip Ingram, MBE, a former colonel in British military intelligence.
Since the start of the conflict, the cyber threat landscape has been “suspiciously quiet”, says Jamal Elmellas, COO at Focus-On-Security. “The only attacks have been DDoS – which are rudimentary and not sophisticated. In the past, we thought Russia would use cyber as a softener in physical warfare – for example, cripple Ukraine’s grid and then go in with tanks.”
Despite the lack of major cyber action so far, some industries are at more risk of attack than others, especially those that operate in critical national infrastructure (CNI) such as energy firms or financial services. Sectors affected by Western sanctions could be at a heightened risk of being targeted by retaliatory cyber attacks, says Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows.
Elmellas thinks Russia could target organisations helping the Ukrainian army, such as defence or military-linked firms. “Those businesses would be more at risk than before. Russia might try to cripple certain key systems.”
Further down the line, Russian cyber criminals could up the ante and conduct financial-based attacks on cryptocurrency to “try and prop up the economy and circumvent the severe financial sanctions”, says Thornton-Trump. “My prediction seems to fall in line with how increased financial sanctions and trade restrictions directed the response of Iranian and North Korean threat actors.”
How can businesses protect themselves?
As a result of the conflict, the NCSC says all UK organisations should bolster their online defences and follow its guidance on steps to take when the cyber threat is heightened. This includes basic steps such as patching, putting incident response plans in place and ensuring backups.
Overall, it’s important not to panic while at the same time being aware the Russian threat is out there, but it’s not the only country active in the cyber space. The main cyber powers to be aware of are China, Russia, Iran and North Korea, which each have their own aims and agendas.
Taking this is into account, should businesses pay any more attention to Russian-sourced threats than others? In the short term, some firms should, says Martin. “Critical infrastructure, for example, should be on higher alert,” he advises. In the long run, though, he says this isn’t necessary. “There are loads of threat actors out there.”
Thornton-Trump concurs. “I think it’s very short-sighted to only pay attention to Russian threats, as crime and criminal actors are not exclusive to Russia. Like most things in cyber defence, an intelligence-led risk-based approach is required.”
If businesses are involved in military or CNI they should invest in DDoS prevention, says Elmellas. At the same time, he says: “All companies should be making sure they invest in their infrastructure. Check everything is up to date and most recent patches are applied.”
