Russia may still be holding off its most powerful cyber weapons, since such attacks add little to the already ongoing “hot war.” Furthermore, using them could expose Russia’s “cutting edge capabilities,” U.S. cyberwarfare specialist and former U.S. Cyber Command lead Christian Sorensen told the Security Ledger in a podcast over the weekend.
“Two Weeks in, We Have Yet to See”
Even before the Russia-Ukraine conflict developed into a full-blown war, Ukraine’s government was already reporting cyberattacks on its computer systems, networks and websites. Now, two weeks later, the cyberwar “unanimously” predicted by “Western experts” has yet to materialize. “But that doesn’t mean cyber is off the table,” The Security Ledger said. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has launched its “Shields Up” program in anticipation of such events; it aims to prepare organizations of all sizes to respond to disruptive cyber activity. With soldiers and tanks surrounding major Ukrainian cities, Russia’s “objective is clear,” Sorensen said, although cyberattacks “may come to play a more important role down the line — including against Ukraine’s Western Allies.” “They are [still] achieving their objectives the traditional way,” Sorensen added.
What Have Cybersecurity Experts Learned so Far?
Cybersecurity experts have now realized that “Twenty-first-century cyber attacks, relatively, have taken a back seat to the 20th century’s planes, bombs and bullets.” In a heightened threat environment, the question of whether cyberwar is “on simmer in Ukraine” cannot be answered at this point, though there may be “things we are not seeing,” Sorensen said. The U.S., as a major target, needs to do everything it can to protect itself. Keeping backups, so that organizations can recover from ransomware and quickly resume operations if disrupted, and rehearsing threat scenarios ahead of time to build cyber resilience are key factors, Sorensen said.
The Wiper Viruses
One current example of sophisticated offensive cyber tools is wiper malware — HermeticWiper and IsaacWiper. In late February, just before the start of the crisis, destructive campaigns that included HermeticWiper, HermeticWizard, and HermeticRansom were already targeting Ukrainian organizations, supplementing the ongoing DDoS attacks. These viruses include “anti-forensic” capabilities: they wipe themselves from the disk, leaving no trace. Furthermore, the malware developers managed to sign these viruses with a DigiCert certificate acquired by impersonating a Cypriot company. Last week, new and improved forms of wiping malware such as IsaacWiper were detected by ESET. At present, wiper attacks are ripping through Ukraine, targeting local financial institutions and government entities.
The “Pucker Factor” is High Right Now
This is the “first-ever hybrid-war that bridges both the physical and online realms,” Ukrainian cybersecurity specialist Viktor Zhora said today. Hybrid war is when cyber-kinetic attacks target cyber-physical systems (CPSes) hosting critical infrastructure and other sensitive data, supplementing real-world war. High-profile cyber weapons such as wipers, and others like Petya in 2017, could be in the works. “The pucker factor is high,” remarked Sorensen. Ukraine was targeted by the Petya viruses in an attack felt around the world in June 2017, after which NATO helped set up the NATO-Ukraine Platform on Countering Hybrid Warfare and the Cyber Defence Trust Fund. With so many “false positives” right now, it is difficult to ascertain whether sophisticated cyberweapons will spread globally; however, organizations in the U.S. and allied countries that have IT operations in, or connections with, Ukraine have been advised to isolate those pathways as a precaution.
U.S. Cyber Command’s Thoughts
“We are witnessing history and at the same time creating history.” The U.S. versus Russia is “spy versus spy, what they do versus what you do,” Sorensen remarked. Organizations that could be on the “hit list” are those in industries with ISACs, as well as U.S. government entities such as the DHS (Department of Homeland Security). Phishing schemes and website compromises are prevalent and will continue to be present during this crisis, Sorensen said. Experts will have to watch whether new techniques emerge, which means “keeping pace of the drumbeat,” Sorensen added.