Bracing for Cyber War: The Global Ramifications of Rising Tension Between Russia and Ukraine
In January of 2022, the Ukrainian government accused Russia of launching a cyber attack on dozens of government websites. Before the sites went offline, a simple warning message appeared: “Be afraid and expect the worst”. Although access to most of the sites was restored within hours, some experts have suggested that this was a hybrid operation, combining the ongoing military conflict with coordinated cyber threats from non-state actors. Experts suggest that the overall goal was to influence or destabilize Ukraine, using the anonymity of the internet to support the agenda of the Russian government.
In a world of internet-connected countries, nation states and communities, cyber crime is the perfect weapon of anonymity. Cyber attacks can take down a city’s power grid or poison its water supply in seconds, with ripple effects that can carry on for years, similar to the devastation of a natural disaster. Recent Russian cyber attacks on Ukraine suggest that digital conflict will only increase and is likely to expand to the United States and Europe in the days to come.
Ghostwriter: Cyber Warfare Against NATO
Several cyber espionage actors have been working to inflict disruption on North Atlantic Treaty Organization (NATO) members and supporters. In July of 2020, these threat actors began an ongoing campaign titled “Ghostwriter” supporting cyber-enabled influence operations in Ukraine. The cybersecurity firm Mandiant Threat Intelligence released evidence revealing that a group known as UNC1151 has been linked to Ghostwriter activities, likely including the 2022 attack on Ukraine’s government websites.
Ghostwriter has continuously demonstrated that its goal is cyberwar against NATO. It has targeted Eastern European NATO members and sympathizers such as Poland, Lithuania and Latvia. Make no mistake about it: these efforts are full-on cyber espionage and include monitoring social media accounts, compromising websites and email spoofing. The entire effort appears to focus on supporting Putin’s anti-NATO campaign.
While some may see these threats as idle, the combination of cyber conflict and military action threatens a large-scale invasion. Russia continues to deploy even more troops to the borders of Ukraine. Many believe Putin may want to take control of the shale deposits in Ukraine in light of the sanctions that are slowing down new pipeline developments between Russia and Europe (Nord Stream 2). In short, Russia sees Ukraine as a way to maintain its economic standing, which depends on supplying gas and oil to Europe.
Although cyber warfare has escalated in recent years, Ukraine is no stranger to these attacks. As we take a deep dive into this intricate timeline, including Russia’s potential cyber retaliation against the United States, the need to implement cybersecurity in the Industrial Control Systems (ICS) and Operational Technology (OT) networks of critical infrastructure and organizations alike will emerge as critical.
Losing Power: Previous Russian-Based Cyber Attacks
In December of 2015, a non-state threat actor named Sandworm conducted a cyber attack that disrupted multiple power suppliers in Ukraine, leaving around 230,000 people without electricity for one to six hours. This attack directly impacted the production of Ukraine’s Olesska shale gas deposit, a natural resource Ukraine was planning to put into production to reduce its dependency on Russia.
In 2016, a report from FireEye revealed that, on top of destroying computers and causing a Distributed Denial of Service (DDoS), the threat actors were able to open or close power system breakers by using compromised passwords. An OT-targeting malware called BlackEnergy3 was utilized during the attack, and the Department of Homeland Security (DHS) traced the malware family back to events as early as 2011. The threat actors used the malware to steal credentials (usernames and passwords) for Supervisory Control and Data Acquisition (SCADA) systems; from there, their knowledge of the poor security practices in place allowed them to simply turn the power off.
This explains the ease of the 2015 cyber attack: the malware had already been developed, backdoors identified and credentials compromised. The threat actors were using the third installment of the malware, BlackEnergy3, together with KillDisk. The first iteration, BlackEnergy, was used to conduct DDoS attacks. BlackEnergy2 was then upgraded to steal credentials in OT environments. Finally, BlackEnergy3 took down not one, or two, but three Ukrainian power companies in the 2015 attack.
Although there was some fair warning that the attacks would occur, Ukraine’s power companies were defenseless. Each of the attacked power companies was left restoring its systems manually, a recovery that took months, making this an effective cyber attack by suspected Russian-based threat actors.
Gas Tug-of-War: Russia and the EU
So why is Russia currently executing cyber attacks against Ukraine? Even today, Ukraine is heavily reliant on Russia for energy supplies, including much-needed gas. Because of this reliance, whenever Ukraine has looked towards the EU, Russia has historically cut gas supplies temporarily, with crippling effects.
Ukraine was striving to become more self-sufficient and, while doing so, discovered massive amounts of shale oil and gas in the country. The deposits were estimated to be the third-largest in Europe. They caught the eyes of Royal Dutch Shell and Chevron, which meant that the reliance of not only Ukraine but also the rest of Europe on Russian gas supplies was threatened by non-Russian companies. In addition, Russia’s major pipeline (Yamal) supplying Europe runs through Ukraine. If these deposits were produced, Ukraine would rely far less on Russia for gas and Russia would no longer be able to exert as much leverage to prevent Ukraine from joining the EU.
In response, Russia employed military force to halt this production through the annexation of Crimea and by increasing its military presence in eastern Ukraine, the Black Sea and at the border. This alarmed NATO, as Russia’s military build-up and strategic disruption of energy development persisted, including the 2015 cyber attack by Sandworm in support of the Russian agenda.
As previously mentioned, those cyber attacks disrupted the power grid, halting the shale mining and fracking opportunities in Ukraine at the time. Russia effectively neutralized the Ukrainian threat to its economy and retained its hold on gas supplies to the rest of Europe.
Ukraine Cyber Attacks: Lessons Learned
In both the 2015 and 2022 attacks, non-state threat actors conducted cyber attacks that were directly aligned with the Russian state agenda at the time. Based on previous lessons learned, one thing is almost certain: the objectives and outcomes of everyone involved will likely be decided in cyberspace.
This highlights the United States’ role in this ongoing equation. As NATO and President Biden send military supplies to Ukraine in defense against Russian threats, it is not unreasonable to suggest that U.S. energy providers could become targets of these same types of cyber attacks. In response, the Department of Homeland Security (DHS) has announced that the US must be prepared for an all-out cyber conflict this year.
We know that cyber attacks often bring the problem of attribution: years may pass before we know whether any critical infrastructure has been compromised. In 2021, Russian cyber threat actors were able to conduct major cyber attacks with very little effort against companies like Colonial Pipeline and JBS food packing. To better protect your organization against these types of cyber threats, we advise taking action sooner rather than later and being prepared to protect, defend, respond and recover from your next cyber incident.
Why SWOT24?
We're the Experts
SWOT24™, OT Cybersecurity by ABS Group, provides a comprehensive portfolio of OT cybersecurity consulting, implementation and risk management services. We help organizations like yours identify and mitigate critical cyber threats in real time. We focus on stopping the bad guys so you can focus on what really matters: Your Operations.