Predictive Analysis of Employing and Crowdsourcing Hacker Groups


Overview

Current trends seemingly indicate that Russia is in the midst of conducting damage and media control, psychological attacks, disruption of public order, and the pushing of false narratives and disinformation. Whilst Russia has been set back in its goals, it has only been 5 days into the conflict. Retaliatory aggression is a common theme that applies not just to Russian diplomacy but also to its conduct in conflict, both physically and in cyberspace. Sanctions and asset seizures are currently mounting, and the pressure on Putin is building; it is only a matter of time before the retaliatory measures threatened both before and during the conflict are taken.

The invasion was the last straw that broke the camel’s back, and as Russia will find it difficult to distribute its forces to attack Western and EU forces, it must rely on cyber attacks and cyber warfare to retaliate against its opposing forces. Putin’s long streak of unpredictable political behaviour has already come to a head, and no option can be ruled out. If the order to place nuclear deterrence forces on “special alert” has already been given, who is to say the extremes in cyberspace aren’t possible? This analysis will therefore look at identifying trends and provide a brief overview of anticipated future attacks and trends.

Enlisting Non State-Sponsored Groups

It is entirely possible that Russia will enlist and sponsor criminal groups outside the scope of its state-sponsored APTs. This is most likely truer for enlisting hacker groups that specialise in, or are financially motivated by, attacks on the financial industry, as currently identified Russian APTs are not known to have targeted the financial industry. Whilst speculative, it is not out of the question for Russia to conditionally release and employ cybercriminal gangs such as REvil (if it hasn’t done so already) in response to U.S. and EU-led sanctions. According to U.S. officials, Russia is known to tolerate and encourage cyber-criminal gangs; Putin refrained from neutralising REvil for a considerable length of time until Biden issued a warning in July 2021, and Russia has also established informal alliances and co-operation with non state-sponsored actors, such as the military mercenary group Wagner.

Adopting this frame of mind would thus call for hardening systems against the attack patterns and behaviour of these hacker groups. Of particular interest will be the employment of financially motivated hacker groups to target U.S. and EU banks on account of recently imposed sanctions.

Crowdsourced, Open and Co-operative Cyber Warfare

Plausible deniability seems to be a thing of the distant past. The pretense that largely veils attributable cyberattacks has been dropped. There are no precedent models of simultaneous hybrid warfare such that this is observably the first time cyber-attacks have been conducted openly in a modern warfare setting. The Ukrainian stance on this does not emerge as incriminating from a defensive perspective, which heralds a new chapter of cyber warfare.

Recent news shows Ukraine urging cyber professionals to congregate and volunteer towards concerted cyberattack and defence efforts. Ukrainian government cybersecurity contractor Cyber Unit Technologies was engaged by the Ukraine Ministry of Defense to lead the effort in building a cyber military force to help protect national critical infrastructure and, reversing roles, to mount cyber espionage missions on selected Russian targets. A few hours later, hacktivist group Anonymous also released a message declaring war on Russian government targets, as well as announcing crowdsourcing efforts to pool resources. They were actively looking to target Russian banking, transportation, military and energy infrastructure, whilst avoiding health and education-related infrastructure. These tactics are also present in the newly created Ukrainian cyber task force.

This highlights a unique form of hybrid warfare: the collective skills, tools and information of the community backed by the resources and knowledge of the government. Although it may sound strikingly similar to the concept of state-sponsored APTs, there are some notable differences. State-sponsored APTs would generally have tens, if not hundreds, of 0-day vulnerabilities at their disposal. It is only a matter of time before a government agency co-operates with and shares information on 0-day vulnerabilities with crowdsourced volunteer penetration testers, who collectively hold a significant amount of knowledge of systems, infrastructure and services. This is a heightened play in contrast to the already well-established collaborative efforts between criminal gangs, as witnessed in Crowdstrike’s Global Threat Report 2021.

Whilst not new, the conflict has also spread awareness of crowdsourced DDoSing, which extends requests for assistance to the wider non-hacker community beyond the geographical boundaries of the conflict. A notable example is disBalancer.

This mode of collaborative and open cyber warfare is not without its own issues and risks, of which Ukraine is seemingly aware. Collateral damage and spillover effects are guaranteed to occur, especially in an uncontrolled environment. Further to this, hackers and hacker groups left unchecked are volatile and unpredictable for two reasons that come to mind: vigilantism, and the fact that cyber operations are inherently escalatory. The likelihood of escalation is increased by historical disputes, and signals are easily misinterpreted. This is evident in the retaliatory altercation between non state-sponsored pro-Ukraine and pro-Russian hacker groups, such as GhostSec and Anonymous on the one side and Conti and Coomi on the other. As a case in point, internal conflicts have led to disagreement and ultimately a leak of conversations from the Conti Team.

The world is navigating murky waters in this new era. It may ultimately lead to a type of collective cyber attack force along the lines of a dedicated NATO cyber unit, with shared resources and knowledge between member countries. This follows the same line of thinking as collective defense for ICS, with Dragos, NSA and CISA recently joining the Neighbourhood Keeper program to view and contribute to shared insights.

You can follow updates and keep track of the timeline of events during the Russia-Ukraine conflict here.


All facts and links in this post are represented and referenced as accurately as possible. All views and opinions expressed are my own.