Since the Russia-Ukraine conflict broke out, war on the ground has been brutal and catastrophic. Cyber warfare has been comparatively insignificant, and projections about mass online shutdowns have not materialised.
However, there has been some intervention from hostile state actors. Just last week, the Foreign, Commonwealth and Development Office (FCDO) announced that Russia was “almost certainly” behind a major cyber operation targeting the US commercial communications and internet satellite company Viasat, which happened an hour before the invasion on 24 February.
After months of analysis, the UK government’s National Cyber Security Centre (NCSC) has now attributed the hacks to the Russian state. While the primary target was the Ukrainian military, the attacks also impacted Ukrainian Viasat customers, and caused disruption to wind farms and internet users across central Europe. Additionally, the NCSC has ascertained that Russia was also behind an earlier attack on the Ukrainian government on 13 January, which involved defacing government websites and the deployment of destructive malware.
Interestingly, global sanctions on Russia have caused ransomware attacks to decrease since March, noted Rob Joyce, cyber security director of the US National Security Agency (NSA), at the NCSC’s CyberUK conference in Wales this week. Sanctions have made it harder for criminals to organise attacks and move money in the West, he said.
But cyber threats do not only come from hostile states. Speaking in a panel discussion, Joyce highlighted the rise of cyber vigilantes – lone actors on both sides of the conflict who are taking matters into their own hands to infiltrate and destroy their enemy’s systems.
While activism in support of Ukraine might seem commendable, Joyce warned that such an approach is not conducive to ethical behaviour. “You want to sit back and root for the folks who are trying to do noble things but it is problematic,” he said. “We are trying to hold bad actors accountable in other nations [and] we have to be good international citizens in the cyber arena.”
Abigail Bradshaw, head of the Australian Cyber Security Centre (ACSC), said that roughly 300,000 hacktivists related to the Russia-Ukraine conflict have been identified so far, and added that the extent of cyber vigilantism has “taken [government] by surprise”.
There is an “extreme unpredictability” associated with these exploits that makes it difficult to attribute, contain and stop them, she said. Hacktivism can also impact regular citizens quite significantly, due to “spillover” onto non-primary targets (such as with the Viasat campaign) and breaches on public tools like Google Maps, impeding people’s ability to travel and infiltrating personal location data.
Some hacktivists do not act alone and have the advantage of an organisation behind them, making them even more of a threat. Perhaps the best-known is Anonymous, the pro-Ukraine collective that has vowed to keep attacking Russia until its aggression stops. The group’s actions have caused Russia to become the most hacked country in the world in 2022 so far, with breaches affecting 3.5 million people, according to research from virtual private network (VPN) provider Surfshark.
But hacktivist collectives exist on both sides. Conti, a group of pro-Russia ransomware cyber criminals, have now “restyled themselves as political activists”, said Jonathan Hope, senior technology evangelist at cyber security firm Sophos, who spoke in another session at CyberUK on ransomware.
Vigilantes can be more ruthless and chaotic than other cyber criminals, he noted, as they destroy data for the sake of it rather than for financial gain, meaning victims are less likely to get their information back. “They’re hacking for ‘Mother Russia’ with no checks, controls or balances,” Hope said. “It’s a tool, a weapon to destroy data.”
The rise in such sporadic hacking makes it ever more important that governments secure and stress-test their critical national infrastructure, said Juhan Lepassaar, executive director of the European Union Agency for Cyber Security.
He said that the UK has done “great work” in securing its telecoms sector, and other industries and countries need to follow suit. “It pays off to build a framework where you stress-test the most critical sectors in society. [The sectors should be] incentivised to do it themselves.”
There was consensus that both organisations and individuals need to be encouraged to undertake basic steps in cyber security. Joyce said that attitudes are changing, albeit a little late – intelligence agencies have focused on counter-insurgency and terrorism for the past two decades, he said, which has caused cyber defence to fall by the wayside.
“We’ve not been investing in IT and now China is threatening those systems,” he said. “We will now do the things that we should have done ten or 20 years ago. The narrative has shifted.”
Moving the onus of cyber security from response to prevention is key, added Lepassaar. In fact, Ukraine’s thorough preparations are what have helped the country stay online despite multiple setbacks and have even enabled it to host “press conferences in besieged cities”, he said. “There has been a good deal of resilience from the Ukrainian state around maintaining connectivity. [This shows] the value of building partnerships early on and making sure you build distributed systems that are difficult to take down and attack.”