On 27 June 2017 Ukraine’s largest airport, its energy authority and national bank suffered a devastating cyber attack. Within hours the “NotPetya” virus used in the attack had spread around the world, bringing down several major businesses. NotPetya caused chaos within the advertising firm WPP, the pharmaceutical company Merck and the transportation giants Maersk and FedEx.
These companies were never the intended targets of the attack. They were merely collateral damage in a campaign launched by the Russian government with the aim of wreaking havoc in its neighbouring state. After Russian troops entered Ukraine last week, businesses and governments have been asking if a similar attack could spread beyond the country, and the Business Secretary, Kwasi Kwarteng, is expected to meet with the chair of the National Grid this week to discuss the risk to Britain’s infrastructure.
Russia has already conducted three rounds of cyber attacks on Ukrainian institutions since the beginning of this year. The latest and most intense wave began on Wednesday (23 February), when several Ukrainian banks and government organisations’ websites were rendered inaccessible by distributed denial of service (DDoS) attacks. The campaign coincided with the emergence of a new “wiper” virus, which was designed to destroy targets’ data, in a similar way to the NotPetya attack.
The UK’s National Cyber Security Centre (NCSC) has been warning for several weeks that attacks could “spill over”, unintentionally ensnaring British victims. Last week, the agency – a division of GCHQ – said that while it was “not aware of any current threats to UK organisations in relation to events in and around Ukraine, there has been a historical pattern of cyber attacks on Ukraine with international consequences”. The GCHQ director, Jeremy Fleming, met leaders representing Britain’s critical national infrastructure organisations on 17 February.
The NotPetya attack gained access to victims’ computers using an “exploit” for a critical software vulnerability that was already widely known. Microsoft had already released an update to secure against the vulnerability, but millions of computers hadn’t been updated. Alan Woodward, a computer security professor at the University of Surrey, says no similar exploits have emerged into the public domain since – but that doesn’t mean they don’t exist. It is possible, he says, that Russia’s military intelligence unit, the GRU, could have developed new vulnerabilities (so-called “zero-day exploits”) which are not yet known to software vendors: “You don’t know what you don’t know.”
However, Woodward says Russia wouldn’t need to develop an entirely new exploit in order to cause chaos. It could simply adapt previous viruses – and NCSC warned on 23 February that a GRU unit, referred to as “Sandworm”, had done just that. In an advisory note security officials said: “The malware dubbed Cyclops Blink appears to be a replacement for the VPNFilter malware exposed in 2018, and its deployment could allow Sandworm to remotely access networks.”
It is possible, says Woodward, that Russia could respond to economic sanctions by carrying out retaliatory cyber attacks aimed at Western financial organisations. “Because cyber attacks are so difficult to attribute, are they going to launch something against the West anyway? Might they do something to harm Western economies as a reprisal?” This is considered a less likely scenario, however; the difficulty of carrying out such attacks makes a “spillover” attack the most likely cyber threat facing Western organisations.
One consolation is that British organisations are likely to be better protected than those in some other European nations. NCSC is among the most advanced organisations of its kind in the world, and has been working for years to build up the country’s cyber resilience; Woodward says that Britain’s new offensive cyber force may also act as a deterrent to Russian aggression. The Defence Secretary, Ben Wallace, has already signalled that the government would be prepared to carry out retaliatory cyber attacks on Russia.
Nevertheless, while the risk of cyber attacks will be front of mind for some British security officials and business leaders, it will be of lesser concern to Ukrainian citizens. “When it gets to this stage, it becomes secondary to military action and reverts to what we’ve seen with electronic warfare for decades,” says Woodward. “It’s a way of disrupting things and the economy of somewhere, but primarily it’s a way of spreading misinformation and disinformation.”