Even before Russia moved its troops into Ukraine this week it was softening the ground with waves of cyber attacks on banks and government websites.
Then, as the invasion began, a US digital security firm discovered a new piece of disc-wiping malware deployed against financial, defence, aviation, and IT businesses in Ukraine. Russian disinformation also began running wild online, spreading false claims that the Ukrainian president had fled or that certain cities had fallen, to sow chaos as its troops advanced over the borders. Now Ukraine has reportedly called on its own hacking underground to shore up critical infrastructure like power grids.
Cyber attacks, when digital systems are compromised by external actors or “hackers”, can do more than inconvenience. They can unplug cities, scramble military communications and blind radar systems before you’ve even fired a shot. In Ukraine, which has long been used as a testing ground for Russia’s digital weapons, hacks linked back to Moscow have knocked out the lights during the dead of winter, shut down ATMs and trains, and even throttled major shipping firms when the 2017 NotPetya worm spread further than intended, out of Ukraine and into computer systems around the globe.
This time experts warn a major cyber offensive inside Ukraine could again spill over the border into NATO countries, ratcheting up tensions. Russia may even be planning a separate wave of cyber attacks on Western countries enforcing tough new financial sanctions.
How are cyber attacks part of war?
The first act of major conflicts now usually plays out in cyberspace, experts say. Just nine countries have nuclear weapons but most have state-sponsored hackers. Russia is widely considered to have some of the most advanced cyber capabilities in the world, and has launched some of the most brazen attacks in history, such as the recent SolarWinds breach that made it into Western government agencies, including in the US and Australia.
Running cyber campaigns alongside regular physical warfare is a common Kremlin tactic. NotPetya hit during fighting in Ukraine’s east with Russian-backed separatists in an earlier iteration of the war in Donbas. In the former Soviet republic of Georgia in 2008, cyber attacks seemed to strike towns just ahead of Russian soldiers arriving to back pro-Russian separatists there.
What is considered the world’s first digital weapon was unleashed in 2009, a highly advanced computer worm known as Stuxnet, built by the US and Israel to damage an Iranian nuclear enrichment facility. An arms race has been under way ever since among security agencies looking to patch vulnerabilities faster than hackers and rival nation states can exploit them.
But cyber weapons are still mostly deployed as “short of war” tools, in the grey zone between peace and war. They are cheap, effective and often difficult to trace back to the state behind them in comparison to boots on the ground, making retaliation complicated.
Can a cyber attack be an act of war?
That’s a thorny question, and one countries are still determining, according to international law expert and former Navy captain Professor Dale Stephens. While the Geneva Conventions and other treaties set out clear definitions for traditional warfare, the threshold for when cyber attacks cross the line and so justify a military response is often unclear. Some countries have kept it deliberately vague to keep enemies wary of crossing an invisible line and avoid the risk of defining their own offensive cyber operations as warlike.
In 2009, when Estonia’s government websites were shut down and defaced in Russian cyber attacks dubbed “Web War One”, it went to NATO for help. There was even (brief) talk of invoking Article 5, which demands all other nations in the alliance defend one another from enemy assaults. Big hacks have triggered sanctions, but the world did not see a direct military retaliation to a cyber attack until 2019, when Israel attributed its decision to bomb a building in Gaza to Hamas hacking links.
Still, in 2018, NATO said it could invoke Article 5 in the event of a serious cyber assault against an ally (the mode of retaliation depending on the severity). In 2019, Australia solidified its own position. The gist is that when a cyber attack poses an imminent risk of damage equivalent to a traditional armed attack, such as significant loss of life or critical infrastructure, then a country should be able to defend itself. That’s generally the standard most countries accept as crossing the line, Stephens says.
Could cyber attacks get to that level beyond Ukraine?
It’s possible. If a major cyber attack did spill across Ukraine’s border into a NATO member state, that would test nations’ views on the right to self-defence, chair of the US Senate Intelligence Committee Mark Warner told NPR. It could even force them to come to Ukraine’s defence if serious enough. Cyber attacks don’t recognise borders, Warner said. And if an attack in Ukraine also “shut down Polish hospitals … you’re rapidly approaching what could be viewed as an Article 5 violation of NATO. We are in an uncharted territory.”
The disc-wiping bug detected this week in Ukrainian machines has already spread over the border to NATO members Lithuania and Latvia, but only at organisations with a major presence in Ukraine, according to the company tracking the malware. And this appears to be accidental, not deliberate targeting.
Russia has yet to unleash the full extent of its cyber weapons in Ukraine. Experts say it may escalate attacks as Ukrainians resist the invading force. And some have suggested that Russia might look to target the “weaker links in NATO” with cyber attacks in retaliation for Western sanctions, inflicting economic pain of its own.
One of the West’s strongest weapons in response has been greater transparency than usual. Intelligence services in the US and the UK have been quick to attribute hacking to Russia and made plain their invasion prediction in advance of tanks rolling over the border, in part to rebut Russian misinformation.
What does it mean for Australia?
There are three scenarios where Australia could be hit with a cyber attack stemming from the Ukraine conflict, according to the director of the International Cyber Policy Centre at the Australian Strategic Policy Institute, Fergus Hanson. The first, and least likely, is if Russia turned its highest-level hacking tools directly on Australia.
“That’s the most unlikely because it’d be very obvious that Russia was doing it and it’d invite more countries to band together in more offensive ways against Russia’s activities,” Hanson says.
The second scenario is if a major self-spreading hacking tool is deployed by Russia in Ukraine and gets out of hand, as NotPetya did. “We could see that type of attack … spreads globally,” Hanson says. “I think that’s pretty likely.”
Finally, there are sophisticated criminal hacking groups that operate with the tacit authorisation of the Kremlin as they run financial crimes online, locking up data and demanding ransoms for its return, for example (known as ransomware). “They could be given the nod to step up malicious activities against particular countries that need to be punished in Russia’s view,” Hanson says. “That’s the most likely activity in my view.”
Australia is likely well down the list of countries that Russia is interested in, though. Ukraine, the United States and European NATO powers are all above it, in Hanson’s estimation. Still, Australia, which is part of the Five Eyes military alliance, has been providing remote technical assistance and cyber training to Ukraine to bolster its digital defences.
Even if Russia does not focus on Australia, security experts have warned that our proximity to other contested territory in Asia and our role in the new AUKUS security alliance between Australia, the United Kingdom and the United States mean other countries have a greater interest in cyber surveillance in Australia. Late last year, federal Parliament passed legislation to allow Australia’s cyber agencies to go into private companies under digital attack. A second tranche of laws putting more obligations on firms in critical sectors to beef up their defences is under consideration.
Intelligence chief at cyber security firm CrowdStrike, Adam Meyers, said countries such as North Korea and China had a greater incentive to conduct online espionage in Australia to understand how the alliance had altered their security positions.
“They’ll be targeting things related to the ports, they’ll be targeting things related to marine engineering, they’ll be targeting things related to supply chain and movement of things,” Meyers said from Washington DC last week, before the Russian invasion.