In this transcript from a recent Q&A session on April 29, Chris Kubecka, the distinguished chair of MEI’s Cyber Security and Emerging Technology Program, provides insights on key issues and developments in the Ukraine-Russia cyber war. The text has been edited for length and clarity.
What is the potential for cyberattacks on U.S. companies and critical infrastructure?
KUBECKA: Cyberattacks have already begun affecting U.S. companies, with Russian malware found on some critical infrastructure. Some companies that have supported Russian sanctions have experienced a rise in cyberattacks, while U.S. companies that have been listed as continuing business operations in Russia have been included as potential targets for attack by pro-Ukrainian hacktivist groups.
Public-private data sharing has been touted by numerous administrations as a way to minimize or mitigate nation-state cyberattacks against critical infrastructure. However, the reality is the U.S. government does not have the resources, roles assigned, or personnel to do that. Nor has it approved a budget or a series of adequate processes to handle large quantities of data from privately owned critical infrastructure. There are major business considerations that the U.S. government needs to think through. How will the data be stored, and for how long? What if it leads to regulatory fines? What are the implications regarding privacy regulations? What other concerns will the legal departments, executives, and shareholders of the organizations have? Will the U.S. government utilize the data for other purposes?
Another consideration is the effect on elected officials and the voting public. After the list of members of Congress sanctioned by Russia was published, some hacktivist groups began looking at those who weren’t included as targets — looking into them, their business ties, and their family members, viewing them as collaborators with Russia. There is concern that campaign donors might also be targeted. For the voting public, we have seen Iran using digital harassment against voters in Florida during the 2020 election cycle. Pro-Ukrainian and Russian hacktivists could utilize the information to further disenfranchise voters in the midterms.
Other analysts have stated Russia is avoiding attacking NATO countries for a wide variety of reasons, but you just said they have been carrying out attacks. Can you expand on what they’ve done? Is there any hard evidence of this?
KUBECKA: A number of attacks have been carried out in NATO countries. Some examples include:
Dutch military intelligence disrupted an attack on routers by the Russian military hacking group 74455. The agency decided to make the information public to help Netherlands residents understand that even routers owned by “the bakery on the corner” can be used by a state actor.
The director of the Romanian National Cyber Security Center (NCSC), Dan Cimpean, has said Romania was hit with a “spectacular rise” in cyberattacks aimed at its infrastructure just after the war began. There was a roughly 100-fold rise in attacks, with most IP addresses originating in Russia.
According to Polish cyber security official Janusz Cieszynski, “The website of the (Polish) national clearing system, and servers dedicated to the government email network have been attacked.” The IT networks of Poland’s leading power utility were also attacked, according to the firm’s CEO.
As troops moved into Ukraine and towards Kiev, the KA-SAT system communications group Viasat, a U.S. company, was hit with a cyberattack that had far-reaching ramifications well beyond Ukraine. The French space program, German wind turbines, and broadband communications were interrupted, sending companies scrambling to replace the modems to restore communications. Germany, France, the U.K., Italy, Morocco, the Czech Republic, Poland, and other countries were affected. This is the same tactic Russia used against Georgia; one could say it’s part of their playbook during conflicts. Currently, many Romanian government websites can only be viewed by those physically in Romania — access has been cut from outside the country.
What are the implications for the MENA region and what do you see changing as a result of the war? Has Iran been emboldened, for example?
KUBECKA: Iran has been emboldened in terms of both physical and cyberattacks. On March 14, 2022, Israel declared a state of emergency due to a wide range of cyberattacks against the state health, justice, and welfare ministries, which prompted the authorities to request information from power and water utility companies. While the attention has been on Ukraine, Iran has been hammering Israel with cyber weapons, prompting Israeli officials to call for the creation of a “cyber Iron Dome” to protect against cyberattacks.
When we say “Russia” is attacking the West, does that mean the Russian military and intelligence apparatus or private actors?
KUBECKA: There is a mix of actors involved in the cyberattacks: Russian military and intelligence groups, patriotic hackers supported in a variety of ways by the Russian government, hacktivists, and private citizens who generally are independent of the Russian government. There has also been an increase in Russian cybercrime, as criminals exploit the fog of cyber war.
Leading up to the invasion of Ukraine, we saw a lot of Ukrainian organizations being targeted by wiper attacks, data leaks, DDoS attacks, defacements, and so on. With the war spilling over to Moldova now, are cyberattacks taking place there as well?
KUBECKA: Moldovan media reported on Feb. 29 that a Russian hacking group with military ties posted a list of Moldovan targets they plan on hitting with cyberattacks on a surveilled Telegram group. Romanian authorities have verified this information. The authorities are on high alert, expecting attacks similar to those that affected Ukraine to be carried out in Moldova. According to my contacts in the European computer emergency response team (CERT) network, Moldova has worked hard to increase its cyber security to achieve E.U. standards. This should give the country an advantage when it comes to mitigating cyberattacks due to thorough and diligent preparation prior to this crisis. However, Moldova is seeing a sharp increase in cyberattacks overall, covering a wide range of government and banking websites.
Have there been any attacks on Ukrainian critical infrastructure, including power generation and distribution infrastructure, manufacturing, and supply chains?
KUBECKA: There have been continuing attempts against various manufacturers, which have added to supply chain issues. However, teams of European CERTs, security companies big and small, and some U.S. tech companies and organizations have been assisting Ukraine to minimize the damage from cyberattacks. Ukraine took a monumental step to protect its power generation and distribution by disconnecting from the Russian power grid and moving to the E.U. power grid. If Russia were to launch cyberattacks against Ukrainian power generation causing a de-harmonization with the E.U. grid, this could potentially be viewed as an escalation of the war, depending on the effects on E.U. and NATO member countries.
Supply chain digital security is of great concern. Open-source libraries at organizations big and small might not be properly maintained or have basic security testing, leaving them wide open for exploitation to a wide range of intentional and unintentional targets, like the Heartbleed or Log4J conundrum. Not all suppliers have adequate cyber security or monitoring to handle an incident or report to their customers or authorities. Legal contracts and procurement must incorporate cyber security and privacy provisions for suppliers. However, cyber security law is a new discipline in the legal field and experienced cyber lawyers are few and far between.
Can you comment on what steps the Ukrainian government is taking to verify the alleged attacks against its border stations and border management software, given the implications of the conflict on migration in general?
KUBECKA: Attribution is a difficult challenge, despite the enormous amount of cyber assistance Ukraine has received. Microsoft’s CEO has publicly stated that the attack against the Ukraine border control system is attributed to Russia, was a targeted attack, and is now considered the first known instance of a Geneva Convention violation by digital means. Other firms have also attributed this cyberattack to Russia. When it comes to attribution, Microsoft is uniquely placed in certain cases due to the types of data it collects from operating systems and its cloud services.
Can you comment on the tactics and methods employed by the Ukrainian government to conduct cyber operations against the Russian military, and the extent to which operations conducted either by the government or individual groups might pose an escalation risk for Western governments?
KUBECKA: One of the methods used by the Ukrainians has been to ask for assistance from everyday citizens the world over to join the Ukrainian IT Cyber Army. This has prompted over 300,000 people from all walks of life to assist in a global effort to pinpoint targets, determine which type of attack to use, organize information, and more. This includes everything from DDoS attacks to hacking the identification and route information of a Russian military ship and showing it in a different location in the Black Sea.
What implications can we draw about the relationship between cyber operations and conventional maneuvers? How do information operations impact the Russian public’s understanding of the conflict?
KUBECKA: Disinformation, misinformation, and malinformation are a challenge in normal times. During a crisis, they can be overwhelming. Within days of the outbreak of war in Ukraine, an online rumor spread like wildfire to bordering countries that only wealthy Ukrainian refugees fled the war. I experienced this firsthand when a hotel clerk in Bucharest boldly repeated this malinformation to me, while I was arranging a hotel room for a Ukrainian family that fled with me from Kyiv with little more than the clothes on their backs. Hate group forums in Slovakia spread rumors that international students in Ukraine from the Global South were criminals who came over the Belarusian border, which led to one student in Bratislava I was housing being denied a hotel room. Some international students and Ukrainian refugees were attacked by hate groups near border crossings in Hungary. It has gone beyond the deepfake of President Volodymyr Zelenskyy supposedly surrendering to Russia and is impacting the most vulnerable. Countries that border Ukraine must take the threat of propaganda seriously and counter Russian information operations.
Has cryptocurrency played a role in the Ukraine conflict? What role does it play in cybercrime and the cyber crisis in the Middle East? Is there a relationship between the two?
KUBECKA: Cryptocurrency-driven cybercrime is on the rise in both the West and the MENA region. There is a direct correlation between higher cryptocurrency values and cybercrime. Even criminals look at the return on investment when they carry out cyberattacks.
Chris Kubecka is the distinguished chair of MEI’s Cyber Security and Emerging Technology Program and the founder and CEO of Hypasec. The opinions expressed here are her own.