Fears are rising that the boundaries of the cyber war between Russia and NATO could soon spread beyond Europe.
Eight cybersecurity authorities from the so-called “Five Eye” nations (United States, United Kingdom, Australia, Canada and New Zealand) released a joint statement on Thursday warning that more malicious cyber activity is on the way as Russia’s invasion of Ukraine continues to impact geopolitical stability.
Before we look at the statement in any depth, an important five-pronged caveat is needed: both the US and the UK are among the primary antagonists in NATO’s ongoing war with Russia; they both have significant offensive cyber war capabilities of their own; US intelligence agencies, at Obama’s behest, have drawn up a list of potential overseas targets for cyber attacks; both countries have surreptitiously conducted vast surveillance programs, targeting not only their own populations but also citizens and government leaders of other countries; and the world right now is in the grip of the biggest information war of this century.
Make volatility work to your advantagAs such, any information coming out of the Five Eyes’ intelligence services should be treated with a healthy dose of skepticism. That having been said, here are the first three paragraphs of the missive:
The cybersecurity authorities of the United States, Australia, Canada, New Zealand, and the United Kingdom are releasing this joint Cybersecurity Advisory. The intent of this joint CSA is to warn organizations that Russia’s invasion of Ukraine could expose organizations both within and beyond the region to increased malicious cyber activity. This activity may occur as a response to the unprecedented economic costs imposed on Russia as well as materiel support provided by the United States and U.S. allies and partners.
Evolving intelligence indicates that the Russian government is exploring options for potential cyberattacks (see the March 21, 2022, Statement by U.S. President Biden for more information). Recent Russian state-sponsored cyber operations have included distributed denial-of-service (DDoS) attacks, and older operations have included deployment of destructive malware against Ukrainian government and critical infrastructure organizations.
Additionally, some cybercrime groups have recently publicly pledged support for the Russian government. These Russian-aligned cybercrime groups have threatened to conduct cyber operations in retaliation for perceived cyber offensives against the Russian government or the Russian people.
The document also emphasized the frontline role likely to be played by Russian state actors, including the Russian Federal Security Service (FSB), the Russian Foreign Intelligence Service (SVR), Russian General Staff Main Intelligence Directorate (GRU), GRU’s Main Center for Special Technologies (GTsST) and the Central Scientific Institute of Chemistry and Mechanics (TsNIIKhM) of the Russian Ministry of Defense.
The authors of the document urge critical infrastructure organizations to take immediate steps to protect against cyberattacks. Those steps, they say, should include patching known exploited vulnerabilities, updating software, enforcing multi-factor authentication, securing and monitoring remote desktop protocol (RDP) and other “potentially risky” services, and providing end-user security awareness and training. As The Register, a British technology news website, notes, if any of these recommendations come as a surprise to critical infrastructure operators, “we’re screwed”.
The warning from the “Five Eye” nations comes just days after NATO began (as Bloomberg puts it) “the largest and most complex ‘live-fire’ cyber defense exercises” ever conducted. More than 2,000 people from 32 nations were expected to participate in the war game, which began on Tuesday in Tallinn, Estonia. They include representatives of five to 10 large global financial institutions, including Santander and Mastercard.
This is all happening as fears rise that the boundaries of the cyber war between Russia and NATO could soon spread beyond Europe, where attacks have been registered not only in Ukraine and Russia but also Poland and Finland. On March 21, President Joe Biden warned American businesses to prepare themselves for cyberattacks. Russia is likely to deploy cyber attacks as a form of retaliation against US sanctions, Biden said, adding that Russia has “a very sophisticated cyber capability,” which Putin “hasn’t used… yet” but which forms “part of his playbook.”
Cyber War Reaches Latin America?
Over the past week, two Latin American countries, Costa Rica and Puerto Rico, have suffered major cyber attacks targeting key national infrastructure. In Costa Rica a wave of attacks on Wednesday temporarily disabled websites belonging to the Ministry of Finance, the Ministry of Science, Innovation, Technology and Telecommunication, the Costa Rica Social Security Fund, the National Meteorological Institute (IMN) and the Costa Rican Radiographic Institute (Racsa).
Following the attack the Ministry of Science’s Director of Digital Governance, Jorge Mora, noted that the digitization of governmental activities creates risks as well as benefits. As for who was responsible, Mora said a US$10 million ransom demand had been posted on the dark web by the Conti Group, a pro-Russian ransomware gang that has threatened to deploy retaliatory measures if cyberattacks are launched against Russia. The Costa Rican government has ruled out paying a ransom, which prompted Conti Group to issue one last ultimatum: pay up or all the data gets released.
Costa Rica is a curious choice of target given the country, like Mexico, follows a policy of neutrality regarding foreign wars. In fact, Costa Rica has not had an army for 73 years. That said, the Costa Rican government is one of a small number of Latin American countries to have agreed to apply US and EU sanctions against Russia within its financial system. It has also suspended broadcasts of Russian state-backed media outlet RT.
Puerto Rico, being a so-called unincorporated territory of the United States, is a more obvious choice of target. In the past few days the country’s electronic toll collection system was brought down by a cyber attack. Local media reported Tuesday (April 19) that the attacks had begun over the weekend and had affected a mobile application, the collection systems at toll plazas, and a website. The website was up and running again by Tuesday but users were still reporting service irregularities as of this writing.
Puerto Rico’s Interior Secretary Noelia García said the hackers have demanded a ransom to restore the system, which the government says it will not do. García also insisted that users’ encrypted data such as credit card details are safe. According to Ngai Oliveras, the Puerto Rican government’s chief of security, the FBI is investigating the attack, which it is believed could be linked to the war in Ukraine.
This is not the first major cyber attack to target key public infrastructure in Puerto Rico in recent months. In January, the website of Puerto Rico’s senate as well as its internet provider and telephone systems were temporarily taken out. In October 2021, the capital’s electricity provider fell victim to a DDoS attack that resulted in a power outage affecting more than a million people. In a DDoS attack hackers inundate a website with so many bots connecting to it all at once, they render it inaccessible. Servers are not breached, data is not stolen but it can still cause lots of disruption.
The Digital Side of Russia-NATO War
Both sides of the NATO-Russia conflict took the battle to the cyber sphere from day one. In the case of Russia, it has been attacking Ukrainian targets since mid-January, weeks before the war even began. At the very onset of its invasion of Ukraine, “U.S. intelligence and military cyber warriors were advocating the use of American cyberweapons on a scale never before contemplated.” That was according to a February 24 report out of NBC titled “Biden Has Been Presented with Options for Massive Cyberattacks Against Russia.”
In an interview with MSNBC two days earlier, Hilary Clinton praised hacker group Anonymous’ for launching coordinated cyber attacks on Russian targets.
“There were reports overnight that Anonymous, a group of hackers, took down Russian TV. I think that people who love freedom, who understand that out way of life depends upon supporting those who believe in freedom as well, could be engaged in cyber support for those in the streets of Russia. We did some of that during the Arab Spring when I was secretary of state. I think we could also be attacking a lot of the government institutions, and you know the Oligarchs and their way of life through cyber attacks.”
The hacktivist group DDoSecrets, which specializes in hacking and then publishing compromising data, has also been busy since the war began. According to Micah Lee, an operational security analyst at The Intercept, the group has so far amassed seven Russian datasets from March and a further 20 from April. Among its targets are Roskomnadzor, an agency that monitors and censors mass media; Transneft, the world’s largest oil pipeline company; Rosatom, the state nuclear energy agency; the Russian Orthodox Church’s charitable wing and the Russian Central Bank.
On the other side of the conflict, cyber attacks have played a constant, if somewhat muted, role in Russia’s invasion. The targets in Ukraine have included government websites; the mobile apps and ATMs of the country’s largest banks; and the websites of non-profit organizations, tech companies, the Ukrainian military and Security Service (SBU).
“We are now witnessing the first real cyberwar,” Natalia Tkachuk, the head of Ukraine’s Information Security and Cybersecurity Service, told The Record, a cyber security news publication belonging to Recorded Future, a Massachusetts-based cybersecurity firm:
[M]any cyber attacks on government institutions and critical infrastructure are coordinated and planned by the Russians in order to cause maximum damage to Ukraine. Most of the attacks are now aimed at government agencies, energy, telecommunications and banking sectors. In most cases, the main purpose of the attacks is to destroy information using various data wiper malware.
We can’t say that there is necessarily an increase in the number of the attacks, rather we can note the increased coordination of efforts in the preparation of attacks on a particular sector. Such targeted and dangerous attacks come in waves, amid the static noise caused by a large number of overall cyber incidents and small attacks.
Fake News and Bank Runs
Concerns are also rising about potential attacks on financial institutions, particularly in Europe. On April 1, the European Banking Authority issued a warning about the risk of fake news triggering a run on European banks. Per Reuters:
“As market sentiment remains highly volatile and driven by news flow, banks’ liquidity levels can become vulnerable due to spread of inaccurate information,” the European Banking Authority said in its latest “risk dashboard”, which focused on exposures to Russia and Ukraine.
“Such campaigns that spread inaccurate information may result in deposit outflows from targeted banks,” EBA said.
EBA said exposures of banks in the bloc to Russia are too low to threaten financial stability, but economic fallout from the war in Ukraine and cyber attacks could hit the profitability of lenders.
EU banks had exposures totalling 76 billion euros ($84 billion) to Russia and 11 billion euros to Ukraine in the fourth quarter of 2021, mainly among Austrian, French and Italian lenders.
“Based on the EBA’s initial assessment, direct exposures to Russia, Belarus and Ukraine are limited, but second-round effects may be more material from a financial stability perspective,” it said.
Second-round effects include direct economic fallout of the war such as the fiscal impact, the impact of sanctions, elevated risks from cyber attacks, and the longer-term impact on supply chains in the global economy, EBA said.
The EBA’s warning bears a striking resemblance to a scenario featured in a 10-country simulation of a major cyberattack organized by the Israeli government in December 2021. As Reuters reported at the time, the simulated cyber attack, dubbed “Collective Strength”, took place over 10 days, “with sensitive data emerging on the Dark Web along with fake news reports that ultimately caused chaos in global markets and a run on banks.”
Participants in the Collective Strength simulation included treasury officials from Israel, the US, the UK, Austria, Switzerland, Germany, Italy, the Netherlands, the United Arab Emirates and Thailand, as well as representatives of the IMF, the World Bank and the Bank of International Settlements, the central bank of central banks. The participants discussed a range of policies for responding to the simulated crisis, including a coordinated bank holiday, debt repayment grace periods, SWAP/REPO agreements and coordinated delinking from major currencies.
The simulation took place after a string of cyber attacks last year caused serious disruption to banks and other financial institutions in Pakistan, Ecuador, New Zealand and Venezuela. Interestingly, Venezuela’s government laid the blame for the IT outage suffered by Banco de Venezuela, the country’s largest bank, on the US government, which Venezuela’s vice president Delcy Rodríguez accused of launching an “intense and aggressive” cyber attack against the bank’s IT system.
Cyber Attacks Were on the Rise Long Before Russia’s Invasion of Ukraine
Cyber attacks have been a growing problem for a number of years as more and more aspects of human communication, work and business operations have migrated online, particularly following the pandemic-induced lockdowns of 2020. Ransomware-related data breaches have doubled in the US for the past two years, according to the Identity Theft Resource Center’s 16th Annual Data Breach Report. Supply chain attacks, like DarkSide’s ransomware attack on Colonial Pipeline, are also on the rise.
There are many reasons for this. One is that large companies that fall victim to ransom attacks tend to pay up. And the ransoms tend to be big. Colonial Pipeline paid a $4.4 million ransom payment to regain access to its files.
The rising threat is also being driven by the increasing technological sophistication and capability of hackers. At the same time, banks and companies’ IT systems have grown more vulnerable due to the explosion in use of electronic financial services during the pandemic as well as the rise in remote working by employees, as reader Vlade commented on a previous article:
The problem with the home front is that most people are treating home IT as “just put it there”, and not thinking about security until it’s way too late. Using open wifi, not changing default passwords or admin users etc. etc. – but TBH, I have seen the same behaviour within large corpos too.
Still by far the easiest hacking attack is via a mole (i.e. human element), and that’s very hard to prevent. And, as they are right now, since the companies are looking at their employees as interchangeable cogs in a machine, recruiting moles is likely getting easier and easier.
This may well have been the case with the recent cyber attack against Colonial pipeline, which took down the largest fuel pipeline in the country, leading to fuel shortages along the East Coast, and was pulled off with a single compromised password.
US Infrastructure At Risk?
As Russia gets bogged down in its war with Ukraine (and, of course, NATO & friends) and its sanctions-ravaged economy spirals deeper and deeper into depression, an increasingly desperate Vladimir Putin may resort to digital warfare against US targets. That is the scenario depicted by a recent CBS News report. Citing the same US intelligence officials that helped produce the Five Eyes missive, the CBS report warns that cyber attacks against US infrastructure are growing increasingly likely.
“We have to assume that there’s going to be a breach,” said Jen Easterly, US Director of the Cybersecurity and Infrastructure Security Agency (CISA), a US federal agency that operates under Department of Homeland Security oversight. “There’s going to be an incident.”
Caveat #2: US intelligence agencies are not exactly the most reliable sources of information. Intelligence officials already told a big porky when they recently warned that Russia might be preparing to use chemical agents in Ukraine. As it turns out, they had no evidence Russia had brought any chemical weapons near Ukraine; they were apparently just trying to deter Russia from using the banned munitions. This is part and parcel of Washington/NATO’s disinformation war against Russia, as even NBC News recently admitted:
It’s one of a string of examples of the Biden administration’s breaking with recent precedent by deploying declassified intelligence as part of an information war against Russia. The administration has done so even when the intelligence wasn’t rock solid, officials said, to keep Russian President Vladimir Putin off balance.
In other words, they lied, just as they lied about Iraq’s weapons of mass destruction. As Caitlin Johnstone notes in an article for Consortium News, they may contend that they lied for a noble reason but they still lied: “They knowingly circulated information they had no reason to believe was true, and that lie was amplified by all the most influential media outlets in the western world.”
Now, we are being told by the intelligence agencies of not only the US but also its fellow Five Eye partners that a Russian cyber attack against critical infrastructure is all but inevitable. But as I noted at the beginning of this article, they are not exactly trusted sources.