Experts assessing the geopolitical situation in eastern Europe have no doubt that Russia is planning an attack on Ukraine . This is evidenced by Russia’s massive military build-up near the borders of Poland’s eastern neighbor. Thousands of soldiers, gathered under the pretext of military exercises, could launch an invasion at any time. This is evidenced by satellite images published for several weeks on a number of websites. However, the actions of the cyber forces, which Russia is likewise mobilizing in preparation for a potential conflict, remain less visible. Cybersecurity experts say that if Russia decides to invade Ukraine, it will undoubtedly use cyberattacks as a key part of its strategy. This took place already during the previous conflicts – in Georgia as well as Crimea (2016). If the cyberattacks get out of control, institutions that are not involved in the conflict, such as government agencies and private companies in the US, Poland, and elsewhere, could be affected too. Past events show that this is a very likely scenario.
In mid-January, hackers swapped the content of dozens of government websites in Ukraine. This type of attack did not directly affect the websites, but it successfully attracted media attention around the world. The attackers posted misleading content only to create a smokescreen and divert attention from a more dangerous attack – planting destructive malware inside the networks of Ukrainian businesses and government agencies. The plot was identified and described by Microsoft’s security engineers . After conducting a post-hack analysis, the Ukrainian security services unequivocally identified Russia as the source of the attack. Mandiant’s independent analysts, while predicting that the crisis in Ukraine would become a catalyst for additional aggressive cyber activity that would likely escalate, warned that future operations may not be limited to Ukrainian targets. At the same time, the US Cybersecurity and Infrastructure Security Agency (CISA) warned critical infrastructure operators in the US and allied countries to take “urgent steps” against cyber threats, citing the attacks in Ukraine as a reason to remain vigilant against possible threats to US assets.
Polish government institutions and banks were also instructed to prepare for potential cyberattacks. Increased defense capabilities were necessary because of the incidents that occurred in previous years. CISA recalled the 2017 NotPetya attack that got out of control and spread quickly across the Internet. The malware infection affected the entire world, causing billions of dollars of damage. NotPetya was a Russian cyberattack targeting Ukraine during a period of high tension . Similarly, BlackEnergy attacks aimed to disrupt industrial control systems (ICS) of Ukrainian power plants . As a result of the aggression, the supply of electricity to half the population of the Ivano-Frankivsk region was suspended. Variants of the malicious code were later found also following the attacks on other institutions, including power sector companies in the US and Poland .
Attacks on critical infrastructure are far more complex as well as require far more work and expense than those targeting less protected assets. For that reason, Mandiant analysts stated that “destructive tools and other simpler methods could be leveraged against a large cohort of targets simultaneously.” They were not wrong – on February 15, 2022, Ukraine was once again hit with a DDoS attack. Such attacks can be launched at low cost, for instance, by using attacker’s botnets. The websites of the Ministry of Defense of Ukraine, the Armed Forces of Ukraine, and two large banks were among the victims of the attack. In the latter case, customers reported problems with logging in to online banking and making withdrawals from ATMs. The source of the attack has not been provided to date.
Russia is likely to continue using cyber sabotage against Ukraine as it allows this country to effectively pursue its goals in the region. Cyberattacks, such as the power grid shutdown described above, have a destabilizing effect not only on the economy but also on the morale of the Ukrainian people. They are also a demonstration of Russia’s technical capabilities. A stronger attack on the financial sector could permanently prevent Ukrainians from withdrawing money and accessing bank accounts. An attack on the communications infrastructure would limit connectivity, and consequently the ability to organize evacuations and defense against aggression. Self-replicating malware attacks could bring all institutions and government agencies to a halt. They can also spread uncontrollably beyond the territory where they were intended to be used and hit the entire world, as it has already happened in the past.