
Anticipating the War’s Direction

Russia's cyber resources may appear limited only because defenders have resisted Russian cyberattacks so well.

U.S. President Biden and U.S. cybersecurity experts have urged cyber readiness for potential Russian cyberattacks.

Says Eric Goldstein, executive assistant director for cybersecurity at the U.S. Cybersecurity and Infrastructure Security Agency (CISA), "We have warned repeatedly about the potential for Russia to engage in malicious cyber activity against the United States." According to Goldstein, as the president stated in March, intelligence increasingly indicates Russia may be exploring options for potential cyberattacks.

The warnings came as the U.S. and the North Atlantic Treaty Organization (NATO) continued to sanction Russia for its invasion of Ukraine. U.S. and NATO countries have also provided Ukraine with military support. According to The Associated Press, President Biden has committed $3.4 billion in military aid to date.

Last year, Russia-based advanced persistent threats (APTs) targeted U.S. critical infrastructure with successful ransomware attacks on Colonial Pipeline and the JBS meatpacking company. However, according to Time, Russia's cyber efforts have appeared limited during the Ukraine onslaught.

For example, Russia tried and failed to damage components of Ukrainian critical national infrastructure. According to The Hacker News, the Computer Emergency Response Team of Ukraine (CERT-UA), with help from ESET, a global cybersecurity firm based in Slovakia, foiled a Russian cyberattack intended to cut power at substations of an unnamed Ukrainian energy provider.

Even Ukrtelecom, Ukraine's state-owned telecom company, suffered only a brief disruption in Internet service during the attack on March 23, according to Reuters. Yet Forbes reported it as one of the most severe cyberattacks since Russia first attacked that nation on Feb. 22.

If Russia's cyberattacks on Ukraine are falling short, that raises the question of how significant the risk of cyberattack is to the U.S.

Bill Woodcock, executive director of Packet Clearing House, the international organization that builds and supports critical Internet infrastructure, says the U.S. is not at risk of severe Russian cyberattack while supporting Ukraine. "Whatever cyber capabilities Russia has, it has largely directed those at Ukraine right now and is likely to continue to do so through the duration of the war. Ukraine has deflected several attacks, and they're far more distracted and resource-constrained than the U.S.," says Woodcock.

Russia's cyber resources may appear limited only because defenders have resisted Russian cyberattacks so well. According to V.S. Subrahmanian, Walter P. Murphy Professor of Computer Science at Northwestern University and a cybersecurity scholar, Biden's warning of the Russian attacks on Ukraine caused an unlikely alliance of cyber defenders to prepare better and come to Ukraine's defense, deterring Russian cyber-aggression.

Examples include attacks by the hacktivist group Anonymous against Russian sites at the outset of the conflict. Many private-sector organizations, such as physical security key vendor Yubico and Internet hardware vendor Cisco, have provided cyber support to Ukraine. Yubico sent 20,000 YubiKey security keys to Ukraine, according to The Straits Times. Over 500 employees of the Cisco Talos Intelligence Group are combating cyberattacks in the region, according to CIO.

According to Woodcock, who developed the anycast routing technique that protects the Domain Name System, Russia's cyber offensive plans have taken a big hit during the war. "Cyber-intrusions of this sort are complex, typically involving the exploitation of multiple vulnerabilities in sequence. It takes significant preparation to set it up, months or even years of work, and any change to the defending environment may render all of that planning inapplicable," says Woodcock.

"Since the start of the war," Woodcock continues, "many changes have occurred and continue to occur inside defending networks. That churn means that Russian attackers have to go back to the drawing board most times, as previously planned or even previously tested attacks no longer work."

Still, experts insist the risk of malicious Russian cyber intrusions on critical national infrastructure is high. "Countries opposing Russia's gambit should absolutely assess that the likelihood of malicious cyberattacks has risen in multiple critical infrastructure industries," says Gary Salman, CEO of Black Talon Security, a cybersecurity company specializing in data breach prevention and response.

Subrahmanian expects any such Russian cyber response to be measured. "Increased sanctions, the increased supply of weaponry to Ukraine, and increased intelligence-sharing may evoke a proportionate increase in Russian cyberattacks on the U.S. as a tit-for-tat retaliation, but I do not see a big likelihood of a cyber-Pearl Harbor unless the U.S. dramatically increases its involvement in the war," says Subrahmanian.

U.S. cyber leadership continues to urge readiness in case of attack. According to Goldstein, every organization—large and small—must prepare to respond to disruptive cyber activity; that means using this time to adopt a heightened cybersecurity posture to protect their most critical assets. 

Salman agrees. "It is far too early to declare Russia's quiver of cyber exploits empty."

As Salman explains, "Cyber capabilities do not need to be sexy zero-day exploits or exquisite nation-state toolsets—most critical infrastructure industries in the U.S., NATO, and E.U. countries are not immune to common exploits in the wild. The health care sector continues to see cases of Russian-language malware of various capabilities—but none, so far, have been rapidly spreading zero-day variants." Salman's Black Talon Security has some insight into attacks on the health care sector, since it secures health care organizations.

Rather than wait and wonder when Russia may launch a cyberattack, watch for the following indicators, which Subrahmanian says may signal that Russian cyberattacks are under way. "First, U.S. organizations must look for unexpected traffic as these APTs ship more data to command-and-control centers outside the U.S."

In addition, warns Subrahmanian, "U.S. organizations must closely monitor what happens in other countries—new malware discovered in Ukraine or Poland may target the U.S. next."
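The first indicator Subrahmanian names, unexpected outbound traffic to destinations outside the U.S., can be turned into a simple per-host baseline check. The following is an added example, not code from Geer's article or from any of the organizations quoted in it; the flow records are constructed, and the destination country field is assumed to come from an upstream GeoIP enrichment step.

```python
"""Flag hosts whose outbound volume to destinations outside the home country
jumps well above their own recent baseline (possible data shipping to a C2
server abroad). Sample flows below are constructed for this example; the
country column is assumed to have been added by GeoIP enrichment upstream."""
from collections import defaultdict
from statistics import mean

# Constructed sample flows: day, source host, destination IP, destination country, bytes out.
SAMPLE_FLOWS = """\
1 ws-101 203.0.113.10 US 120000
1 ws-101 198.51.100.7 DE 40000
2 ws-101 203.0.113.10 US 110000
2 ws-101 198.51.100.7 DE 45000
3 ws-101 203.0.113.10 US 130000
3 ws-101 198.51.100.7 DE 42000
4 ws-101 203.0.113.10 US 115000
4 ws-101 192.0.2.77 NL 3800000
1 ws-202 203.0.113.10 US 90000
2 ws-202 203.0.113.10 US 95000
3 ws-202 203.0.113.10 US 88000
4 ws-202 203.0.113.10 US 91000
"""

def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts."""
    flows = []
    for line in text.splitlines():
        day, host, dst, country, nbytes = line.split()
        flows.append({"day": int(day), "host": host, "dst": dst,
                      "country": country, "bytes": int(nbytes)})
    return flows

def daily_external_bytes(flows, home="US"):
    """Sum bytes per (host, day) sent to destinations outside the home country."""
    totals = defaultdict(int)
    for f in flows:
        if f["country"] != home:
            totals[(f["host"], f["day"])] += f["bytes"]
    return totals

def flag_exfil_candidates(flows, today, baseline_days, home="US", factor=5.0, min_bytes=1_000_000):
    """Return {host: bytes} for hosts whose foreign-bound volume on `today`
    exceeds `factor` times their baseline mean; `min_bytes` is the floor so a
    host with no prior foreign traffic is not flagged on a few stray bytes."""
    totals = daily_external_bytes(flows, home)
    flagged = {}
    for host in {f["host"] for f in flows}:
        baseline = mean(totals.get((host, d), 0) for d in baseline_days)
        today_bytes = totals.get((host, today), 0)
        if today_bytes > max(factor * baseline, min_bytes):
            flagged[host] = today_bytes
    return flagged

if __name__ == "__main__":
    print(flag_exfil_candidates(parse_flows(SAMPLE_FLOWS), today=4, baseline_days=[1, 2, 3]))
```

In the sample, ws-101 normally sends about 42 KB/day abroad and suddenly pushes 3.8 MB to a new foreign address, so it is flagged; ws-202 never talks to foreign destinations and stays quiet.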

David Geer is a journalist who focuses on issues related to cybersecurity. He writes from Cleveland, OH, USA.
