Ongoing cyberattacks in Eastern Europe are state controlled

Lior Div, CEO and Co-Founder, Cybereason
3 years ago

I am watching the ongoing tragedy in Ukraine with the rest of the world. It is heart-breaking and my thoughts are with the people of Ukraine. I had hoped that diplomatic efforts would work, and that Putin would pull his troops back, but I would be lying if I said I was completely surprised that Russia launched a full-scale invasion of Ukraine.

Aside from displaying Putin’s imperialist aspirations, this conflict has also revealed the extent to which Russia has integrated cyber into its military strategy and how much control Russia has over allegedly independent cybercrime gangs.

Cyber is an integral element of nation-state intelligence and a powerful tool for disrupting communications and impeding the enemy’s defences in a military conflict. Russia and threat actors aligned with Russia have a history of employing cyberattacks against Ukraine.

In the weeks and days leading up to the Russian invasion, Ukrainian government websites and banks, along with the websites of nations allied with Ukraine, were defaced. Researchers also discovered multiple malicious wiper programmes deployed on Ukrainian systems.

The threat is still high, and it is not only specific to Ukraine. Nations and businesses around the world need to be on high alert for cyberattacks. As the United States and NATO allies support Ukraine with military equipment and medical supplies and increase pressure on Russia through sanctions and other means, I expect Russia and aligned threat actors to escalate cyberattacks in an effort to impact critical infrastructure, cripple the global economy, and weaken our collective resolve to stand united against them.

The rhetoric around potential cyberattacks is intensifying. There are reports that the Biden administration and other nations are considering options for offensive cyber operations against Russia. The hacktivist collective Anonymous claims to have knocked Russian websites offline. Meanwhile, various ransomware gangs have issued threatening statements warning that they will strike back against any nations or groups that attack Russia.

While those attacks may be primarily aimed at government and military assets, there is no way to predict the scope or resulting impact given that the majority of critical infrastructure security rests with the private sector. Nation-state cyberattacks often bleed beyond the intended target and result in collateral damage for unrelated businesses around the world—like the NotPetya attack by Russia against Ukraine in 2017.

Intelligence agencies enlisting cybercrime threat actors as proxies

The Cybereason Threat Intelligence team has been carefully monitoring the situation in Ukraine as tensions have escalated. There was a dramatic drop in ransomware attack activity following the public and performative arrest of members of the REvil ransomware gang in January. Ransomware attacks originating from Russia have effectively all but ceased since mid-January.

That actually tells me two things. First, it demonstrates the influence (control, actually) that Putin and the Russian government have over these cybercrime groups. It shows that the cyberattacks coming out of Russia are not really state-ignored or state-sponsored, but actually state-controlled.

It confirms what we have long suspected, that Putin and Russian intelligence agencies enlist cybercrime threat actors as proxies to provide a buffer of plausible deniability while effectively leveraging cyberattacks as a weapon.

The drop in Russian ransomware activity over the last six weeks also suggests that those cybercrime groups were given a new mission. They were most likely conscripted to help the Russian government in its efforts to hack and disable critical infrastructure and defence systems in Ukraine in preparation for launching the invasion.

We now know that Russia has far more power and control over cybercrime groups and ransomware gangs than they have admitted to.


Opinions and comments are of the authors mentioned.
