Warnings of Russian cyber activity as Moscow continues preparations to invade Ukraine.

The Russian threat to Ukraine prompts warnings of offensive cyber operations.

Warnings of Russian cyber activity as Moscow continues preparations to invade Ukraine.

Reports of US and NATO talks with Russia over Russian preparations to invade Ukraine are not optimistic. (The Moscow Times' coverage is representative, as is the AP's.) Russia is concerned about NATO encroachment into what it regards as its proper security sphere of influence; NATO and the US are concerned over an expansion of Russian aggression against its neighbor. That aggression is conventionally held to have begun with Russia's annexation of Crimea in 2014.

As CyberScoop notes in its coverage of the tension between the two countries, Russia has denied any intention to invade. But the staging of ground troops near Ukraine is obviously in tension with such denials.

Western powers have offered Ukraine various forms of support. The New York Times has reported that the US and UK have lent expertise to Ukraine intended to shore up that country's power grid against disabling cyberattacks of the kind Russia has mounted before. The US has also, CNN says, allocated some $200 million in security assistance for Kyiv, which has said, according to Reuters, that it's "united" with Washington against Moscow.

In sum, both Russian and Ukrainian forces remain in a high state of readiness. Should there be an invasion, the outcome is unlikely to be in doubt, since Russia has the larger forces at its disposal and neither NATO nor the US is likely to commit itself to a full-scale war. Nonetheless, any war would be difficult, bloody, and damaging, as Ukraine is itself not a negligible military power, and a large-scale invasion wouldn't be a walkover. Both the Russian and Ukrainian militaries share a common descent from Soviet forces, with considerable overlap in doctrine, equipment, training, and culture; they understand one another very well.

The US warns of the Russian cyber threat.

Since cyber operations in wartime amount to combat support, the increased risk of kinetic war carries with it an increased risk of action in cyberspace.

Yesterday afternoon the US Cybersecurity and Infrastructure Security Agency (CISA) issued a joint warning with the FBI and NSA, "Alert (AA22-011A) Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure." CISA Director Jen Easterly tweeted this brief commendation of the joint advisory: "Russian state-sponsored malicious cyber activity is a continuing threat to our critical infrastructure—why we're working closely w/public & private sector partners to reinforce the importance of vigilance against these threats; read our latest advisory."

The Alert doesn't call out the threat of Russian military operations against Ukraine as the proximate cause of the warning, but its timing seems hardly coincidental. "This CSA provides an overview of Russian state-sponsored cyber operations; commonly observed tactics, techniques, and procedures (TTPs); detection actions; incident response guidance; and mitigations," the Summary says. "This overview is intended to help the cybersecurity community reduce the risk presented by these threats." The technical details offered are specific, and include a list of vulnerabilities known to have been exploited by Russian services:

The Alert is directed toward critical infrastructure providers, but its recommendations have broad applicability to any organization that faces a risk of cyberattack. At a high level, those recommendations are summarized as follows:

And organizations should pay close attention to logging. Stressing vigilance, NSA Cybersecurity Director Rob Joyce emphasized this in a tweet: "Logging is key! With Russian focus on persistent access to compromised networks, you need robust logs and focused effort to hunt, find, and kick them out."

CISA and its partners have provided, at the very least, a detailed overview of past Russian cyberattacks (and there's no ambiguity in the Alert's attributions) as well as advice on the tactics, techniques, and procedures organizations can use to help secure themselves. Those responsible for cybersecurity, anywhere, and in any kind of organization, should give this Alert close attention.

The European Union holds cyber exercises.

Bloomberg reports that the EU's member states are holding a series of cyber "stress tests" this week designed to check Europe's resilience to attacks on supply chains, and to give them the ability to redress any shortfalls they discover. "The exercise will be structured around a gradual escalation toward a major crisis that culminates in an attack that could qualify as an armed aggression under the United Nations Charter, according to one of the documents. In order to be as realistic as possible and better prepare the bloc for a real-world attack, it will be modeled on incidents that have taken place or could occur in the near future," Bloomberg writes. The exercises were proposed by France.

Sanctions and other responses short of war.

Sanctions have been the customary response to Russian action in cyberspace, but there's growing skepticism, CNBC reports, about their efficacy in deterring Russian operations against Ukraine. CNBC quotes a former British ambassador to Moscow, Tony Brenton, to the effect that "Sanctions don't work on Russia. Russia just becomes even more obdurate." Angela Stent of Georgetown University told CNBC that explicit discussion of sanctions doesn't "seem to have deterred Russia at all."

Sanctions do figure in a bill introduced in the US Senate, the Defending Ukraine Sovereignty Act of 2022, but the measure would also authorize extensive security assistance to Ukraine and an increase in efforts to counter Russian influence operations. Title II of the proposed bill also calls for exposure of Russian intelligence operations and the "Public disclosure of assets of Vladimir Putin and his inner circle."