
DHS Bulletin Warns of Russian Cyber Attacks in Retaliation if US Responds to a Ukraine Invasion

As the great “will they or won’t they” continues to play out in the news, the Department of Homeland Security (DHS) has issued a bulletin to law enforcement agencies warning that Russian cyber attacks in the US are possible if Ukraine is invaded.

DHS is specifically warning that these attacks could happen in response to US or NATO actions if Russia should physically invade Ukraine, and if Russia feels that those actions threaten its “long-term national security.”

Russian cyber attacks on US a possibility in an extreme scenario

The whole assumption is predicated on Russia first invading Ukraine with its troops, something that is far from certain despite increasingly heated rhetoric from elements in the US that appear to be looking for a fight.

But should there be an invasion, and should Russia not like the response by US or NATO, DHS is assessing the possibility of Russian cyber attacks on the US homeland. The agency does say that, even in the case of some sort of direct conflict, Russia’s threshold for conducting “disruptive or destructive cyber attacks” on targets in the US remains “probably very high.”

The DHS is nevertheless calling for a “heightened state of alert,” citing the range of Russian cyber attacks that are possible (from lower-level denial of service attacks to potential disruptions of critical infrastructure). Russia’s state-backed hacking teams have been thought to have access to parts of the US power grid for years, and concerns about critical infrastructure were greatly heightened by the attack on Colonial Pipeline by a Russia-based criminal gang last year.

The back-and-forth between the US and Russia had reached the point of the US and NATO sending weapons systems to Ukraine just prior to the DHS warning. Estonia, Lithuania and Latvia were given clearance by NATO to send Javelin anti-tank weapons and Stinger air-defense systems to Ukraine, and the United Kingdom is additionally providing light anti-tank weapons. This equipment is from US arms manufacturers and requires US government permission to sell or move. The US government is also directly providing Ukraine with five Mi-17 transport helicopters that had been slated for deployment to Afghanistan prior to the pullout.

There has not yet been an attack on US critical infrastructure or utilities by hackers linked to the Russian government, though these groups are believed to have broken into power systems and probed them multiple times. The attack on Colonial Pipeline gave a taste of what could be possible, however, as fuel deliveries to multiple states were cut off for nearly a week. Russia’s government-backed cyber activities in the US have thus far been limited to espionage, such as the brazen 2020 SolarWinds attack.

Tim Erlin, VP of Strategy at Tripwire, was left wondering exactly what the average organization is expected to do in response to a warning like this: “The cybersecurity industry has gotten used to tossing around the idea of ‘nation-state’ adversaries, but I think we’ve yet to see cyber attacks used in concert with a full-fledged military campaign. DHS’s warning sets that expectation that something has changed in the threat profile, and that organizations should be prepared for a change in the types of attacks they see … It’s entirely valid for organizations to wonder what they’re supposed to do differently when faced with this type of alert. Cybersecurity calls for constant defense already, and an alert like this doesn’t magically remove the obstacles that are preventing organizations from implementing solid security controls. For most companies, a DHS alert simply doesn’t create budget or add people to their staff.”

Could wave of cyber attacks in Ukraine expand?

Russian cyber attacks are hardly an uncommon thing in Ukraine, dating back to the flare-up of tensions between the nations in 2014. However, thus far the current Russian cyber campaign has been limited to a series of defacements of national and local government websites that appeared to threaten mass doxxing of the country’s citizens. Russia shifted blame for the attack to a Ukrainian separatist group.

Mandiant, a leading cybersecurity firm, also weighed in with a report released on January 20. The report concluded that Russian cyber attacks would not remain restricted to Ukraine or to the public sector should the situation continue to deteriorate.

In addition to advising increased vigilance for Russian cyber attacks, the US government has put 8,500 troops on heightened alert for deployment to the region. President Biden also recently deployed the aircraft carrier Harry S Truman to the Mediterranean under NATO control, the first time such a move has been made since the end of the Cold War.

It is unclear exactly what Russia would do to the US in retaliation, or even what the exact sequence of events would need to be to prompt such an escalation. A 2018 report revealed the extent to which Russian threat groups had penetrated US utilities since 2016, finding that they had worked their way into “multiple organizations in the energy, nuclear, water, aviation, construction, and critical manufacturing sectors.” The US reportedly did the same ahead of Russia’s 2018 midterm elections, as a form of warning that the country was willing to “hack back” in response. Russia has already shut down power stations in other countries, including multiple times in Ukraine since 2016. However, those attacks have always been covered in at least a thin enough layer of plausible deniability that it is not completely obvious that Russia’s hacking teams carried them out.

Sam Curry, CSO of Cybereason, points out that this phenomenon could also work the same way but in the other direction: “The recent disruptions of railway service in Belarus means that the Ukraine situation is heating up. It wouldn’t surprise me if Belarus or Russia accuses the hacktivists of treason or of being American or Ukrainian partisans or that the countries accuse the group of being a cover for Western intelligence groups … seeing cyber used in this way to disrupt troop movement, to effect political change and specifically aimed at Russia is novel. How this plays out will affect how history views this in that a successful Russian invasion could include a cyber war component because most nations today regularly check its cyber resiliency. If an invasion doesn’t materialize, cyber politics or even hyped up claims of cyber terrorism could surface. What matters most is what happens next.”