Ukraine’s government warned of Russia’s planned massive cyber attacks against critical infrastructure facilities, especially the energy sector.
The advisory warns that the cyber attacks aim to supplement the effect of missile strikes on electricity supply facilities, primarily in the eastern and southern regions of Ukraine.
The advisory states that Russia hopes the attacks would slow down Kyiv’s counteroffensive operations, which saw Russia lose significant ground in the occupied territories.
The warning also coincides with Russia’s mobilization of 300,000 troops to fight in the “special operation” that began in February.
Russia targets the critical infrastructure of Ukraine’s allies
Ukraine’s Ministry of Defense added that Moscow would increase distributed denial of service (DDoS) attacks against the critical infrastructure of Ukraine’s allies, such as Poland and the Baltic states.
Hackers affiliated with the Russian military have carried out over 200 cyber attacks on Ukraine since the start of the Russian invasion. While most Russian cyber attacks failed to produce the desired effect, at least 40 had destructive impacts on critical services.
NATO members such as Estonia, Lithuania, and Montenegro have also experienced Russian cyber attacks since the beginning of the invasion.
Experts believe that cyber attacks on Ukraine’s allies remain Russia’s preferred way of responding to their continued support for its southwestern neighbor without risking direct military confrontation.
So far, Russia’s cyber attacks outside Ukraine have largely been restrained and isolated, and many have been repelled. The latest Ukrainian warning, however, suggests that this is about to change.
A repeat of the 2015/16 massive cyber attacks
Ukraine’s Ministry of Defense intelligence agency believes Russia will apply the lessons of the 2015/16 massive cyberattacks.
“First of all, [the] attacks will be aimed at enterprises in the energy sector,” the Ukrainian government warned. “The experience of cyberattacks on Ukraine’s energy systems in 2015 and 2016 will be used when conducting operations.”
The 2015 and 2016 attacks on Ukraine’s power grid were attributed to the Russian advanced persistent threat (APT) actor Sandworm, which operates within the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).
In those attacks, Russia deployed highly potent malware such as BlackEnergy and KillDisk in 2015 and Industroyer in 2016. Since the current invasion began, CERT-UA has already identified Industroyer2, a successor to Industroyer, targeting Ukrainian critical infrastructure entities.
Josh Lospinoso, Co-founder and CEO of Shift5, questioned Russia’s ability to execute more effective cyber attacks than previously witnessed. “It is unlikely that Russian hackers have any new tools or tricks to launch more effective cyberattacks against Ukraine,” he said.
Citing Ukraine’s previous successful attempts in warding off Russian cyber terrorism, the Shift5 co-founder impugned the source’s credibility, “Russia is having more success with missiles through the air than attacks on the internet, so the idea of Russia putting more energy behind cyberattacks does not compute.”
Cyber attacks could trigger a military response
The FBI and CISA warned that Russian industrial malware could spill to other countries, producing unintended consequences and escalating the conflict.
In July, U.S. President Joe Biden warned that disruptive cyber attacks against critical infrastructure could trigger a military response.
NATO had also warned that “malicious cumulative cyber activities” could invoke Article 5.
“Geopolitical tension has reached a tipping point,” said Tom Kellermann, CISM, senior vice president of cyber strategy at Contrast Security. “Just hours after the Ukrainian warning about attacks against critical infrastructure, Russia sabotaged the gas pipeline to Europe last night.”
Kellermann suggested that the “gloves are off” and predicted a “dramatic escalation” with more destructive cyber attacks against critical western infrastructure.
Kellermann added: “Cybersecurity teams must test their backups, expand threat hunting for groups like Sandworm, APT28, Gamaredon and APT29, apply micro segmentation and apply runtime protection across their applications.”
So far, Russia’s cyber attacks on third parties to the conflict have not evoked a strong response from any country.
Lospinoso suggested that Ukraine was fishing for an international response by publishing this information.
“Ukraine’s warning of cyberattacks against Poland is especially interesting, and likely the impetus behind this disclosure. An attack against a NATO country will require an international response, so it seems the primary reason for releasing this information is to sharpen international resolve.”
The Shift5 CEO warned against disclosing such information, arguing that it could compromise future intelligence gathering missions.
“The intelligence community is always considering how intel gain or loss will impact long-term operations – Ukraine is potentially tipping its hand and losing whatever access to or advantage against Russian intelligence which provided this information.”