With Russia’s invasion of Ukraine dragging on, the escalation of the conflict into major cyberattacks is growing ever more likely, experts warned Friday in a webinar hosted by SANS — and the war could reach places cyber professionals never anticipated.
The attack by Russian forces against Ukraine’s Zaporizhzhia nuclear power plant served as the backdrop for the group’s discussion, as it was occurring at the same time as the webinar. Fighting began near the plant on Thursday, sparking warnings about radiation leaks that were only heightened when a building at the facility caught fire during the shooting. Russian troops have since brought the plant’s staff under their control and cut off internet access to the site. The International Atomic Energy Agency said Sunday that it was “extremely concerned” about the potential for “undue pressure” on operators at the facility.
Though the Zaporizhzhia situation involved a physical attack rather than one in cyberspace, Robert M. Lee, CEO of cybersecurity firm Dragos, used the fighting to illustrate the unpredictable nature of warfare. He pointed out that “targeting a nuclear power plant is a war crime [and] insane under any discussion”; nevertheless, Russia did so. The lesson for cyber professionals is that attackers don’t necessarily share their victim’s assessment of which infrastructure — be it schools, hospitals or nuclear plants — should be beyond the pale as a legitimate target.
“One of the things that I’ve said in my classes over the years … is [that] we get to control pretty much everything on the defensive side. We get to … define the layout, define the scale, define the plan … we get everything,” Lee said. “Defense is doable, and defense has the upper hand in many ways, [but] one thing you don’t get to decide is if the adversary thinks you’re a good target or not.”
Not Just a Problem for Ukraine
Targets in a potential Russian cyberoffensive could include critical infrastructure not just in Ukraine, but in its allies’ territories. Panelists reminded listeners that such an offensive would not be out of character for Russia’s military intelligence service, which has been linked to attacks against Ukraine’s power grid in 2015 and 2016, in addition to the NotPetya malware that spread beyond its targets in Ukraine to companies around the world, including in the U.S. (See Six Russians Charged for Ukraine Cyberattacks.)
The fact that Russia has long been known to have these capabilities has left many experts confused as to why they haven’t been deployed in the current conflict. (See Experts Warn Cyberwar Still Possible.) Paul N. Stockton, former assistant secretary of defense for homeland defense, said U.S. officials had assumed that weakening an enemy’s infrastructure would be a top priority for Russia in any conflict and had seen Ukraine as a “laboratory” for testing its latest disruptive tools.
“We have a dog that did not bark in the night here. It’s very peculiar from my perspective that we haven’t seen large-scale, sophisticated cyberattacks in conjunction with the physical attacks that have been underway,” Stockton said. “A key component of new generation warfare, as it’s been described by Russian military documents, is to employ devastating cyberattacks early in a conflict to disrupt the adversary’s command-and-control and potentially critical infrastructure essential to the functioning of the victim nation.”
Experts have speculated that Russia has held back its most sophisticated cyber capabilities so far because the country’s leaders feel they can prevail against Ukraine without exposing their most potent weapons to foreign intelligence. Stockton and his fellow panelists agreed that this is the most likely explanation, but there is no guarantee this condition will continue — particularly if Russia’s conventional forces seem unable to get the job done and President Vladimir Putin seeks to avoid an embarrassing military defeat.
Prior Preparation Essential
In light of the unpredictable situation, Stockton said U.S. critical infrastructure operators should be prepared for a potential strike to weaken the U.S. and divert attention from Ukraine. First, he said, in the event of a large-scale attack, utilities should immediately “stop downloading software updates from the cloud,” a reference to Russia’s hacked version of the SolarWinds Orion cloud management software that was spread to thousands of organizations worldwide through a compromised update server.
Next he advised that any attacks against U.S. industrial control systems should be considered part of a sustained campaign, not “one and done.” In other words, while an initial attack might target gas pipelines or water utilities rather than the power grid, that does not mean that cyber professionals at electric utilities can relax; they might still be targeted in subsequent waves.
Finally, though it may be a bitter pill for hardworking security staff to swallow, utilities must assume that their systems are already compromised and that the adversaries are inside. If this assumption is not part of the planning process, it may be hard to fully eliminate any intruders.
“They’re going to be training inside our systems, exploiting persistent access,” Stockton said. “And that, I want to emphasize, not only applies to the initial attacks, but efforts to restore functionality. It’s going to be utterly unlike dealing with hurricanes or other natural incidents; they’re going to be inside our restoration efforts.”