Why has the conflict in Ukraine not caused the much anticipated global cyber-meltdown?
New York City’s 8.4 million residents are in darkness after an audacious nation-state cyberattack took out the city’s power grid, causing untold chaos with stock markets around the world collapsing. In retaliation against the perpetrators, the US unleashes a series of cyberattacks on the water and sewage systems in Moscow, reversing the pumping systems causing excrement to overflow in homes, businesses and out on to the streets.
Imagine this unlikely scenario where one side or the other starts lobbing zero-day grenades at the other side’s tech, causing them to send several of their own zero-day missiles back. And this then becomes far more complicated if a third party to the conflict, supporting one side or another attempts to assist by launching their own zero-day warhead. Is this the scenario that is the reason we have not seen either side unleash global cyber-chaos?
When Russia attacked Ukraine, it started a series of alerts from government agencies and cybersecurity organizations setting an expectation of some form of devastating cyberattack on Ukraine and possibly on those supporting Ukraine.
The messages keep coming: on March 21st, 2022, the White House issued a Statement by President Biden on our Nation’s Cybersecurity, warning that there is the potential of malicious cyberactivity against the United States by Russia in response to the economic sanctions that have been imposed by western governments.
These messages continue to disseminate, suggesting maintaining vigilance and ensuring that there are no weaknesses in existing operations and practices. The advice is especially targeted at organizations and businesses that fall into the critical infrastructure category, where disruption causes uncertainty and potential chaos, as witnessed when Colonial Pipeline suffered a ransomware attack in 2021, and in the BlackEnergy and Industroyer attacks on Ukrainian power facilities in 2015 and 2016, respectively.
There is and has been for several years, without any doubt, an increase in malicious cyberattack activity against critical infrastructure. According to government agencies such as the United States Cybersecurity & Infrastructure Agency (CISA), “In 2021, cybersecurity authorities in the United States, Australia and United Kingdom observed an increase in sophisticated, high-impact ransomware incidents against critical infrastructure organizations globally”. The monetization of cybercrime, fueled by the ease of anonymized cryptocurrency payments, has caused an unprecedented opportunity that cybercriminals continue to exploit in order to make money.
Confirming attribution of cyberattacks is complex, especially when there are often multiple parties involved: the author, the service provider, the attacker, the operators, etc. The cyberattacks that are taking place during the conflict in Ukraine are no different and are difficult to attribute to any party. However, it does appear that most of the cyberattacks reported, and potentially attributable to the conflict, to date, are limited, targeted, and focused on those directly in the war zone or in the communications sector. Even the discovery, by ESET researchers, of malicious data-wiping malware – such as HermeticWiper, IsaacWiper and CaddyWiper targeting devices in Ukraine – cannot, at present, be attributed to any party.
Any cyberattack, especially if it has the resources and intelligence assets of a state actor behind it, could cause untold damage not only on its target but also to those not directly involved. History has demonstrated that cyberweapons, such as zero-day vulnerabilities or destructive malware, can fall into the wrong hands even during the world’s more peaceful moments.
In 2017, the leak of the US National Security Agency’s (NSA) hacking tools, which included EternalBlue, presented a method of initial compromise subsequently utilized by WannaCryptor (aka WannaCry), NotPetya, and BadRabbit ransomware causing over US$1 billion worth of damages in over 65 countries. The zero-day vulnerability, EternalBlue, had been in the hands of the NSA for over five years before a breach forced them to disclose its existence to Microsoft.
Nicole Perlroth’s book, This Is How They Tell Me the World Ends: The Cyberweapons Arms Race, published in February 2021, documents how governments are the major clients of the zero-day market. For many readers it may be shocking that this book, documenting a thriving underground market for zero-day exploits and vulnerabilities, exists, but to many others it is likely less surprising, even the fact governments are the main customers in this underground marketplace.
There have been incidents, such as Stuxnet and the SolarWinds supply-chain attack, that demonstrate the power a sophisticated cyberattack can have – one destroying nuclear facilities in Iran and the other seeing data exfiltration from potentially thousands of infested systems in government agencies and corporations around the world. In comparison to the cost of conventional weapons, acquiring the ability to launch a cyberattack is relatively cheap and also very difficult to attribute, making any attack very deniable, unlike a war on the ground.
The fact that all sides possess the ability and could be motivated to launch a cyberattack of untold potential, should they choose to, may be creating a ‘cyber-deterrent’, in the same way we refer to nuclear weapons of mass destruction as a ‘nuclear deterrent’. It is unlikely we will see cyberweapon peace campaigners or calls for ‘cyberweapon disarmament’ of the stockpiled, zero-day arsenals any time soon, but I hope one day we do. The internet should never be weaponized to cause mass destruction.
As a closing comment, while there appears to have been no major devastating cyberattack on critical infrastructure by either side in the Ukraine conflict it does not mean there will not be, nor that it will not spread uncontrollably to other, uninvolved nations.