Are U.S. Cyber Defenders Prepared For Russian Attacks Over Ukraine?

Published on April 20th, 2022


The private sector is better equipped to handle cyber attacks than it was a few years ago.



About the author: Sandra Joyce is the executive vice president and head of global intelligence at Mandiant, a cybersecurity firm.

As the crisis in Ukraine has devolved into a full invasion by the Russian military—and the United States, alongside international partners, has begun responding to this aggression—many are rightfully wondering what we might anticipate with respect to cyber attacks in this next phase of the conflict. Facing the prospect of a continued military campaign by Russia, what could escalation in cyberspace look like, and how ready is the private sector to deal with potential attacks? While Russia’s cyber capabilities are well known and should be taken seriously, the last several years of constant ransomware attacks have made the private sector more resilient in facing this crisis.

In both the run-up to the invasion and in the early days of the conflict to date, we have witnessed suspected Russian disinformation campaigns and intrusions by cyber espionage groups against Ukrainian targets. There have also been more destructive attacks, such as the use of wiper malware that can erase data and corrupt systems. Some of these attacks have been coupled with a psychological component designed to wear down a target’s resistance. In the case of distributed denial of service attacks on Ukrainian banks—where a massive amount of malicious traffic was generated to overwhelm and crash bank websites—customers were also sent fabricated text messages about ATM outages, to further enhance the effect of the attack by stoking panic. As cybersecurity professionals, we continue to watch for novel techniques or changes in targeting from both known Russian threat actors and the addition of newer groups.

Many are now wondering if the cyber front of this conflict will escalate beyond Ukraine’s borders. Across the public and private sector, the mantra of “shields up” is being echoed, highlighting the necessity for organizations to be prepared for cyber attacks. Of particular concern are organizations that could be linked to those being sanctioned in Russia, especially in financial services and energy. Differentiating between cyber espionage and destructive cyber attacks will be particularly important in the days ahead. Russia will likely continue to employ the former outside Ukraine to ascertain future policy responses to its actions. 





The cybersecurity community is particularly on alert for known Russian threat actors—such as Sandworm Team—that have a history of carrying out attacks. Given that intrusions for the purposes of cyber destruction can often start by looking like intrusions for the purposes of cyber espionage, it is important we are careful in our analysis. Rapid information sharing is important, but so is cautious analysis in how we interpret incidents in a chaotic environment. Remember, ransomware campaigns by criminals and operations by other nation state actors have continued throughout this conflict.

But there is cause for some optimism. Addressing constant Russian cyber aggression over the last several years has put the private sector in a better position to weather disruptive attacks. Many of the technical hardening steps organizations can take in preparation for destructive Russian cyber attacks are best practices for preparing against ransomware. For example, adding additional protection for privileged user accounts or implementing firewall policies that make it more difficult for an attacker to move laterally to additional workstations in a network can limit damage even if adversaries gain an initial foothold in an organization’s environment. It is also important to note that lessons learned from fighting ransomware have gone beyond just best practices for technical preventative steps. New strategies can also include crisis management, tabletop exercises, intelligence sharing, and partnership building across sectors.

And it is not just the challenge of addressing ransomware that has made us more resilient. Learning from the experiences of our collective response to destructive attacks, like NotPetya in 2017, has helped create models for how to respond to threats that impact our supply chains. Understanding patterns and themes of historical disinformation from Russia has also better positioned us to rapidly respond to and call out potential information operations that seek to divide alliances. 

We must always prepare for the unknown, including the likelihood that Russian adversaries already have a foothold inside some critical infrastructure networks in the West. It is important to also keep in mind the psychological effect that often is a parallel goal of cyber attacks. An approach that focuses efforts on containing damage and restarting operations as soon as feasible can ensure some resiliency and limit systemic risk in an industry or sector.  

Over the years we have collectively invested substantial resources toward understanding the threat posed by aggressive Russian cyber operations, and toward communicating those observed tactics, techniques, and procedures across the public and private sectors globally. Organizations that have implemented security strategies to deal with impacts to their operations from ransomware are better prepared to respond to the threats we currently face from Russia. While there is a temptation to surge resources around this crisis in the anticipation of activity, we must also approach this as a marathon, not a sprint. Burnout among cyber defenders can be equally dangerous and further compound existing problems. 

Preparedness, not panic, is our collective call to action.

Guest commentaries like this one are written by authors outside the Barron’s and MarketWatch newsroom. They reflect the perspective and opinions of the authors. Submit commentary proposals and other feedback to ideas@barrons.com.
