Russian Troops Formally Enter Ukraine Raising Cybersecurity Risks
Given the developments in Ukraine, and the importance such developments have for international relations and cybersecurity, this brief will focus on Russia’s presence in Ukraine.
After weeks of escalation, Russia formally moved troops into Eastern Ukraine on Monday. Earlier, Vladimir Putin had recognized two breakaway regions as independent and ostensibly sent the troops in as “peacekeepers.” So far, the troops seem to be operating primarily in the Donbas region, the part of Eastern Ukraine where ethnic Russians or Russian-language speakers predominate.
The formal presence of Russian troops in eastern Ukraine is alarming, but is not a new invasion. The unacknowledged presence of Russian forces in Ukrainian territory was an open secret for several years. Formally recognizing the presence of Russian troops, and probably increasing their overall number, does change the dynamic internationally. Dislodging formal forces, especially those ostensibly on a peacekeeping mission, creates additional challenges.
The international conflict outside Ukraine is likely to play out online more than anywhere else. Already, countries are mobilizing to respond to Russian attacks. The US preemptively released a report accusing Russia of attacking US defense interests. Security experts are warning of increased threats from Russian groups, including unintentional ones. Some countries, including Australia, are mobilizing to assist Ukraine online.
It bears noting that, despite the shift in Russian posture, the previous week was relatively quiet on the cybersecurity front. I have so far seen no reports of significantly increased Russian attacks. It is possible that, because the ‘invasion’ was as much an open recognition of the ‘secret’ status quo, Russia felt no need to attack online in advance. It is also possible that attacks happened but have not yet been reported publicly, and that we will learn of them in the fullness of time. Finally, defenses could have worked, and any attacks that Russia carried out simply failed and therefore were not newsworthy.
While it is possible that attacks have gone unreported, it is equally possible that there has been no increase in attacks, and we may be able to draw inferences from their absence. Given the amount of information that western governments have leaked about Russian operations, it seems unlikely that cyberattacks would be the only kind of operation that wouldn’t be leaked. Even if western governments were unusually laconic about Russian cyberattacks on Ukraine, accidental spillover remains likely, and we would probably see that, too. If Russia is not attacking online, or is being especially careful about its online attacks, Russia could be trying to use its online behavior as a signal.
Selectively attacking online, or not attacking online at all, could be a signal that Russia is attempting to avoid additional escalation. Russia undoubtedly knows that many countries have mobilized cyberdefenses and might escalate online and offline if Russia attacks them. Limiting cyberattacks could be an attempt to prevent the conflict from spiraling out of control by expanding beyond Ukraine. Whether Russia is avoiding escalation out of fear that escalation would be unmanageable, or because it does not intend to invade the remainder of Ukraine, cannot be determined with the information we have.
Current Russian restraint does not imply future restraint. Readers should prepare their defenses. If online signals match real-world signals, there may be a way to resolve the conflict without further escalation, and hopefully international leadership will move quickly. Then again, no resolution may be forthcoming. Russian operations online are among the most destructive we have seen, and if Russia expands the war online it will affect many people.
Three recent operations indicate how Russian attacks may spread. First, during the initial war in Ukraine, Russian hackers released a worm called NotPetya in Ukraine, but it eventually spread worldwide. Second, Russian hackers employed exquisite and refined tools to break into the SolarWinds software supply chain. Third, a Russian ransomware gang was involved in the shutdown of the Colonial Pipeline in Pennsylvania. Russian hackers could soon accidentally or deliberately trigger similar problems if the Ukrainian conflict continues.