7 August 2022

The Risk of Russian Cyber Retaliation for the United States Sending Rockets to Ukraine


For months President Biden and his administration have warned of possible Russian cyberattacks against American infrastructure. On March 21, Biden urged American business leaders to harden their companies’ cyber defenses immediately. He said Russian President Putin is “likely to use cyberattacks as a form of retaliation” for U.S. actions to counter the Russian invasion into Ukraine. His alarm followed an FBI advisory that hackers with Russian internet addresses were scanning the networks of five U.S. energy companies. On April 18, U.S. officials ramped up warnings that Russian state actors are “looking for weaknesses in our systems.” Even though evolving intelligence indicates Russian planning for cyberattacks, none yet have emerged on American soil.

The U.S. provision of long-range rocket systems to Ukraine will not trigger a catastrophic campaign of Russian cyberattacks against American critical infrastructure, as long as Ukraine continues to only use the systems within its own territory. The reality is that the latest weapons transfers are not a significant escalation and will not lead Russia to expand its cyberattacks. Russian threat actors are devoting most of their resources to defending networks within their own country and attacking Ukrainian networks, and devoting resources to attacking the West would distract from the core Russian objective of capturing Ukrainian territory. This combination of Russian cyber priorities and the similarity between current weapons shipments and previous ones combine to ensure that Russia will not retaliate against the United States through cyberspace for providing rockets to Ukraine.

In late May, Ukrainian President Zelenskyy pleaded for the United States to provide the Multiple Launch Rocket System (MLRS) as a game changer in the war. The weapon system can launch rockets more than 185 miles. A prominent Russian television host said on the state network Rossiya-1, “if the Americans do this, they will clearly cross a red line, and we will record an attempt to provoke a very harsh response from Russia.” After considering National Security Council concerns of escalating the war, President Biden stated, “We are not going to send to Ukraine rocket systems that strike into Russia.”

Instead, the United States is sending a much shorter-range system, the High Mobility Artillery Rocket System (HIMARS), that has a range of around 45 miles. In response, Putin has threatened to strike new targets in Ukraine. Putin says “this is nothing new. It doesn’t change anything in essence,” since the U.S. missile’s range is the same as Soviet-made missiles that Ukraine already had. His conclusion might change if Russian forces take substantial losses or if a Ukrainian ask for sixty launchers is granted, instead of the four already dispatched by the Pentagon. Russian Foreign Minister Lavrov alleges Ukraine will strike targets inside Russia, even though U.S. officials received assurances from Ukraine they will use the systems only within its territory. A close Putin ally warns Moscow could target western cities if Russia is hit with U.S. rockets.

U.S. security agencies have provided cybersecurity advisories for organizations to better understand Russian state-sponsored cyber threats to U.S. critical infrastructure. They illuminate the speed, scale, and sophistication of Russian cyber operations. One of their historic examples of high-profile cyber activity publicly attributed to Russian cyber actors is a multi-stage intrusion campaign that gained remote access to U.S. energy sector networks. The Russians compromised dozens of utilities and got to the point where they could have thrown switches to shut off power. In April, Russian military hackers tried to knock out power to millions of Ukrainians. They penetrated grid networks and uploaded malware named Industroyer2, an upgraded version of malware used in a 2016 attack that caused blackouts in Kyiv. The malware was programmed to activate on a Friday night as citizens came home from work.

At least seven Russian aligned cyber threat groups have conducted destructive attacks and espionage operations in Ukraine in support of Russian military goals. Microsoft reports those with known or suspected ties to Russian military intelligence have used destructive wiper malware or similar tools on select Ukrainian networks “at a pace of two to three incidents a week” since the beginning of the invasion. More than 40 percent of the destructive attacks are targeted against critical infrastructure organizations. In total, the different Kremlin-linked hacking groups have conducted almost 240 cyber operations against Ukraine targets. The scope is broader than perceived from media outlet reports and represents potential saturation of Russian cyber capabilities. Particularity considering the magnitude of the Ukrainian defense that could be tying down the groups. John Hultquist, a vice president at Mandiant states, “defenders [in Ukraine] are very aggressive and very good at confronting Russian actors.”

Russian groups have demonstrated the capability to damage U.S. critical infrastructure even before the current conflict in Ukraine. The Russian-based criminal group DarkSide reduced the flow of fuel to the U.S. east coast when it infected Colonial Pipeline with ransomware and forced the company to shut down part of its network. In February, the Black Cat group, a suspected rebrand of DarkSide, followed suit with ransomware attacks on seventeen European oil port terminals. Perhaps most concerningly, last month the Cybersecurity and Infrastructure Security Agency (CISA) warned about industrial control system malware, dubbed PIPEDREAM, which could be used to disable liquid natural gas facilities. President Putin has waged a relentless cyber campaign against Ukraine, but so far, its effects have not stretched beyond Ukraine’s borders.

There are several reasons why cyberwar has not spread to the West. Some Ukrainian officials believe that Russia’s best government sponsored hackers may be occupied defending their nation from attacks on its networks by activists or other hackers. Shortly after the invasion, Ukraine formed an IT Army, a loose band of citizens and foreign hackers that are directed by government officials, but not officially part of the government. The volunteers are attacking key Russian and Belarusian websites with distributed denial of service (DDoS) attacks, exposing data on high-ranking officials and agencies, and launching wiper attacks against Russian networks and systems. Adding to the pressure, the international hacking collective Anonymous has declared cyber war against the Russian government, further stressing website and database defenses. The Russians would have to shift priorities to attack U.S. critical infrastructure by cyber means, which takes time to prepare and penetrate networks and uses advanced tactics that are necessary to evade detection. Only a significant escalation in the war, such as devastating attacks by U.S.-supplied rockets against their homeland, would likely merit a shift from Russian nation state cyber operators toward the United States.

Absent significant strikes in Russian territory, U.S. shipments of HIMARS are unlikely to shift the thinking of the Russian leadership towards attacking the United States through cyberspace. This is not to say that the Russians do not pose a threat to the United States, they clearly do, or that future decisions or circumstances will not induce them to turn toward a more offensive strategy. Russian threat actors certainly have the capability to escalate, either by integrating criminal hackers or pivoting away from defense of their home networks. However, despite concerns about escalation, the provision of HIMARS and similar rocket systems are not enough of a change from previous arms deliveries to trigger a shift in Russian thinking on cyberattacks against the West.

No comments: