As the fighting in Ukraine escalates and it looks like Russia won't have the quick and easy victory it anticipated, the war is already having spill-over effects.
In the physical world, that means a flood of refugees escaping the conflict and its economic effects such as spikes in oil prices. A lot of the damage is to Russia itself, with harsh economic sanctions putting its financial system under extreme strain.
In the cyber arena, most of the damage so far has been inside Ukraine and, in retaliation, there have been some nuisance attacks against Russian targets. But that is likely to change, especially as Europe, the US, and other countries step up their sanctions against Russia.
"I fully expect there will be more cyberattacks against Ukraine, and that it will spill over," said Rahul Telang, professor of information systems at Carnegie Mellon University's Heinz College. "If the US takes steps against Russian financial interests, you cannot deny that something like that can happen."
Russia has a long history of using cyber attacks against its enemies. In 2007, Russian hackers disabled Estonia's Internet and launched Denial of Service attacks on government offices and financial institutions – all because the country wanted to move a World War II memorial.
The following year, Russia attacked the Internet in Georgia, a former Soviet republic. The attack was timed to correspond with a physical invasion by Russian troops.
In 2009, Russian attackers took down Internet service providers in Kyrgyzstan in order to pressure the country to evict a US military base.
In 2014, cyber attacks briefly took down the country's election system. Soon after, when Russia seized Crimea, a massive denial of service attack took down the Ukrainian internet.
The following year, Russia expanded the targeting of these attacks. First, there was the hack of the Democratic party computers, as well as attacks on government computers in Germany and the Netherlands.
The most globally damaging attack was NotPetya. It started with malware planted in a software update for an accounting system popular in Ukraine – a similar tactic to the one that Russia used with SolarWinds in 2020.
But the NotPetya malware wasn't just a backdoor, like the SolarWinds hack, but a self-propagating worm that spread quickly beyond the country’s borders.
At first, NotPetya was mistaken for ransomware, similar to the North Korean worm WannaCry. But rather than encrypting files and making people pay ransom to get them back, NotPetya simply destroyed them. It did an estimated $10 billion worth of damage, including more than $1.4 billion to pharmaceutical giant Merck, $300 million to shipping conglomerate Maersk, and $100 million to Mondelez International, the company that makes Oreos and Triscuits.
Mondelez is still in court, trying to get its insurance company to pay up. The insurer, Zurich, claims that the attack falls under the "warlike action" exclusion and refuses to cover the damages.
State-sponsored hackers haven't been idle since, with the recent SolarWinds attack hitting major enterprises and government agencies around the globe.
Meanwhile, Russian cybercriminals have been stepping up their activity. Cybercrime gangs, operating with near impunity from within Russia, launched ransomware attacks of unprecedented scale over the last couple of years.
The cyberwar began before the troops rolled in
This year, the Internet became the first front of the war in Ukraine, with destructive malware called WhisperGate that first appeared on Ukrainian government computers on January 13.
Like NotPetya, it was thinly disguised as ransomware, but didn't have any mechanisms to actually pay a ransom and get the files back. The purpose was pure destruction. Microsoft reported the malware on January 15.
On February 23, another data-wiping malware was discovered, called HermeticWiper. According to the ESET researchers who discovered it, it had been compiled back in December.
Meanwhile, Russian attackers were hitting Ukrainian systems with denial of service attacks.
On Saturday, CISA issued a joint alert with the FBI warning organizations against the threats posed by both WhisperGate and HermeticWiper.
"Further disruptive cyberattacks against organizations in Ukraine are likely to occur and may unintentionally spill over to organizations in other countries," the agencies said.
The alert provided detailed guidance for identifying and mitigating these attacks.
Global tech giants such as Microsoft, Facebook, and Twitter, as well as others, have stepped up to help secure systems and user accounts under attack by Russian forces.
Meanwhile, Russia has its own allies. Belarus has been pitching in, both military, and on the cyber front.
So did one of the Russian ransomware gangs. Last Friday, one of the bigger outfits, dubbed Conti, officially announced full support for the Russian government.
"If anybody will decide to organize a cyberattack or any war activities against Russia, we are going to use all our possible resources to strike back at the critical infrastructures of an enemy," the team announced, according to threat analyst Brett Callow.
The move backfired. Two days later, we saw a leak of a years' worth of chat logs – more than 60,000 messages total – between the criminals, including chats that show a chain of command linking Conti to Russian intelligence agencies.
This is the same group that hit Ireland's health service last May, costing the organization $48 million to clean up.
Meanwhile, the Ukrainian government has called on hackers around the world to defend it, and many have already done so.
Various groups have attacked Russian media websites, including state-owned news agency TASS. Hackers claiming to represent Anonymous broke into maritime tracking data and changed the name of Putin's $97-million yacht to "FCKPTN."
So far, none of the cyberattacks, by either side, have been particularly damaging. As of Monday night, Ukraine's Internet and other critical infrastructure is still functioning.
This could be because the country is more prepared and has a lot of international help. Or it could be that the Russians haven't unleashed the big guns yet.
What's next?
According to CISA, there are no current specific cyber threats against the United States. But that may change, especially as the US and its allies continue to impose sanctions on Russia.
"Every organization—large and small—must be prepared to respond to disruptive cyber activity," the agency said on its new "Shields Up" website.
The site offers technical guidance for defending against Russian attacks, best practices for both security teams and recommendations for corporate leaders and CEOs, and free tools and services.
One of those free services is a free weekly automated vulnerability scan from CISA. CISA also offers free phishing assessments, a remote penetration test, and many other tools, services and resources from both CISA and partner organizations, including Microsoft, Google, IBM, Cloudflare, Mandiant, and many others.
Many organizations have also put together lists of steps that companies can take to protect themselves.
Forrester, for example, has a set of recommendations on how to prepare for the cybersecurity effects of the war in Ukraine.
The exact steps that companies need to take, and how soon, depend on location and industry.
"If you’re based in the Ukraine, be prepared for the worst," said Nate Beach-Westmoreland, head of strategic cyber threat intelligence at Booz Allen Hamilton. "Anything can happen."
Companies based elsewhere but that have operations in Ukraine should have network segmentation in place, to protect themselves from another NotPetya type of attack.
"You don’t want a worm to come back to your systems," he said. "And if you are in a critical infrastructure sector or defense sector in Europe, the US or another country that has taken a confrontational relationship with Russia, make sure you are getting threat intelligence."
Organizations related to defense or critical infrastructure should also organize preventative activities, run hunts and red team exercises.
"It's also useful to do war gaming at the executive level to figure out how your organization will respond if a catastrophic situation would occur."
Smaller companies also have to be on alert. And not just because they might be collateral damage victims, as in the case of NotPetya.
"I'd almost argue that the number one targets have less to worry about," said Nathan Fisher, managing director at StoneTurn, a global advisory firm. "For Putin to cross the red line and go after traditional critical infrastructure, that is a dastardly move that will not be ignored, so they might want to focus on second and third-level targets."
Even if Russia goes after American critical infrastructure with a significant and damaging attack, it won't help them in their battle in Ukraine, Fisher said.
"And it would be impossible for the US and its allies to ignore that kind of provocation," he added.
If an attack does occur, companies should be aware of the latest indicators of compromise and be ready to identify Russian attack patterns.
This is important not just because of the need to share attack details with authorities, but also because an advanced attack by a Russian government group is going to be different from one by an activist, business rival, or criminal gang.
"It matters what type of attack it is," said Karthik Kannan, CEO at Anvilogic, a cybersecurity firm.
A website defacement, or a DDoS attack, could be the end goal for some groups. But if a Russian state agency is behind it, it could be a distraction from something far more insidious.
"We need to identify and label them," Kannan said. "It helps us in mitigation procedures, and it helps to warn the rest of the community."
To do this, cybersecurity managers need to step up their game. It could be attention training for employees or additional hires with cybersecurity skills. It could also be a managed services provider, or new technology for security operations centers.
"A lot of SOCs are legacy and we need to get more proactive," he said.
Another option is AI-powered systems that automatically detect malicious activity and look for indicators of compromise from advanced threat actors.
"This is the right time to ask for a budget increase if I were a security person," Kannan added.
Teaching moment for cybersecurity
With Ukraine all over the news, this is a good opportunity for companies to run anti-phishing training or other cybersecurity drills.
Organizations that might have been reluctant to inconvenience their employees or executives in the past may be more motivated now, said Carnegie Mellon's Telang.
"You can do some drills," he said. "If something goes down, how do we get it back?"
It's also an opportunity to impose some security restrictions that may have been a harder sell in the past, he said.
That includes better password protocols, password managers and two-factor authentication, said Adam K. Levin, founder of cybersecurity firm Cyberscout and co-host of the "What the Hack with Adam Levin" podcast.
"Organizations have to create a culture of privacy and security," he said. "And you have to foster an environment where if people click on the wrong link they shouldn’t be afraid to come and say something."
This is also a good time to line up outside help, if a company hasn't done that already.
"It should be a team effort," Levin said. "People say 'I can handle it all in house' — those are famous last words. I don’t care what it costs you to get outside assistance. That’s nothing compared to what it’s going to cost you if Russia – or China or Iraq – gets into your systems. That could be an extinction-level event for your organization."
Even in the unlikely event that a peace deal is reached quickly, or Russia pulls out of Ukraine entirely, cyber attacks aren't about to disappear.
"This is not going to go away any time soon," said Stan Golubchik, CEO at ContraForce, a cybersecurity firm. "We know that these threats, especially from nation-state actors, are going to become more sophisticated. Now warfare is not just boots on the ground. It's become hybrid. The fifth dimension of warfare is cyber and it's only going to become more prevalent."
