Russia-Ukraine War: 7 Cybersecurity Lessons LearnedCybersecurity Czars Talk Cyber War, Hacktivists, Incident Response, Stress Testing
More than 75 days after Russia invaded Ukraine, what cybersecurity lessons should security leaders be learning from the conflict?
That question has been the focus of multiple presentations and discussions at this year's annual CyberUK conference, being held this week in Newport, Wales, organized by Britain's National Cyber Security Center.
At the conference, government officials responsible for intelligence and cybersecurity detailed seven key surprises as well as lessons to be learned from the ongoing conflict:
1. No 'Massive Cyber Campaign'
Russia's invasion is notable in part for what hasn't happened: any type of all-out onslaught online. "What we were expecting was a massive cyber campaign with more spillovers," said Juhan Lepassaar, executive director of the EU Agency of Cybersecurity, known as ENISA, in a Tuesday panel discussion alongside cybersecurity leaders from the Australian, U.S. and U.K. governments (see: Ukraine Fighting First-Ever 'Hybrid War' - Cyber Official).
"We've seen some of it - the attack against the satellite operator, which essentially spilled over to 20 European countries and affected about 10,000 end users," he said. "So yes, we've seen that, but we haven't seen a sustained effort."
Surprising no one, on Tuesday, the U.S., U.K. and EU formally attributed that attack against Viasat's KA-SAT satellite communications network on Feb. 24 to Russia. That was the same day the invasion of Ukraine ordered by Russian President Vladimir Putin began (see: US, UK, EU, Ukraine Attribute Viasat Cyberattack to Russia).
2. Hacktivists' Unexpected Appearance
One facet of the Russia-Ukraine war that seems to have surprised everyone is the part being played by hacktivism (see: Ukraine's 'IT Army' Call-Up: Don't Try This at Home).
"One aspect that took us by surprise … was the emergence of these cyber civil vigilantes, as we call them, and the scale of them," said Abigail Bradshaw, head of Australia's Cyber Security Center, which is part of the country's Signals Directorate.
By some reports, for example, 300,000 or more individuals have been backing one side or the other, in part via distributed denial-of-service attacks and leaking data. "On any one day, you might have 59 different groups on the side of Ukraine and 20-odd on the side of Russia; the numbers change on a day-by-day basis," she said. "But the public engagement in that cause by the actors, and the capacity for that to actually introduce extreme unpredictability and opportunities for spillover and actually for wrongful attribution - and retribution and escalation … in our world is, you know, highly problematic."
Likewise, Lepassaar said the surge in such "organized hacktivism … being channeled in this conflict" remains for him "a point of concern."
"Absolutely, and I think we'd share that view," said Lindy Cameron, CEO of NCSC, who moderated the Tuesday panel discussion. "We would like to see, frankly, people sticking within the rules."
Rob Joyce, director of the U.S. National Security Agency's Cybersecurity Directorate, highlighted further complications posed by hacktivism. "You want to sit back and root for the folks who are trying to do noble things," he said during the panel. "It is problematic," not least because the U.S. and allies are trying to be "good international citizens in the cyber arena," and asking their own people to behave properly.
Bradshaw said articulating acceptable behavior by nation-states and their supporters online remains essential. In particular, she advocated for "analyzing and calling out the new sorts of behaviors that break those global norms which we hold so dear," including not just hacktivism but also "the use of criminal actors to support state actions" (see: Beg, Borrow, Steal: Conti Leaks Reveal Ransomware Crossover).
3. Russia Targeting Critics Online
Russia continues to actively launch online attacks and disruptions, not least against foreign critics of Putin, Jeremy Fleming, director of Britain's security, intelligence and cyber agency, GCHQ, told CyberUK attendees (see: Five Eyes Warns of Russian Hacks on Critical Infrastructure).
"Perhaps the concept of a 'cyber war' was over-hyped," Fleming said in a keynote speech Tuesday. "But there's plenty of cyber about, including a range of activity we and partners have attributed to Russia. We've seen what looks like some spillover of activity affecting other countries. And we've seen indications that Russia's cyber operatives continue to look for targets in countries that oppose their actions."
4. Wiper Malware Attacks Continue
Russia has continued to directly target Ukraine infrastructure and critical infrastructure, including government agencies, banks and telecommunications providers, with online attacks. Those attacks have included DDoS disruptions and in some cases, wiper malware designed to leave infected systems inoperable.
"I can think of at least eight unique variants of wipers that have been deployed against Ukraine," the NSA's Joyce said. "And they've responded, kept their systems up, rebuilt their systems."
Thankfully, none of these strains of wiper malware appear to have wormlike capabilities or to have escaped Ukrainian networks, meaning that at least so far, there's been no repeat of Russia's devastating 2017 NotPetya wiper malware attack.
5. Plan, Practice, Repeat
Joyce said Ukraine's ability to resist repeated Russian efforts to destroy its systems isn't happenstance. "One of the things they've done is, they have emergency plans, having been under pressure for years," he said. "It hasn't been just this crisis, but they have been able to practice and they understand what good incident response is, and they're able to then recover."
Accordingly, he said, "having a practice plan, as well as the recovery plan, is a really vital lesson we should all take."
"Certainly that's one of the lessons I'd love that the public learn from this, is that you don't need to be passive in response to this," the NCSC's Cameron said. "Actually, there's stuff that you can do. Please get on with it as fast as possible."
This is the very definition of being "active in your own cyber defense," she added. "It's a really important lesson to people that even in the face of a semi-significant state adversary that you don't need to freeze in the headlamps. So … it's a great lesson to take away, and it's been very impressive. We also been very proud to be to be assisting Ukrainians."
6. Focus on Resilience
Another way to view Ukraine's seemingly successful cybersecurity strategy is that the country has been continuing to focus on refining its resilience. Of course, Ukraine is not alone in this regard, with the U.S., U.K., EU and others also focusing much more on ensuring that both the public and private sectors are in a better position to repel cybercrime and nation-state attacks outright, as well as to recover when attacks do get through (see: Incident Response: Best Practices in the Age of Ransomware).
"Raising resilience and doubling down on our collective approach is key to long-term success," GCHQ's Fleming said.
What does this entail? "Investing time, energy and resources in getting the basics right," he said. "Ensuring you understand the technology you use, following best practice to make it is as resilient as possible, and being alive to the shifting threat and how to defend against it."
7. Think 'Stress Testing'
When honing incident response plans, ENISA's Lepassaar suggested organizations also simulate a variety of adverse situations (see: Hybrid War: 'It's Going to Get a Lot Worse').
"It pays off, stress-testing yourself. I mean, the Ukrainians have been stress testing involuntarily since 2014. I don't think that we need to emulate that in our systems," he said.
But one recommended course of action for governments is to develop a framework or plan "where you regularly stress-test the most critical elements or infrastructure sectors in your society," backed by incentives to drive more industries to do this themselves, Lepassaar said.
"I know the U.K. has done great work with the telecom service providers here, and I think this is something that we should really try to replicate across different critical sectors," he said.