The United States and its Western allies are bracing for the possibility that a Russian invasion of Ukraine would have a ripple effect in cyberspace, even if Western entities are not initially the intended target.
“I am absolutely concerned,” U.S. Deputy Attorney General Lisa Monaco told the virtual Munich Cyber Security Conference on Thursday when asked about the chances of catastrophic spillover from a cyberattack on Ukraine.
“It’s not hypothetical,” Monaco said, pointing to the June 2017 “NotPetya” virus, engineered by Russia’s military intelligence service, the GRU.
The virus initially targeted a Ukrainian accounting website but went on to hobble companies around the world, including Danish shipping giant Maersk and U.S.-based FedEx.
“Companies of any size and of all sizes would be foolish not to be preparing right now,” Monaco said. “They need to be shields-up and really be on the most heightened level of alert.”
Monaco is not the first high-ranking U.S. official to warn that potential Russian actions in cyberspace might reverberate in unexpected ways.
“We’ve seen this play before,” U.S. National Cyber Director Chris Inglis warned a virtual audience earlier this month. Like Monaco, he alluded to the NotPetya attack: “It got out of its reservoir, so to speak, and it then eviscerated broad swaths of infrastructure across Europe and across the United States.”
U.S. Homeland Security Department officials said that for the moment, there were no specific or credible threats indicating an attack like NotPetya is about to be unleashed against the United States. But they said they were not taking any chances and were closely collaborating with Ukraine and other allies, just in case.
“We are all hands on deck,” Homeland Security Undersecretary Robert Silvers told the Munich Cyber Security Conference on Thursday.
“It’s no secret that Russia has proven itself willing to use cyber means to achieve its broader geopolitical objectives,” Silvers added, pointing to Russia’s attack on Ukraine’s energy grid in 2015.
Some officials remained concerned that Russian President Vladimir Putin would give the order to target countries beyond Ukraine as part of any military action against Ukraine.
“I don’t think Ukraine is his goal,” said Jaak Tarien, the director of NATO’s Cooperative Cyber Defense Center of Excellence in Estonia.
“Putin said in 2007 at the Munich Security Conference that he is sick and tired of the existing security architecture and he wants to change that, and he’s still at it,” Tarien told Thursday’s cybersecurity conference. His goal is “to get U.S. allies to fight amongst each other and disrupt our unity. So cyber is a really, really good way to do that.”
U.S. agencies are likewise worried that as tensions escalate, Russia may be tempted to ramp up cyber operations.
On Wednesday, the U.S. Cybersecurity and Infrastructure Security Agency, the FBI and the National Security Agency issued a joint advisory warning that Kremlin-linked actors might use a variety of techniques to target U.S. defense contractors.
Not all cyber experts are convinced Russia will resort to cyberattacks to hurt the West, even if the U.S. and its allies make good on promises to hit Moscow with severe economic sanctions.
“I don’t think that cyber [attacks] from state actors is going to be the first or the preferred mechanism for response,” Dmitri Alperovitch, the co-founder of the cybersecurity firm CrowdStrike, told the Munich Cyber Security Conference.
“Russia has enormous leverage in the economic sphere, even outside of cyber, to respond through export control measures, for example, on critical materials like aluminum and uranium and titanium and palladium and many other things that will do a lot to hurt the U.S. economy and the global economy,” he said.
Alperovitch also cautioned that Russia might be willing to let cybercriminals do the work instead, perhaps releasing a number of ransomware actors it has arrested in recent weeks.
“That would send an unmistakable, even unspoken message to the Russian cybercrime ecosystem that it’s open season on Western organizations,” he said.