Are WE There Yet?

Thoughts on what the future holds amidst the Russian-Ukrainian Crisis

CYE (CYESEC)
May 9, 2022


A month into the war between Russia and Ukraine, we heard a lot about Russia’s activity in the cyber domain. One of the central elements was the use of wipers, ransomware, and DDoS attacks against Ukrainian entities long before the first shot was even fired. This, of course, caused much debate amongst both academics and colleagues in the cyber intelligence industry. What that debate established is that our perception of Russian conduct is inherently different.

So, what have we seen against the West so far?

Aside from US reports of ransomware against oil and gas companies prior to the outbreak of the war, we also saw the FBI publish full reports of IOCs (Indicators of Compromise). These IOCs focused on Russian TTPs (Tactics, Techniques and Procedures) and tools that might have been intended for CNI (Computer Network Influence) attacks; the U.S. government even went so far as to warn companies of possible attacks (… more than once … do they know something we don’t? Probably …).

Further to this, the US security services have assessed for years that the Russian cyber threat is severe and has significant capabilities to cripple companies, networks, and critical infrastructure. For the sake of this article, let’s assume that, after years of such assessments and successful infiltrations such as CCleaner and SolarWinds, as well as other incidents handled by CYE in hub companies infiltrated by APT29, Russian APTs (Advanced Persistent Threats) do indeed have such capabilities and red buttons all over Western entities. We have seen Russia’s APTs attack companies solely for the purpose of expanding their reach to other, more difficult-to-reach targets.

Between CNI and CNA, on strategic targets

Unlike CNI attacks, a capability such as a red button to shut down critical infrastructure or a government network is not something an actor will readily consider using. Not only does it take a lot of time to build and cultivate, but it also has the potential to trigger detrimental escalation. Capabilities such as these are primarily reserved for wartime or extreme conditions. These conditions predominantly refer to governments that decide they either have nothing to lose or that they have been provoked by measures of similar severity.

We therefore assess that, whilst Russia was prepared for Western sanctions, from our perspective we still haven’t reached the point where Russia would choose to conduct significant CNA (Computer Network Attack) operations against high-value targets such as critical infrastructure in the West.

This ultimately begs the question: WHEN will this happen? Whilst there is no sure answer, we strongly believe it will be when Russia is on the brink of losing control over its population due to sanctions, or when it has less to lose from such attacks. A convincing example of this would be if the West finally followed through on its threat to cut Russia off from SWIFT. In doing so, the West would effectively cut Russia off from the majority of the modern economy, plunging it into a deeper economic crisis than the one it is currently facing.

To quickly circle back, it is almost common knowledge that Russia may have red buttons for CNA purposes on Western targets. IF and WHEN they use them is the real question; hence, ARE WE THERE YET?

We think not.

After a decade and a half in the Israeli defense and intelligence community, Elad Leon joined CYE as the CTI Lead Analyst. He is an experienced cyber security and intelligence professional with extensive hands-on and strategic analysis abilities.
