Russia's dreaded cyberwarriors seem to be struggling in Ukraine
Russia's hackers — like its military — may not be quite as fearsome as the world thought
One day after Russian tanks broke through Ukrainian border posts on February 24, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a rare "Shields Up" alert warning that "every organization — large and small — must be prepared to respond to disruptive cyber activity."
The expectation was that Russia would attack not only Ukraine but also Ukraine's western allies.
For some reason, that hasn't really happened in a big way.
"We haven't seen anything that we can directly attribute to Russia turning its sights to Canada," Sami Khoury, head of the Canadian Centre for Cyber Security, told CBC News. "There's been probably spillover effects in some cases, but we haven't seen anything that is directly targeted at the Canadian infrastructure or Canadian ecosystem."
Instead, Russia has found itself being hacked — in one instance with embarrassing results that surely must have marred President Vladimir Putin's Victory Day extravaganza.
As RuTube, Russia's version of YouTube, was taken down by hackers, YouTube itself remained online in Russia and continued sharing videos demonstrating Ukraine's dominance of the information space in this war.
Hacktivist groups such as Network Battalion 65 have stolen reams of emails and data from Russian government and corporate sites. In March, for the first time ever, more Russian email credentials were leaked online than those of any other nation.
Russian hackers even failed to disrupt voting in the Eurovision Song Contest. (Ukraine won.)
Just as Russia's armoured divisions entered this conflict with a fearsome reputation that turned out to be wildly overblown, the reach of Moscow's cyber legions may have been overestimated. And just as Russia's war has diminished the reputation of Russian arms, it might also lead to a reassessment of nations' relative strengths in the virtual world.
Fearing the worst
Ukraine had every reason to expect the worst. Online attacks have been happening there since war began in 2014.
A Russian "persistent threat group" known as Sandworm was behind a December 2015 attack on the Ukrainian electrical grid that caused widespread power outages.
A year later, in December 2016, the Ukrainian financial system was targeted by the Black Energy malware attack which also caused power cuts in Kyiv.
Then in June 2017, the same group struck again with a powerful new malware called Petya, causing chaos at government ministries, forcing banks to close, jamming telecom networks and again disrupting Ukraine's electrical grid. Airports and railways were affected and Chernobyl's radiation monitoring system went offline.
Ukrainian and western officials blamed the attacks on Russia's GRU (main intelligence directorate) and SVR (foreign intelligence service).
Last year, Ukraine's SBU security service reported it had "neutralized" an average of four cyberattacks per day.
So it was widely assumed that an army of bots would act as vanguard for any real invasion by attempting to cut power and communications, clog transportation links and generally sow confusion.
Russia did try something modest along those lines.
In mid-January, a cyberattack hit about 70 Ukrainian government websites hours after talks between Russia and NATO failed to produce the concessions the Kremlin was hoping for.
"All information about you has become public, be afraid and expect the worst," said a pop-up screen message. "This is for your past, present and future." It repeated familiar Kremlin tropes about Nazis and persecution of Russian-speakers.
In addition to hitting government and military sites, the distributed denial of service (DDOS) attacks also targeted two banks, shutting down ATMs and credit card transactions.
Hack and attack
Russia launched another cyberattack on Ukraine on the day of the invasion with a piece of malware called Hermetic Wiper that targeted hard drives.
Last week, the Canadian government accused the Russian military of having "directly targeted the Viasat KA-SAT satellite Internet service in Ukraine" in February. The U.K. government says the attack also hit collateral targets such as central European wind farms.
But the trains continued to run and the Ukrainian government continued to function. The attack was much less damaging than the 2007 attack on Estonia, or the attacks that preceded the 2008 invasion of Georgia.
Ali Dehghantanha, Canada Research Chair in Cybersecurity and Threat Intelligence at the University of Guelph, said Russia may have underused its offensive cyber capabilities because it was confident of a swift military victory.
But Ukraine is also better defended after years of successive attacks, he added.
"Because of their previous story with Russia," said Dehghantanha, "going back to the time of the conflict in Crimea, Ukraine — with the support of Western allies — did a very good job in protecting its physical infrastructure this time."
Those western partners include Canada's digital counter-espionage agency, the Communications Security Establishment.
"While we can't speak about specific operations, we can confirm that CSE has been tracking cyber threat activity associated with the current crisis," the CSE's Ryan Foreman told CBC News.
"CSE has been sharing valuable cyber threat intelligence with key partners in Ukraine and continues to work with the Canadian Armed Forces in support of Ukraine."
CSE also has to worry about Canada's own assets, of course.
For years, major cyberattacks on North American assets have been landing with some regularity. CISA has compiled a long list of American online assets it sees as coveted targets for Russia's disruption and theft operations, including "COVID-19 research, governments, election organizations, health care and pharmaceutical, defence, energy, video gaming, nuclear, commercial facilities, water, aviation, and critical manufacturing."
"Russia has significant cyber capabilities and a demonstrated history of using them irresponsibly. This includes SolarWinds cyber compromise, COVID-19 vaccine development, Georgia's democratic process and NotPetya malware," Foreman told CBC.
Dehghantanha said state-sponsored hackers are now shifting away from building the most sophisticated malware to employing more of a scattergun approach — one that involves installing simpler backdoors into a wide range of less well-defended infrastructure targets.
"Before 2020, we saw a lot of effort on building the best malware or the best wiper or the best exploits," he said. "The issue is, if your opponent discovers that malware, they know a lot about you, about your capabilities, all your investments.
"So if you come with the most advanced malware, it may take you two or three years of research and development. But from the moment it's deployed and you start causing the impact, it takes them only a couple of weeks to address it."
Hacktivists on the battlefield
Dehghantanha said Russian actors have had some success in the emerging field of "social cybersecurity," where hackers behave more like hacktivists.
"The cost of building fake content that looks very convincing to the wider public is quite low these days," he said. "And I am seeing a quick shift in the activities of the hacking groups in that direction. Instead of trying to impact the capital infrastructure or the IT infrastructure, we can impact the human beings and achieve the same result."
An example of such a "fake hacktivist" attack would be a disinformation campaign designed to sow panic in a particular village or district.
"They try to impact on that micro level," Dehghantanha said.
Ukraine also has warned that it may not have felt the full effects of Russian hacking yet.
The country's top cyber official Victor Zhora said recently that Russia stole Ukrainian government data to give its forces a list of targets for arrest or murder in the occupied zones. He said he fears that data is already being used.
Underbelly remains soft
Canada remains vulnerable, said Dehghantanha — "especially the soft bellies of critical infrastructure like water treatment systems, the agricultural sector, any single supply chain and, of course, pipelines."
More and more, hostile actors have been seeding malware in advance with a view to attacks months or years in the future. Dehghantanha said Canada should tighten its requirements for private companies that manage critical infrastructure.
"We need to change our policy from blacklisting to whitelisting, which means instead of telling you that you cannot install A, B and C, and anything else is allowed, we need to say you can only work with A, B and C and nothing else is allowed," he said.
"There is no way, no resources for the nation to monitor everything. So it is better that we just limit ourselves to specific suppliers, to a specific product that we know."
Balance can shift quickly
Foreman said the CSE is in constant contact "with Canadian critical infrastructure partners via protected channels," beyond what is seen in its public advisories.
"Now is the time to take defensive action and be proactive," he added.
That means isolating critical systems from the internet, creating and testing backups and testing manual controls to ensure critical systems still function when networks fail, he said.
Dehghantanha said he's reluctant to downplay the threat posed by Russia merely because it has underwhelmed in Ukraine.
"The cyber war is not like a balance where you can say that I have bigger guns or more airplanes, so I am superior. It is not the case at all here," he said.
"You could have just ten fantastic cyber attackers that could build an exploit and get access to that critical infrastructure, and they make a significant change."