With Russia very likely to intensify its offensive cyber operations over the coming months, we are considering some of the worst-case and business-threatening scenarios that organisations may face.
This assessment was issued to clients of Dragonfly’s Security Intelligence & Analysis Service (SIAS) on 24 October 2022.
In our assessment, this would involve the global spread of disruptive or destructive malware. While it is difficult to predict the likelihood of such attacks – given these could be either intentional or unintentional and cyber defence varies across countries – Russia’s threshold for deploying self-propagating malware is probably at its lowest point yet. And this threshold is likely to further fall in 2023.
Foreign governments and our cybersecurity sources have alluded to this potential scenario amid the Ukraine war, or more vaguely to Russia taking ‘more risks’ in cyberspace. The UK NCSC in September said that Russia this year has favoured wiper malware – which erases the hard drives of infected computers – and that there would be ‘dire consequences globally if such malware propagated in the same way that NotPetya did’. The 2017 NotPetya attacks, which Russia was behind, targeted Ukrainian organisations but led to cascading financial losses and operational disruption for countries and organisations globally.
Russia does not appear to have deployed similar self-propagating attacks since the war in Ukraine began in February, according to our UK cybersecurity official source. But they told us that Russia ‘now appears content to cause a bit of disruption to prove a point’. We assess that a Russia-backed cyberattack attempting to disrupt Western critical infrastructure is a probable scenario in the near to medium term, as the country tries to exert pressure on European governments into sanctions relief. This is as Russia appears to be placing increasingly little weight on the international repercussions – and collateral risks – stemming from such attacks amid the war.
The spread of self-propagating malware by Russia-state-sponsored groups would fit with the Kremlin’s objectives, and offer key advantages. The global spread of such malware – particularly if this originated from Ukraine – would allow Russia to inflict major disruption and financial costs on Western countries and businesses, while probably not constituting the West’s threshold of it being a direct attack or an act of war. We suspect that the benefits of this for Russia would outweigh any international backlash from countries impacted by such attacks that are neutral or support Russia.
As part of its objectives, Russia is probably willing to accept any collateral damage from the global spread of destructive or disruptive malware. Russian organisations were impacted by the 2017 NotPetya attacks, which primarily targeted Ukraine. The Russian government has tried to progress towards isolating its internet infrastructure in recent years, conducting what it says have been ‘successful’ tests to separate its internet from global connections. But we have seen no evidence that Russia has the capability to do so on a national scale that would mitigate itself from any collateral damage of propagating destructive malware.
We will be monitoring for indicators that would suggest such a global cyber-related crisis is becoming more likely. The primary indicators would be Russia deploying new variants of mal- or ransomware with self-propagating capabilities, especially on a widespread scale in Ukraine or elsewhere in Europe, as well as warnings by foreign cybersecurity agencies of vulnerabilities being actively exploited by such groups. Many victim organisations that were impacted by the NotPetya attacks or the North-Korean global WannaCry ransomware attacks in 2017 had not applied recommended patches or had outdated operating systems.#
Image: Photo by Imaginima via Getty Images