In recent weeks, nearly every corner of the US government has been brought to bear on that same question: The Transportation Security Administration, which oversees pipeline security in addition to its more well-known role of passenger screening at airports, has issued directives to pipeline companies; the Environmental Protection Agency has recently hosted two webinars for more than 400 water utilities about necessary security steps; and the Department of Energy held comparable, CEO-level briefings for energy companies.
More public-facing government efforts have come in the form of a mid-January advisory from CISA, NSA, and FBI outlining common tactics and techniques for Russian cyber operations, ranging from preferred Cisco routers to Microsoft Exchange vulnerabilities. Last week, those agencies issued another joint advisory, along with international counterparts from Australia the UK highlighting the proliferation in 2021 of ransomware attacks against critical infrastructure. While the advisory never specifically mentions Russia, many of the worst attacks of 2021 stemmed from Russia-based groups like REvil.
Russia has long treated its neighbor Ukraine as a real-world sandbox to test cyberattacks. In 2015, it brought down the country’s power grid. In 2017, it set loose the NotPetya ransomware, which corrupted Ukrainian tax software and went on to cause as much as $10 billion in damage to international companies that did business in the country. The shipping company Maersk saw some 80,000 computers destroyed; FedEx suffered nearly half-a-billion-dollars in damage; the drug company Merck saw upwards of a $800 million loss.
A more recent attack came in mid-January, as dozens of Ukraine government websites were knocked offline and defaced, replacing the sites with text that warned, “Be afraid and expect the worst.” While that attack may have originated from Russian ally Belarus, subsequent destructive malware hit Ukrainian systems, posing as ransomware but deleting data. US officials have also warned of “specific, credible” threats against Ukraine’s critical infrastructure. On Tuesday, an apparent DDoS attack hit the websites of Ukraine’s Ministry of Defense, Armed Forces, and two major banks, although it’s unclear who’s responsible.
The US government has long been intimately involved in helping understand and mitigate Ukraine’s cyber risk, collaboration that it hopes will also help understand and mitigate threats to the homeland. US Cyber Command has conducted what it calls “hunt forward” missions in Ukraine, deploying teams to the country to search for malware as part of a strategy known as “persistent engagement,” developed by its commander, general Paul Nakasone, that attempts to keep the US in constant contact with its primary adversaries in the most active arenas in cyberspace.
On the civilian side, CISA works closely with Ukrainian cybersecurity agencies, and the US Agency for International Development has for years run large-scale, multi-million-dollar programs to help Ukraine protect its own critical infrastructure against cyberattacks. “We’ve also more recently, as you can imagine, been communicating with CERT-Ukraine to provide reports of possible activity targeting Ukrainian organizations, including Ukrainian government agencies,” Easterly says, referring to the country’s computer emergency response team. “We are standing in to be able to be helpful for them.”
Red Lines
Conversations with more than a dozen senior cybersecurity leaders across the US government, tech companies, and the private sector in recent weeks—many who asked to speak anonymously in order to candidly discuss a dynamic threat environment—outlined major areas of risk they’re collectively watching where Russia has already demonstrated a sometimes brutal effectiveness online.
While many expect Russia to deploy information operations regionally, including both disinformation and perhaps even hack-and-leak operations similar to those it used to target the 2016 US presidential elections, the two leading threats are a scourge of ransomware and so-called collateral damage. “Looking back at NotPetya, that’s a huge cautionary tale,” Easterly says, pointing to the many US companies or Western subsidiaries who do business in Ukraine and thus have interlocked digital systems.
