On 23 Feb 2022, Russian forces started a military operation targeting Ukraine. Reporting indicates that shelling in several Ukrainian cities has occurred, and footage from Kharkiv’s border shows Russian vehicles moving into Ukraine. In a fiery televised address, President Vladimir Putin has threatened dire consequences to any nations seeking to prevent this, labeling his offensive as a “special military operation in the Donbas”. We’re continuing to monitor the situation, and our sympathies extend to those at risk in Ukraine.
Malicious cyber-action has coincided with Russia’s military forces entering Ukraine. On 23rd Feb 2022, it was reported that a wave of DDoS attacks had occurred against Ukrainian government websites and banks. In addition, new data wiping malware was discovered on hundreds of devices on Ukrainian networks. In some instances, researchers found that the malware had been compiled in December 2021, indicating that the attack had been prepared in advance; other research identified that the malware—which has been named “HermeticWiper” by researchers—was deployed directly from Windows domain controllers, indicating it realistically possible that attackers may have had prolonged access prior to execution.
Yesterday’s developments have incited significant sanctions from multiple NATO member-states including the UK and the US. Additionally, Germany has halted operations relating to the Nordstream 2 pipeline stemming from Russia to Germany. It is almost certain additional sanctions against Russia will be announced in the immediate future.
How have we arrived at this situation?
The conflict in Ukraine has multiple historical factors that have all driven towards the current situation. The Euromaiden protests in 2013 resulted from then Ukrainian president Viktor Yanukovich postponing the signing of the EU-Ukraine association agreement, and instead choosing closer ties with Russia and the Eurasian economic union. This enraged many of Ukraine’s population who wanted to see the country move towards EU and NATO membership, with Yanukovich ousted following other claims of corruption, abuse of power and human rights violations. The subsequent Ukrainian governments—who have taken a far more favorable view towards the west—have widely been rejected by Moscow as being illegitimate.
This shift towards NATO and/or EU membership has enraged Putin, who has suggested that such a move would threaten Russia. Several recent speeches given by President Putin also have emphasized an outdated and archaic view of Ukraine; Putin has alleged that Ukraine had no history and is not a true country. The guise of “peacekeeping” for separatists in the regions of Donetsk and Luhansk also likely provides his decisions with a sense of legitimacy.
Germany’s decision to halt operations related to the Nordstream 2 pipeline is, among other decisions, noteworthy. Some critics assessed that Germany would be more cautious, given its reliance on Russian natural gas; this represents around 65% of current natural gas imports in Germany. In terms of sanctions, more are promised, but for now, they do not seem to be extensive or extreme. Financial punishments are likely to be proportionate to Russia’s actions; as it moves further west into Ukraine, the sanctions will likely increase.
Politicians and journalists alike have hinted at the potential exclusion of Russia from the “SWIFT” banking system. This would represent a dramatic increase in severity, and in direct response to Russia’s escalation. In the UK, Westminster politicians have declared support for further action against oligarchs based in London, and for further scrutiny towards the government’s “Golden Visa” program. The US has also targeted larger Russian banks with sanctions, and the EU has sanctioned 27 individuals.
Malicious cyber-action coming from Russia is likely to continue targeting Ukraine. Cyber-attacks could extend out of Ukraine, and impact NATO and EU member states; this has already been observed with Hermetic Wiper impacting networks in Latvia and Lithuania. NotPetya, notorious for its global spread in 2017, immediately springs to mind. It is also realistically possible that the financial services, energy, and oil & gas sectors in particular are under an increased risk from Russian aligned threat actors. Targeting oil & gas in Europe, for example, could serve to cause concern among nation-states dependent on Russian energy.
Russia-based cybercriminals may also be emboldened or otherwise encouraged by Russia’s actions. This week, the FBI warned organizations of an increased threat from ransomware operations; it is realistically possible that, despite recent Russian crackdowns against cybercriminals, they may deem NATO-based targets, or organizations based in NATO countries, as viable.
Digital Shadows will continue to monitor and update accordingly; for further insights, we have released a special edition of ShadowTalk discussing the wider geopolitical issues at play during these troubling times. Digital Shadows’ SearchLight service features a constantly-updated threat intelligence library, providing insights on the unfolding situation within eastern Europe and other trends that might impact your organization. Digital Shadows’ clients can use Shadow Search™ queries for further details, and view the event profile created to monitor developments.