Intelligence brief: Russian invasion of Ukraine and its cybersecurity impact
Disclaimer: The current ongoing situation is developing rapidly, and information presented might quickly become out of date. For the most up-to-date information, continue to monitor alerts sent out from the Cybersecurity and Infrastructure Security Agency (CISA) and information from trusted media sources.
On February 24, 2022, Russian President Vladimir Putin announced a “Military Operation in Ukraine,” preceded by the movement of Russian troops into Ukrainian territory.
Background on the invasion
In April 2021, Russia sent approximately 100,000 troops to Ukraine’s border. At the time, this troop movement was believed to pertain to military exercises. Ukrainian President Volodymyr Zelenskyy, concerned about the potential for escalation, proceeded to request that NATO leadership outline a timeline for Ukraine’s membership. Ukraine’s admittance into NATO has long been opposed by Russian President Vladimir Putin. Late in the month, Russia began a phased reduction of its military presence along the border; however, tens of thousands of troops remained.
Starting in November 2021, satellite imagery revealed a significant buildup of troops along the border of Ukraine. In early December 2021, U.S. intelligence found evidence the Kremlin was planning a multi-front offensive to take place in early 2022. During this time, it is believed Russia increased its cyber operation efforts both in Ukraine and abroad to launch both a disinformation/propaganda campaign and an offensive campaign to infiltrate infrastructure critical to Ukraine.
In early January 2022, the Biden administration began to announce that Russia was planning to launch a “False Flag” operation to justify an invasion into Ukraine. The U.S. and Russia continued to engage in diplomatic talks, with the main source of contention being NATO’s expansion in Europe. The State Department, towards the end of the month, ordered the families of embassy staff to leave Ukraine, and NATO placed forces on standby. The U.S. ordered 8,500 troops located within the U.S. to be ready to deploy.
Russian troop presence continued to build throughout February, encompassing a significant portion of Ukraine’s border. As diplomatic efforts increased, the U.S. began the movement and deployment of additional troops to assure NATO allies they would be protected. In the regions of Donetsk and Luhansk, fighting escalated between the Russian-backed separatists and the Ukrainian forces, with Vladimir Putin making the unsubstantiated claim that “what is happening in Donbas today is, in fact, genocide.” On February 21, Putin formally recognized the independence of Donetsk and Luhansk, and ordered Russian military troops to deploy there under the guise of a “peacekeeping” mission.
Global response to the invasion
Russia’s invasion of Ukraine has been met with sanctions and airspace restrictions designed to cripple the Russian economy, make it difficult to produce critical infrastructure, and target the finances of those closest to and including Vladimir Putin himself. The United States’ block on technology will severely limit Russia’s ability to advance its military and aerospace sectors. While these packages aim to weaken the Russian economy and place pressure on those closest to Putin, there will be ripple effects felt across the globe. Supply chain shortages and increased energy costs are expected, but the full effects could take years to play out.
These sanctions could also elicit a response from the Kremlin. While there has been escalatory rhetoric from Vladimir Putin on Russian nuclear readiness, the U.S. has continued to signal that Russia was “under no threat” and has continued to seek de-escalation.
Increase in Russian cyber activity
At the time of writing, there are no credible cyber threats to the U.S. homeland. This is, however, subject to change. It should be noted that due to the destabilizing actions by Russia in Ukraine, along with the sanctions imposed, the potential exists for Russia to engage in destabilizing actions outside the region. Organizations, regardless of size, should take a heightened posture when it comes to cybersecurity. Organizations in sectors such as banking, energy and transportation (aviation) are likely to be targeted in the event of a cyber attack launched by Russia.
It has been uncovered that a web service linked to GRU hackers, acting as a command-and-control center, hosted cloned copies of various Ukrainian government websites. According to Bellingcat, “a cloned version of the Ukrainian President’s website included a clickable ‘Support the President’ campaign that, once clicked, downloads a package of malware to the user’s computer.” The intent of the malware payload is unclear, as is whether it was operational or just a placeholder. Given the target audience, it is believed that the payload could have been intended to co-opt all infected computers into a DDoS attack, or to steal social media credentials as part of a larger disinformation campaign to discourage military resistance.
It should also be noted that Russia has continued to engage in sophisticated disinformation campaigns abroad, using social media and Russian state-sponsored media sources to further Russian interests. When reading information online, it is critical to investigate the source and to take an active approach to stop the spread of disinformation. Russia has also been known to utilize spearphishing, brute force and vulnerability exploits to gain initial access.
CISA Shields Up guidance
CISA has created a page providing guidance for organizations and their members to ensure a proactive approach to cybersecurity.
- Ensure all software is up to date to shore up potential known vulnerabilities.
- Take steps to lower their reporting threshold to senior management and the U.S. government.
- Prepare to defend against critical threats with this CISA checklist.
- Remain vigilant towards common Russian TTPs.
- Review their personal and work logins to ensure that passwords are difficult to predict, the same password isn’t reused on multiple websites, and that multi-factor authentication is enabled when possible.
- Exercise caution when clicking links, downloading files and sharing content.
Sources
- What do we know about cyber operations during militarized crises?, Atlantic Council
- Attack on Ukrainian government websites linked to GRU hackers, Bellingcat
- Crisis crossroads: Ukraine, CSIS
- Russia’s at war with Ukraine. Here’s how we got here, NPR
- Maps: Tracking the Russian Invasion of Ukraine, The New York Times
- Putin Declares a Nuclear Alert, and Biden Seeks De-escalation, The New York Times
- U.S. intel suggests Russia is planning a false-flag operation, Politico
- U.S. Companies Should Prepare for Putin’s ‘Gangster Diplomacy’ As Risk of Russian Cyberattacks Grows, Time
- Russia planning massive military offensive against Ukraine involving 175,000 troops, U.S. intelligence warns, The Washington Post
- FACT SHEET: Joined by allies and partners, the United States imposes devastating costs on Russia, The White House
- U.S. Treasury announces unprecedented & expansive sanctions against Russia, imposing swift and severe economic costs, U.S. Department of the Treasury
- Alert (AA22-011A): Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure, CISA