Security experts brace for possible Russian cyberattacks (2022)

In the four months since its invasion of Ukraine, Russia hasn't intensified its usual pattern of cyberattacks against the U.S. and Western Europe in response to sanctions and Ukrainian military aid, as many expected. But that doesn't mean the risk of escalation with the West is gone, numerous experts told Protocol.

In other words, don't lower your shields just yet.

At the moment, it's clear that Vladimir Putin has made a calculation not to inflame tensions with the West, said Dmitri Alperovitch, the Russian-born cybersecurity and geopolitics expert who co-founded CrowdStrike.

But if things don't go Putin's way on Ukraine and sanctions, he "may very well resort back to cyber to increase pressure on the West," Alperovitch said.

Ciaran Martin, who was the founding CEO of the U.K. government's National Cyber Security Centre, agreed that Putin’s approach toward the West on cyber may change in response to events on the ground in Ukraine. “Russia could decide that it needs to make a point to the West, in an escalatory way," Martin said, though “the chances of [that] are not high at the moment.”

To get a better sense of the current state of the Russian cyber threat against the West, Protocol recently spoke with 20 experts — including threat researchers, former government officials and those with expertise on critical infrastructure and Russia.

A number of them are concerned that, as soon as later this year, Putin may give the green light for major cyberattacks aimed at disrupting critical infrastructure and supply chains in the West. A surge of attacks from proxy groups is also probable, according to some Russia watchers.

"I fear this is a 'calm before the storm' situation," said Chester Wisniewski, principal research scientist at cybersecurity giant Sophos.

In all likelihood, the political and economic issues facing the Kremlin will only continue to mount, raising the prospects of Russia bringing new cyber pressure against the U.S., said Chris Krebs, former director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

"Once they start losing good options, they're going to start using some of their capabilities they've kept in reserve to strike back at the U.S. and say, 'Hey, wipe off the sanctions,'" Krebs said. "How are they going to do it? It would be a highly visible, likely destructive attack."

Shields up

Initial U.S. government warnings of a potential for disruptive Russian cyberattacks did not play out the way that many expected.

On February 11, CISA issued its first "Shields Up" warning, urging increased cyber readiness as Russia amassed troops near Ukraine's borders.

Later in February, when Russia struck Ukraine with a series of data-wiper attacks followed by the invasion of the country, the CISA warning looked prescient. Surely, Russian cyberattacks would soon be directed toward the U.S. and other nations who were backing Ukraine, many experts assumed.

But as far as the public knows, this didn't happen. The past several months have actually been even quieter than usual, according to many security professionals.

"I don't think anyone expected effectively no retaliatory actions," said Ryan Olson, vice president of Threat Intelligence at Palo Alto Networks' Unit 42 group.

CISA’s "Shields Up" program has been a success in terms of raising awareness; the campaign almost instantly became a rallying point for cyber defenders in the U.S.

But while grateful that the attacks didn't materialize, cybersecurity teams started to wonder if they were supposed to stay in "Shields Up" mode indefinitely.

CISA Director Jen Easterly did consider whether to move to a status like "shields normal," she said during a panel at the RSA Conference this month. But she eventually concluded that "Shields Up" is "really the new normal."

"We all know, though, we can't sustain the highest level of alert for an extensive period of time," Easterly said during the RSA panel. That has prompted plans to develop an advisory framework that can give some indication of what the current threat is, based on intelligence and information from partners, she said. (CISA declined to make a representative available for an interview for this article.)

If Putin does decide to escalate, among the top questions is whether Russia would take the extreme measure of launching a cyberattack against U.S. critical infrastructure.

It's worth pointing out that the highest-profile attack of this type in U.S. history — which struck fuel pipeline operator Colonial Pipeline a year ago — was probably an accident. The Russia-based group behind the ransomware attack, which led to gas shortages across the Southeastern U.S., likely wasn't trying to do something so big, according to several experts.

But with U.S.-Russia relations further deteriorating thanks to the Ukraine war, some experts believe the Kremlin's appetite for critical infrastructure attacks may have changed. Now attacks like Colonial Pipeline "are the kinds of things I would expect that [the Russians] might want to do intentionally," Sophos' Wisniewski said.

Based on nearly two decades of following cybercrime activity out of Eastern Europe, he said, "My instinct is that if a group could intentionally pull that off, they would now get kudos."

This potential shift is important because, even in the wake of Colonial Pipeline, cybersecurity remains underfunded for many critical infrastructure operators.

"We have sprawling critical infrastructure that has been ignored from a security standpoint for a long time," said Katell Thielemann, a vice president analyst at Gartner. "For a determined aggressor, it's not too hard to find the weak points."

Meanwhile, knowledge of how to attack critical infrastructure and supply chains is spreading.

Evidence suggests that two recent strains of malware targeting industrial systems were developed within weeks, while those systems have also seen an uptick in vulnerabilities, according to Thielemann. All of which means, she said, that “the risk profile has increased" for industrial environments.

Supply chains

Infrastructure that American society considers "critical" is also broader than just the electric grid and water utilities, said Justin Fier, formerly a cybersecurity specialist for Lockheed Martin and other defense contractors.

"We shouldn't just focus on the Hollywood scenarios — turning out the lights and the water," said Fier, who is now vice president of Tactical Risk and Response at Darktrace. "It could be something so much simpler."

The effects from shortages of baby formula and technology components such as chips have been significant; it's not hard to see how an intentional disruption of supply chains by a Russian cyberattack could quickly turn into a crisis, Fier said.

If the goal is to deliver a blow to critical infrastructure, a direct breach may not be necessary either. Attacking a third-party service provider or manufacturer could have a similar effect to a direct hit on a utility and would likely be met with weaker cyber defenses.

If a producer of a single component used in transformers were to go down, for example, "I don't know that you're going to be able to build a transformer anymore," said Betsy Soehren-Jones, formerly the director of cyber and physical security strategy for energy utility Exelon.

Likewise, if the company that prints bills used by a utility experiences a ransomware attack, that utility will struggle to keep business going, said Soehren-Jones, who is now COO of Fortress Information Security. When it comes to cyberattacks from Russia on critical infrastructure, she said, "I am way more worried about business continuity than I am direct hits."
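The business-continuity point Soehren-Jones makes, that a sole-source component supplier or a single billing printer can take a utility down without any direct hit, is exactly what a dependency map is for. The following is an added example, not code from the original article or from any organization quoted in it; the utility, vendor and component names are constructed placeholders. It models suppliers as a dependency graph in which each requirement lists interchangeable providers (that is how redundancy is expressed), then reports every single node whose outage alone would stop the top-level service, and the full set of nodes knocked out by a given outage.

```python
"""
Single-point-of-failure analysis over a supplier/service dependency graph.

Added example (not code from the original article). All organization,
vendor and component names below are constructed placeholders.

Model: a node is a service, vendor or component. Each node lists its
requirements; a requirement is a set of alternative providers, any ONE of
which is enough. A node is available only if it is not itself down and
every one of its requirements has at least one available alternative.
"""
from functools import lru_cache

# Constructed dependency graph for a fictional electric utility.
GRAPH = {
    "power_delivery":    [{"transformer_fleet"}, {"scada_network"}, {"billing"}],
    "transformer_fleet": [{"transformer_oem"}],
    "transformer_oem":   [{"bushing_supplier"}],                    # sole-source part
    "scada_network":     [{"scada_vendor"}, {"telecom_a", "telecom_b"}],  # dual carrier
    "billing":           [{"print_mail_vendor"}],                   # single bill printer
    "bushing_supplier":  [],
    "scada_vendor":      [],
    "telecom_a":         [],
    "telecom_b":         [],
    "print_mail_vendor": [],
}


def is_available(graph, node, down):
    """True if `node` still functions when every node in `down` is out."""
    down = frozenset(down)

    @lru_cache(maxsize=None)
    def avail(n):
        if n in down:
            return False
        # Each requirement is satisfied if any one alternative is available.
        return all(any(avail(alt) for alt in req) for req in graph.get(n, []))

    return avail(node)


def single_points_of_failure(graph, service):
    """Nodes whose loss, on its own, takes `service` down (sorted by name)."""
    return sorted(
        n for n in graph if n != service and not is_available(graph, service, {n})
    )


def outage_impact(graph, down):
    """Every node that stops functioning when the nodes in `down` are out."""
    return sorted(n for n in graph if not is_available(graph, n, down))


if __name__ == "__main__":
    print("SPOFs for power_delivery:", single_points_of_failure(GRAPH, "power_delivery"))
    print("Losing one carrier:", outage_impact(GRAPH, {"telecom_a"}))
    print("Losing the bill printer:", outage_impact(GRAPH, {"print_mail_vendor"}))
```

Run as-is, the dual-carrier telecom pair is the only dependency that does not show up as a single point of failure; the bill printer and the sole-source bushing supplier both do, which is the "business continuity, not direct hits" exposure described above. Replacing the placeholder graph with a real vendor inventory is the only change needed to use it.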

Ultimately, in whatever form it takes, "that big national critical infrastructure attack is probably still very much on the horizon," Fier said.

Dave DeWalt, the former CEO of FireEye and McAfee, sees attacks on critical infrastructure and increased ransomware as probable toward the end of the year. "I believe we have a massive wave coming at us," DeWalt said.

"For every dollar of sanctions, they're going to try to get a dollar back — that's what I think they're going to do," said DeWalt, who is now founder and managing director of venture firm NightDragon. "It could be measured in trillions."

Cyberattacks could accomplish many goals at once for Putin: They would distract the national security community, exact financial costs and create fear in the populace, said Jonathan Reiber, vice president of Cybersecurity Strategy and Policy at AttackIQ.

While there's no definitive evidence that the Kremlin coordinates with the Russia-based cybercriminal groups to any degree, prominent ransomware gang Conti did vow to support Russia at the start of the Ukraine war. And the recent leaks of alleged Conti chat logs suggest ties between the group and the Russian Federal Security Service (FSB), noted Sergey Potseluy, a Ukrainian and senior researcher at Intel 471.

Conti has been characterized as an especially ruthless ransomware gang, responsible for the May 2021 attack that crippled Ireland's public health care system, among others.

In the past, nobody would've imagined that the Kremlin had directed an attack on a health care system, said Martin, who is now a professor in the Blavatnik School of Government at the University of Oxford. But Conti's statement of fealty to Russia, he said, suggests that "its relationship with the state has changed.”

And so, in the event of a future attack by Conti on a Western target, "would it be seen to be acting as an authorized proxy for the state?" Martin said. "Because then if it does something that's hugely disruptive to the welfare of a Western country, that's a different issue."

Just how much the Kremlin might coordinate with the cybercriminal groups around a future cyber strike against the U.S. and Western Europe is up for debate.

If Russia wants to send a message to the West in response to the sanctions and military aid to Ukraine, its forces can deliver that "in a clearer format than just siccing the ransomware gangs on the West," said Matthew Olney, director of Cisco's Talos Threat Intelligence Group.

Wiper attacks

If the U.S. did face a retaliatory strike from the Kremlin, it would most likely involve data-wiping malware, Unit 42's Olson said.

The costliest cyberattack of all time, the NotPetya attack on Ukraine nearly five years ago to the day, was a wiper disguised to look like ransomware. And in recent months, Russia has deployed dozens of wipers against Ukrainian agencies and critical infrastructure, some of which have posed as ransomware, researchers say.

If Russia does launch cyber retaliation against Ukraine's allies, a wiper attack on critical infrastructure pretending to be the work of a ransomware group is a strong possibility, Olson said.

If Putin can't get rid of the sanctions through other means, a wiper attack could be deployed to turn up the pressure, said Krebs, who was the first director of CISA and is now a founding partner at cybersecurity consulting firm Krebs Stamos Group.

Such an attack, he said, "would go after key sectors and segments that would get the attention" the Kremlin is seeking. "Every organization right now should be looking very hard at [the wiper threat] and saying, 'How could I be potentially affected here?'"

Going forward, threat researchers at Microsoft see a possibility for destructive attacks against financial, transportation and communications providers in regions including the European Union, said Justin Warner, senior threat intelligence analyst at the Microsoft Threat Intelligence Center, in an email.

According to a Microsoft report released last week, Russian intelligence agencies have been conducting network intrusion and espionage operations against a wide swath of NATO countries in the months since the invasion, with the U.S. being the top target.

Microsoft says that 29% of these intrusion attempts succeeded in breaching the target networks, which included government agencies, IT enterprises and critical infrastructure organizations.

"It would certainly be in keeping with the way that Russia operates to make a lot of noise over in Ukraine, [while] they are executing a much more covert and persistent attack against a completely different target," said Daniel Clayton, formerly an intelligence operations center branch chief for the U.K. government and the NSA.

"It's been my experience for a long time that you have to never look where [Russia is] making all the noise," said Clayton, who is now vice president of Global Security Services and Technical Support at Bitdefender.

Experts also anticipate an increase in disinformation activities by Russia targeting the U.S., in tandem with cyberactivity. "Putin is an opportunist, and he's going to use both tools in combination with one another," said Jessica Brandt, policy director for the Artificial Intelligence and Emerging Technology Initiative at the Brookings Institution.

Earlier this month, Russia's foreign ministry blamed the U.S. and Ukraine for cyberattacks against government institutions and critical infrastructure in Russia, saying in a statement that it would "not leave aggressive actions unanswered." The statement followed comments by U.S. Army Gen. Paul Nakasone, who heads the Cyber Command and NSA, signaling that the U.S. has engaged in offensive cyber operations in support of Ukraine.

An intensification in cyberattacks against the U.S. and other NATO countries becomes more likely when Putin has either "achieved a stalemate or he's losing — where he has no other options," said Reiber, previously chief strategy officer for Cyber Policy in the Office of the Secretary of Defense during the Obama administration.

Another former Obama administration official, Jeffrey Edmonds, suspects the Russians “might be holding their punches” on cyber while waiting to see how things develop in Ukraine.

If Putin does end up wanting to send a message in the form of cyberattacks against the U.S. and Western Europe, it would have to represent an escalation above the usual baseline of activity, said Edmonds, former director for Russia on the National Security Council during the Obama administration. “They'd have to deviate from the norm,” he said.

However, Putin may not feel the need to intensify cyberattacks against the U.S. if he can achieve his goal of getting sanctions lifted without them, said Alperovitch, formerly CrowdStrike's CTO and now the co-founder and executive chairman of Silverado Policy Accelerator, a Washington think tank.

While some view Putin's actions as irrational, "All of his decisions are actually perfectly understandable, if you put yourself in his shoes," Alperovitch said. And crucially, "Many of them are predictable."

Case in point, in December 2021, Alperovitch predicted that Russia would invade Ukraine during the winter, two months before it happened.

Currently, Putin's strategy is "driven by his belief that he's actually winning,” Alperovitch said. This confidence is based on Russia's acquisition of Ukrainian territory and, more critically, its blockade of Ukraine's Black Sea ports, which is exacerbating food prices worldwide, according to Alperovitch.

As a result, Putin thinks he has leverage to win concessions from the West on sanctions. "With that mindset, there's no point in trying to make things worse by launching cyberattacks," Alperovitch said.

However, if this fails, "He may decide that [cyber] is a tool worth pursuing" for driving inflation and economic instability even higher. Alperovitch doesn't expect that scenario to be a possibility until this coming winter at the earliest.

"Would launching cyberattacks right now help him with this goal? I would argue no. And I think he's making the same decision," Alperovitch said. "But that can — and perhaps will — change."

Article information

Author: Duane Harber

Last Updated: 09/14/2022
