3 min Security

‘Russian intelligence agencies play part in cyberattacks on Ukraine’

‘Russian intelligence agencies play part in cyberattacks on Ukraine’

Russian intelligence agencies are cooperating with Russian cybercriminals. Yet, Russian cyberattacks are not an acute threat to the EU and US. This is concluded by an expert panel of security professionals at an emergency briefing by SANS Institute.

Ukraine is under cyber fire. On January 13, Microsoft encountered WhisperGate. HermeticWiper followed on February 23. Both malware forms were designed to destroy the data of Ukrainian organizations and government agencies.

National telecom organizations are plagued by DDoS attacks. Ukrainian residents receive SMS messages containing misinformation. The messages claim that ATMs will soon stop working in an effort to instil fear and disrupt the economy.

“Some Russian cybercriminals have ties to Russian intelligence services”, says Kevin Holvoet, team leader of the Threat Research Centre for Cybersecurity Belgium and panellist at a recent SANS Institute security briefing. “Although we don’t always know what the relation is, there are clear connections. Malware tools are shared among intelligence agencies and cybercriminals, and targets overlap.”

Holvoet points to links between Russian intelligence agencies and ‘Sandworm’, a spy group that covertly stole state secrets from Ukraine between 2009 and 2014. Gamaredon is mentioned as well, a hacking group that has been distributing malware among Ukrainian government agencies since 2013 — just before the annexation of Crimea.

Are the EU and US under pressure?

The Russian threat is an acute concern for Ukrainian organizations and government agencies. The same can’t be said for European and American organizations. Holvoet emphasizes that, at this time, most attacks are directed at Ukraine. Incidents in other regions are rare. 

Panellist Jake Williams, a seasoned security professional who performed multiple classified assignments for the US government, shares the view. “Russian government threat actors have capabilities, but not an infinite supply”, he explains. “Every attack burns another capability. Capabilities are used where the impact matters. Right now, Russian government operators are really busy with important government targets.”

Williams emphasizes that Russia’s focus may change. Should the country target the EU and US in a later stage, some targets could be prioritized. According to Williams, financial services companies, educational institutions and retail companies are more likely to be hit than utility, transportation, healthcare and national defence organizations. Williams reasons that attacks on the latter group — the private sector — are more likely to be seen as an act of war, barring a state actor from attacking without consequence, and reducing the likelihood of an attack. 

Tip: Russian attack on Ukraine pressures global chip industry