The U.S. Department of Homeland Security is reportedly warning that the U.S. could witness a retaliatory cyberattack at the hands of Russia if it decides to respond to the latter's potential invasion of Ukraine, where 100,000 or more troops have been amassed for weeks. According to a DHS Intelligence and Analysis bulletin dated 23 January 2022 and sent to law enforcement agencies around the country, officials believe that if the U.S. responds to rising tensions at Ukraine's eastern border, the Russian government or its state-sponsored actors could initiate a cyberattack.
The document reportedly reads: "We assess that Russia would consider initiating a cyberattack against the Homeland if it perceived a U.S. or NATO response to a possible Russian invasion of Ukraine threatened its long-term national security." DHS warns that Russia can employ a "range of offensive cyber tools" against U.S. networks, including "a low-level denial of service attack" or a "destructive" attack on critical infrastructure.
DHS officials maintain that Russia's "threshold for conducting disruptive or destructive cyberattacks … remains very high." These are attacks, the agency says, Moscow has not directly employed against U.S. infrastructure in the past although it has engaged cyberespionage campaigns such as SolarWinds. The latter, distributed via a corrupt update on SolarWinds' software, later affected 100 organizations globally, with follow-on attacks at nine U.S. federal agencies, including DHS and the Department of Commerce. Experts have attributed the campaign to APT29, aka Nobelium, which is linked to Russia's Foreign Intelligence Service, or SVR.
The 23 January 2022 bulletin also highlights Russia-linked attacks targeting Ukraine's electric grid, which struck in 2015 and 2016. "This is not at all unanticipated and is right in line with the joint alert from the FBI and CISA about 10 days ago," says Mike Hamilton, former vice chair for the DHS State, Local, Tribal, and Territorial Government Coordinating Council. "Geopolitical tensions are at a high … [and] the U.S. should not feel as though this activity is confined to NATO-curious countries. It's been well-reported … that Russian fingerprints have been found inside our own critical infrastructure networks. It is unlikely that all the access gained has been taken back."
Hamilton, former CISO for the city of Seattle and currently the CISO for the firm Critical Insight, adds, "Given all this information and these trends, it is likely that any military action taken by the U.S. in Ukraine will be met by actions designed to give the U.S. other things to worry about."
The latest warning follows a rapid surge in crypto-locking attacks eyeing U.S. targets in 2021. These include Russia-backed ransomware hits on Colonial Pipeline, which caused fuel shortages along the U.S. East Coast; also, the world's largest meat supplier, JBS, went dark after Russian hackers crypto-locked its systems.
Earlier this month, multiple Ukrainian websites were defaced with warnings to "be afraid and expect the worst," which came as troops continued to amass at the country's eastern border. Several government websites affected by the breach were taken offline to be restored. Defaced websites included messages written in Ukrainian, Russian and Polish. The incident occurred after a week of diplomatic discussions between NATO and Russia.
Ukraine-Russia relations have continued to sour in recent months, after Russian President Vladimir Putin criticized Ukraine's plans to join NATO. The White House subsequently warned that Moscow was running disinformation campaigns targeting Ukraine President Volodymyr Zelensky's administration. Putin threatened to further invade Ukraine if the country is allowed to join NATO. But the U.S. and its NATO allies said Ukraine's decision is not open to negotiation and have called on Moscow to de-escalate and pursue diplomacy, threatening that there will be reprisals for any further military activity.
Despite warnings from U.S. President Joe Biden to the Kremlin, Putin has remained steadfast on preventing Ukraine's NATO entry and he has sought a NATO troop removal from Eastern Europe. Foreign policy experts contend that Russia views Ukraine a former Soviet state as part of its sphere of influence. Russia annexed the Crimean Peninsula in southern Ukraine in 2014.
While other security experts say the alert is not terribly surprising, it is certainly worth closely monitoring. "DHS often releases alerts around potential upticks in activity," says Ross Rustici, a former technical lead for the U.S. Department of Defense and currently the managing director of the advisory firm StoneTurn. "Ultimately, these pronouncements do little to shift the needle on public opinion or corporate behavior. There is a significant record of Russian intrusions into CI/KR [critical infrastructure and key resources] that is sustained and ongoing. We would be best served by concentrating our efforts on continued security around those systems."
"We've yet to see cyberattacks used in concert with a full-fledged military campaign. DHS' warning sets that expectation that something has changed in the threat profile," says Tim Erlin, vice president of the firm Tripwire. "Organizations should be prepared for a change in the types of attacks they see."
"To see this warning coming out of the DHS at a point when tensions are so high is not necessarily surprising," says Lisa Plaggemier, interim executive director of the National Cybersecurity Alliance. "Nonetheless, [it] once again serves to underline how important it is that individuals and businesses prioritize cybersecurity. Fortunately, there has been a dedicated effort within the government to bolster its own cybersecurity capabilities and to promote cybersecurity awareness among the private sector and general public."
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or firstname.lastname@example.org
Weekly Cyber Intelligence Briefings:
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings