Alongside the carnage that’s taking place on the ground in Ukraine, there’s a parallel war being waged in cyberspace. Ukraine and Russia are highly IT-literate societies with infrastructure that relies on digital technology, which is why they’ve been going to great lengths to try to bring down each other’s systems.
In fact, Russia has been mounting cyber attacks for decades, with hostilities intensifying significantly after it seized the Crimean peninsula from Ukraine in 2014.
Electricity supplies, for instance, have been a prime target for disruption since then. Such attacks have been reasonably focused so far, reports Alan Woodward, visiting professor of cybersecurity at the University of Surrey.
But, just as so-called guided missiles can wreak havoc on innocent civilians, a misfiring cyber attack can cause much collateral damage beyond its intended target. For this reason, businesses far from the physical battleground – especially SMEs, whose cyber defences are generally likely to be relatively basic – need to be wary of Russia’s online war with Ukraine.
“Effective cyber attacks will quite often use a vector in the supply chain,” Woodward says. This makes it possible for a business with no connection to Ukraine or Russia to be caught up in an attack, simply because it shares a software provider with a company that does have such links.
In 2017, for instance, the NotPetya ransomware strain (widely viewed as the handiwork of Russian military intelligence agency the GRU) was launched through a tax preparation app used by many firms in Ukraine – and plenty outside the country too.
“The next time that everyone updated their software – bang, they’d taken in this massive piece of ransomware,” Woodward says.
Some of the companies whose systems were infected had to write down billions of pounds from their balance sheets in the process of fixing the problem. “A number of small and medium-sized businesses were practically wiped out,” he adds.
This is why the UK’s National Cyber Security Centre (NCSC) has advised British businesses to remain alert for such attacks and bolster their defences accordingly. The NCSC doesn’t believe that Moscow is deliberately seeking to target British enterprises. Rather, it’s concerned that an assault targeting organisations in Ukraine could easily affect enterprises in other countries.
And British firms have more to fear from Russia than a less-than-discriminate cyber strike mounted by the GRU. Dr Victoria Baines is a senior researcher, author and speaker who’s worked with bodies such as Europol’s European Cybercrime Centre in The Hague. She says: “The line between state-sponsored and profit-driven cyber threats has become very blurred.”
Baines cites the WannaCry ransomware attack in 2017 as a case in point. This spread far beyond its original target, causing chaos for the National Health Service, as well as Renault, FedEx and Deutsche Bahn. Europol estimated that more than 200,000 computers in 150 countries – and especially Russia – were disabled.
WannaCry was eventually traced back to a gang with ties to Kim Jong-un’s regime in North Korea. But the link between private criminal enterprise and national governments goes further than that, according to Baines, who points out that the Conti Team – a prolific ransomware gang thought to be based in St Petersburg – “has recently declared its support for Putin”.
This means that its members could act as ‘hired guns’, aiming to cause chaos for any organisation around the world that speaks out against Russia’s actions.
Before the invasion, Russia had actually gained some good publicity for starting to round up some of the country’s more notorious cybercriminals. Their arrests, some of which were filmed and broadcast worldwide, had indicated a shift in approach from the Kremlin that many countries welcomed.
But, now that Russia has become an outcast, the Putin regime has far less incentive to clamp down on domestic cybercriminals. This means that we’re all more at risk, according to Baines, who adds: “It’s become increasingly clear that some states are also using ransomware and cryptocurrency scams to generate revenue.”
It’s another reason why the debate about whether to pay ransoms or not has become so heated. “Ultimately, we can’t rule out the possibility that ransoms paid by SMEs in the UK and elsewhere are supplementing the Kremlin’s war coffers – a sobering thought,” she says, but stresses that the threat is also “largely preventable”.
Woodward agrees that there are several straightforward and effective steps that firms can take to protect themselves from the GRU and Russian cybercriminals who’ve been let off the hook.
“This may sound like a broken record, but look at the NCSC’s guidance,” he says.
The centre has plenty of advice on matters such as how to manage passwords; handle emails to avoid downloading malicious attachments; and set up corporate networks so that they’re more resistant to attack and less likely to spread malware onwards if they do get infected.
“One of the most common vectors for ransomware is an emailed Excel spreadsheet that has a macro in it. If people open it and the right network policies aren’t in place, there’s nothing to prevent that macro from dialling home and pulling in some malware,” Woodward warns.
While it may seem costly, commissioning external expertise to satisfy yourself that your firm’s networks are as secure as they can be is likely to be a sound investment. If you want to do it in house, be sure to cover all the simple aspects that can easily be overlooked, Baines stresses.
“Basic digital hygiene – for instance, keeping software up to date, running a security program that scans for known threats and staying alert to the latest phishing scams – is an effective way to counter many of the cyber threats facing SMEs,” she says. “There really is no excuse not to do these things. They aren’t rocket science and they’ll help you to avoid so much pain in the long run.”