Conflict in Ukraine: A turning point for cybersecurity

Introduction

If the conflict in Ukraine signals a global realignment of powers, its impact will be no less felt in cybersecurity. Although the adversaries already have a long history with cyberattacks, the evolution of cyberthreat activity could shape the nature of conflict in the future — an evolution already evident in campaigns over the past several years, affecting targets beyond the immediate theater of this fight, as well as in the run-up to the recent escalation in a kinetic conflict.

Experience indicates that cyber conflict can have a significant impact well beyond any immediate sphere of aggression. The well-documented capabilities of adversaries in this present conflict raise significant questions. What impact might cyberattacks have, not only among the combatants, but on everyone from allies to the unintended victims of activity? What might be the impact of strikes, as well as counterstrikes, in the cyber realm? And what does this mean, not just for the cybersecurity industry, but for the continued advance of pervasive digitization overall?

We explore these questions in light of the historic activity by aggressors and manifested against targets in Ukraine. We highlight aspects of cybersecurity likely to be accentuated by activity that may arise from this conflict, and areas where we expect to see that activity manifest among the providers of cyber defense in technologies and services.

Past as prologue

This is not the first conflict in this region in which cyberattacks have played a significant role. Cyber incidents surrounding the controversy of the "Bronze Soldier" memorial in Tallinn, Estonia, in 2007 were followed by the establishment of the NATO Cooperative Cyber Defence Centre of Excellence in Tallinn in 2008. In that same year, cyberattacks targeted critical infrastructure in Georgia during conflict that enveloped that region. Similar cyberattacks appeared in Ukraine in 2014 when the Donbas region revolted. In 2015, the BlackEnergy attacks against the Ukraine power grid demonstrated the ability of cyberattacks to cripple power supply in the region.

These incidents have already demonstrated the fallout of a cyber conflict exacerbated by the outbreak of physical battle. Such an escalation in a region implicated in a significant share of aggressive cyber activity was further heralded in the days leading up to the outbreak of physical conflict, in cyberattacks against Ukrainian infrastructure, banking, energy and government resources.

The threat extends further to the potential for retaliation in the cyber realm. Already, reports have emerged concerning the options allies and supporters may be considering for their own cyberattacks, including the disruption of power and transportation in targeted nations. Meanwhile, reports have also emerged that combatants are appealing to volunteers in the cybersecurity community to become involved.

These factors raise the possibility that a cyber conflict could extend beyond the principal combatants and potentially impact others around the world — a concern not limited to intentional targeting. In 2017, an attack leveraging the NotPetya malware targeted Ukrainian business software M.E.Doc. Because the attack indiscriminately automated its discovery and exploitation of exposures with rapid and devastating effect, victims included those that interfaced with the intended targets, spreading further to other assets similarly networked.

The result was a widescale impact felt particularly among those with globally extended networks on which there was immediate day-to-day dependence for fundamental business operations. Worldwide logistics provider A.P. Møller - Mærsk A/S, for example, sustained what it later assessed to have been as much as $300 million in damage from the outages it suffered. A 2018 assessment by the U.S. estimated total damage at more than $10 billion, with the White House calling it "the most destructive and costly cyberattack in history."

When targeting has been deliberate, participants in the current conflict have been implicated in some of the most wide-ranging attacks seen around the world to date, with implications far beyond the immediate victims. Various researchers and governments have pointed fingers at Russian operatives in attacks against SolarWinds Corp., Kaseya Ltd., Microsoft Corp. and others over the last several months. The disturbing trend in these attacks is the targeting of the IT supply chain. Principal targets included vendors whose products are used to manage IT among their customers — IT that, in turn, may host or support other relying parties further on in the supply chain.

Such an attack could provide an adversary with significant visibility and control across all the entities dependent on these direct targets, extending throughout the fabric of IT reliance — one of the most prominent examples of a campaign that exerts broad leverage for wide impact from compromising a limited but strategic scope of primary objectives. This suggests the leverage a state actor may seek to exert against those that might aid or support their opponents. While that leverage could not be exerted without blowback to the combatant, it would nevertheless likely make any potential ally — or foe — in such a conflict think twice about its options for response.

This concern is amplified by the knowledge that adversaries may have already penetrated targets and achieved persistence without sufficient (or any) detection or intervention. The campaign against SolarWinds was discovered almost incidentally when an operative at Mandiant Inc. took note of multifactor access being sought by a device not recognized as legitimate. This is a prime example of the benefits of a thorough approach to mature security processes — a maturity not always felt as keenly by every organization, depending on the degree to which it has assessed its cyberrisks and the priority it gives to their mitigation. This sort of incident also speaks to the sometimes serendipitous ways that cyber activity can be discovered. This also means hope for the defender, as we consider below.

More recently, threat research has reported evidence of similar activity in the infiltration of small office-home office networking gear by malware known as Cyclops Blink, which shows evidence of being a successor to the VPNFilter malware that had reportedly infected some 500,000 home and small- and medium-sized business network products in 2018. VPNFilter manifested the ability to observe and potentially manipulate traffic, including protocols used in industrial and operational technology, or OT, and the industrial internet of things, or IIoT. The FBI in the U.S. seized a domain to sinkhole this activity in 2018 — activity the FBI attributed to Russian operatives in an affidavit the bureau submitted in support of the seizure.

In this affidavit, the FBI also attributed the BlackEnergy attacks against the Ukraine power grid to the same actors. Researchers more recently implicated Russian operatives in ransomware attacks, including that against Colonial Pipeline, which impacted energy supply throughout the eastern U.S. in 2021, while attacks against oil terminals in the Amsterdam-Rotterdam-Antwerp region and the Mabanaft and Oiltanking terminals in Germany appeared in the last few weeks. These attacks preceded denial-of-service and defacement attacks of sites in Ukraine shortly before the outbreak of physical conflict, suggesting that disruption and demoralization may have been the objectives in at least some of these cases, hampering the coordination of support for combatants opposing the cyberthreat actors involved.

Implications for cyber defense — and the market that serves it

What does all this mean for providers of cyber defense technologies and services, and where do we expect to see further or increased momentum in this market?

Further fuel for threat intelligence, detection and "outside in" visibility: There was more than $5 billion in M&A activity in 2021 among companies dealing in various aspects of adversary awareness. From threat intelligence to technologies and services that give defenders the attacker's view of targets and opportunities, we expect the conflict in Ukraine and its potential fallout beyond the region to stimulate even more activity in this trend. We expect this momentum to be equally manifest in terms of threat detection — already an area of intense interest to organizations across industries. In 2021, our Voice of the Enterprise: Information Security survey showed that threat detection and response was the top category of security technology that organizations were planning to deploy in the months ahead.

Actionable defense for OT and IIoT: The targeting of the Ukraine power grid evident in the BlackEnergy attacks and similar activity elsewhere suggests the threat that cyberattacks pose to physical resources and dependencies. These dependencies may be used as leverage against allies of combatants. The area in conflict is a supplier of energy in multiple forms to the surrounding region well beyond the borders of each — but that only represents the physical component of leverage against digitally enabled controls combatants may call upon to mute opposition. The ability to disrupt critical functionality well beyond the borders of conflict poses a threat to allies the world over and potentially includes realms far removed from energy. Evidence of previous attacks against everything from healthcare systems to water supplies suggests the potential scope of threat, which could increase the value of mitigations to OT and IIoT risks.

Increased focus on security in the IT supply chain: Many Ukrainian IT and operational technologies were implemented in or by Russian firms, creating a possible avenue for Russian cyberthreat actors to move against Ukrainian targets. This may give Russian operatives deep and detailed knowledge of these environments to exploit, which could have direct implications beyond the borders of conflict, given that the backbone of communication lines between Europe and Asia may run through the region. The intent to achieve a similar level of leverage is further evident in incidents beyond the area, in attacks that sought to amplify impact through IT supply chain exploits that revealed a high degree of familiarity with the primary target. Together, these factors put a high bar on the mitigation of threats arising from the IT supply chain. The challenge for opportunists in this realm will be balancing depth with breadth. The recognition of exploits in defensive tools may require the same depth of familiarity with an individual target that the attacker shows, while the scope of dependencies in online services continues to expand, making the challenge of breadth equally daunting. Demand for functionality that can tame these twin challenges can be expected to increase, but their effectiveness may be hampered by just how far they can go to mitigate risk in the ever-widening interconnectivity of IT and digital resources.

Emphasis on greater resilience for recovery: Ransomware continues to demonstrate the essential nature of domains such as backup and recovery. These resources must be resistant to compromise, as they are often the last line of defense against a destructive cyberattack. Hardening recovery and resilience capabilities against attack and insulating them as far as possible from the reach of the attacker will be even more important, should the present conflict demonstrate the willingness of combatants or allied parties to escalate the destructive nature of attacks.

Whither cyber insurance? Among the victims of the indiscriminate nature of NotPetya in 2017 was Merck & Co. Inc., a pharmaceutical company whose insurance claims for hundreds of millions of dollars in lost revenue, remediation and recovery were denied owing to a policy exclusion for "acts of war" following military intervention in Ukraine beginning in 2014. In January, Merck won a $1.4 billion lawsuit against its insurer, ACE American, arguing that it had become vital to define warfare in the digital age. This outcome may influence both the cost and extent of coverage for cyber insurance, which has already been strained by repeated attacks, such as ransomware, in recent years, forcing organizations to reexamine the role insurance plays in mitigating their exposures. Such reexamination could further shift even more attention to the benefits of investing in cyber defense and resilience — an investment that insurers may require to qualify for what coverage they may offer.

Defenders have leverage, too

We may have seen the nature of cyberattacks manifesting around the conflict in Ukraine many times before, but the motivation to make the most of them now becomes a factor in prosecuting a kinetic war. Defenders may find the potential to increase the severity of attacks disturbing, but that does not mean the challenge is hopeless.

Defenders must keep in mind that the adversary is also exposed to risk. Whenever opponents uncover tools and tactics in threat evidence, the adversary has tipped their hand — and may have revealed their own exposures as well as their methods. As the efficacy of cybersecurity technology increases in realms such as threat detection, it raises the bar for the attacker and introduces new opportunities for the defender. The extent to which defenders may rise to the challenge will be the question, especially digitization and the scope and scale of IT continue to grow.

The cybersecurity industry will be eager to provide as many answers to this question as it can. It is not just nations and military forces, or even vital public and critical infrastructure services, that must respond. If cyberattacks extend to physical assets, targeting energy resources, transportation and financial systems, what are the implications for ongoing digital transformation as a whole? Sadly, this may demonstrate yet again the power of conflict to drive innovation, as it has so often before.

^{This article was published by S&P Global Market Intelligence and not by S&P Global Ratings, which is a separately managed division of S&P Global.}