Fuel storage tanks connected to the Colonial Pipeline system, which was the target of a ransomware attack last year.
Samuel Corum/Bloomberg
Amid the most dangerous geopolitical time in decades, President Joe Biden last week warned US business leaders of the threat of Russian cyberattacks, pleading with them to do more to prepare. To understand why the White House is so worried about the Russian cyberthreat, it’s important to look back at a 2017 hacking incident that never received enough attention.
NotPetya, as it was called, was malware used by Russian military hackers to attack Ukraine, but its impact went way beyond the intended target. The malware was downloaded as an update to commonly used Ukrainian tax preparation software and spread rapidly from there. The United States estimated damages of some $10 billion to multinational companies. In 2019, FedEx CEO Fred Smith called NotPetya “the largest single attack by a state-sponsored entity in world history.” And it could happen again.
Biden’s latest warning about “evolving intelligence” around Russian cyberattacks underscores the immense risks to an economy dominated by digital systems. Think of our digital economy as a building with 30 billion doors, many with flimsy locks, if any.
CISA, the US Cybersecurity and Infrastructure Security Agency, has warned that Russian state-sponsored actors have targeted industries ranging from energy and healthcare to banking and critical manufacturing, as well as governments and electoral organizations. They see risks to undersea cables, satellite communication systems and industrial controls. Unfortunately, there are precedents, including the Colonial Pipeline ransomware attack from last year, the 2020 SolarWinds software supply chain incident and the 2016 Democratic National Committee hack.
Although no such attack has surfaced since the start of the war in Ukraine, US officials are seeing evidence of Russian actors scanning US networks, looking for vulnerabilities. Because the private sector controls the vast majority of America’s infrastructure – the power grid, communications services, pipelines, water systems and hospitals – defense against digital armageddon depends on the thousands of companies that drive the American economy.
Last week, I reached out to executives at major cybersecurity companies and asked them to assess the threat. Here is what they said:
Lack of significant attacks so far doesn’t mean much. Ukraine’s surprising defense capabilities and the West’s unified sanctions could push Russia to become more cyber-aggressive. Tom Glocer, executive chairman of venture capital-backed cybersecurity firm BlueVoyant, said it would be a mistake to conclude that Russia’s cybersecurity expertise was overrated. “We haven’t seen what they’re capable of yet,” he says. “That means our customers need to be on their toes.”
Some economic sectors are better prepared than others. John Hultquist, vice president of intelligence analysis at the cyber breach response company Mandiant (ticker: MNDT), which is being acquired by Alphabet (GOOGL) for $5.4 billion, says the financial services and oil and gas industries are “the most mature security players in the game” and early adopters of advanced security practices. They “think about Russian threats all the time,” he says, noting that previous attacks have been a continuous, years-long test of corporate security systems.
Attacks don’t need to be sophisticated to be effective. Russian actors “rely on fairly mundane techniques and tactics,” says Nicholas Warner, chief operating officer at SentinelOne (S), a cyber threat detection company. That’s all the more reason to engage in “basic hygiene,” he says, like training employees to report unusual network behavior and patching software. “Commercial software has known vulnerabilities. Malware actors know this. Doing these things greatly reduces the threats.”
Michael Sentonas, chief technology officer at CrowdStrike Holdings (CRWD), says popular advice for patching vulnerable software is often easier said than done. “It’s a huge problem. We see this constantly, where there are vulnerabilities that have been patched for months and have not been patched. Sometimes we fear that a patch will break a machine. And it’s never just a patch.” More than 60% of the time, according to Sentonas, attacks don’t involve malware: hackers can use stolen credentials or other simple means to break into weakly protected networks.
There are risks of real-world effects. BlueVoyant’s Glocer notes that some infrastructure, like water purification and power plants, has older technology that wasn’t originally designed with network connectivity in mind. He sees risks of Russia attacking embedded systems in industrial equipment and points to the Stuxnet attack on Iran’s nuclear program as a demonstration of what is possible. “You can do physical damage in the real world,” he says. “If you can shut down the power grid, you can have the maximum impact on the people in a given area.”
Russian hackers won’t start WWIII. Nick Biasini, outreach manager at Cisco Talos, Cisco’s (CSCO) threat intelligence arm, says Russia will seek to “cause pain in the chaos”, but in a way it can mitigate quickly.
“No one should panic,” adds Hultquist of Mandiant. Most potential attacks are “non-violent and reversible”, he says, “which is why they are on the table”. He thinks the Russians are looking for ways to respond to sanctions that don’t trigger “kinetic” retaliation involving real-world weapons.
In the current climate, that might actually be cause for optimism.
Write to Eric J. Savitz at eric.savitz@barrons.com