In the four months since its invasion of Ukraine, Russia hasn't intensified its usual pattern of cyberattacks against the U.S. and Western Europe in response to sanctions and Western military aid to Ukraine, as many expected. But that doesn't mean the risk of escalation with the West is gone, numerous experts told Protocol.
In other words, don't lower your shields just yet.
At the moment, it's clear that Vladimir Putin has made a calculation not to inflame tensions with the West, said Dmitri Alperovitch, the Russian-born cybersecurity and geopolitics expert who co-founded CrowdStrike.
But if things don't go Putin's way on Ukraine and sanctions, he "may very well resort back to cyber to increase pressure on the West," Alperovitch said.
Ciaran Martin, who was the founding CEO of the U.K. government's National Cyber Security Centre, agreed that Putin's approach toward the West on cyber may change in response to events on the ground in Ukraine. "Russia could decide that it needs to make a point to the West, in an escalatory way," Martin said, though "the chances of [that] are not high at the moment."
To get a better sense of the current state of the Russian cyber threat against the West, Protocol recently spoke with 20 experts — including threat researchers, former government officials and those with expertise on critical infrastructure and Russia.
A number of them are concerned that, as soon as later this year, Putin may give the green light for major cyberattacks aimed at disrupting critical infrastructure and supply chains in the West. A surge of attacks from proxy groups is also probable, according to some Russia watchers.
"I fear this is a 'calm before the storm' situation," said Chester Wisniewski, principal research scientist at cybersecurity giant Sophos.
In all likelihood, the political and economic issues facing the Kremlin will only continue to mount, raising the prospects of Russia bringing new cyber pressure against the U.S., said Chris Krebs, former director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
"Once they start losing good options, they're going to start using some of their capabilities they've kept in reserve to strike back at the U.S. and say, 'Hey, wipe off the sanctions,'" Krebs said. "How are they going to do it? It would be a highly visible, likely destructive attack."
Initial U.S. government warnings of a potential for disruptive Russian cyberattacks did not play out the way that many expected.
On February 11, CISA issued its first "Shields Up" warning, urging increased cyber readiness as Russia amassed troops near Ukraine's borders.
Later in February, when Russia struck Ukraine with a series of data-wiper attacks followed by the invasion of the country, the CISA warning looked prescient. Surely, many experts assumed, Russian cyberattacks would soon be directed at the U.S. and the other nations that were backing Ukraine.
But as far as the public knows, this didn't happen. The past several months have actually been even quieter than usual, according to many security professionals.
"I don't think anyone expected effectively no retaliatory actions," said Ryan Olson, vice president of Threat Intelligence at Palo Alto Networks' Unit 42 group.
CISA's "Shields Up" program has been a success in terms of raising awareness; the campaign almost instantly became a rallying point for cyber defenders in the U.S.
But while grateful that the attacks didn't materialize, cybersecurity teams started to wonder if they were supposed to stay in "Shields Up" mode indefinitely.
CISA Director Jen Easterly did consider whether to move to a status like "shields normal," she said during a panel at the RSA Conference this month. But she eventually concluded that "Shields Up" is "really the new normal."
"We all know, though, we can't sustain the highest level of alert for an extensive period of time," Easterly said during the RSA panel. That has prompted plans to develop an advisory framework that can give some indication of what the current threat is, based on intelligence and information from partners, she said. (CISA declined to make a representative available for an interview for this article.)
If Putin does decide to escalate, among the top questions is whether Russia would take the extreme measure of launching a cyberattack against U.S. critical infrastructure.
It's worth pointing out that the highest-profile attack of this type in U.S. history, the ransomware attack that struck fuel pipeline operator Colonial Pipeline a year ago, was probably an accident. The Russia-based group behind the attack, which led to gas shortages across the Southeastern U.S., likely wasn't trying to cause a disruption that large, according to several experts.
But with U.S.-Russia relations further deteriorating thanks to the Ukraine war, some experts believe the Kremlin's appetite for critical infrastructure attacks may have changed. Now attacks like Colonial Pipeline "are the kinds of things I would expect that [the Russians] might want to do intentionally," Sophos' Wisniewski said.
Based on nearly two decades of following cybercrime activity out of Eastern Europe, he said, "My instinct is that if a group could intentionally pull that off, they would now get kudos."
This potential shift is important because, even in the wake of Colonial Pipeline, cybersecurity remains underfunded for many critical infrastructure operators.
"We have sprawling critical infrastructure that has been ignored from a security standpoint for a long time," said Katell Thielemann, a vice president analyst at Gartner. "For a determined aggressor, it's not too hard to find the weak points."
Meanwhile, the knowledge is spreading for how to attack critical infrastructure and supply chains.
Evidence suggests that two recent strains of malware targeting industrial systems were developed within weeks, while those systems have also seen an uptick in vulnerabilities, according to Thielemann. All of which means, she said, that "the risk profile has increased" for industrial environments.
Infrastructure that American society considers "critical" is also broader than just the electric grid and water utilities, said Justin Fier, formerly a cybersecurity specialist for Lockheed Martin and other defense contractors.
"We shouldn't just focus on the Hollywood scenarios — turning out the lights and the water," said Fier, who is now vice president of Tactical Risk and Response at Darktrace. "It could be something so much simpler."
The effects from shortages of baby formula and technology components such as chips have been significant; it's not hard to see how an intentional disruption of supply chains by a Russian cyberattack could quickly turn into a crisis, Fier said.
If the goal is to deliver a blow to critical infrastructure, a direct breach may not be necessary either. Attacking a third-party service provider or manufacturer could have a similar effect to a direct hit on a utility, and such a target would likely have weaker cyber defenses.
If a producer of a single component used in transformers were to go down, for example, "I don't know that you're going to be able to build a transformer anymore," said Betsy Soehren-Jones, formerly the director of cyber and physical security strategy for energy utility Exelon.
Likewise, if the company that prints bills used by a utility experiences a ransomware attack, that utility will struggle to keep business going, said Soehren-Jones, who is now COO of Fortress Information Security. When it comes to cyberattacks from Russia on critical infrastructure, she said, "I am way more worried about business continuity than I am direct hits."
Ultimately, in whatever form it takes, "that big national critical infrastructure attack is probably still very much on the horizon," Fier said.
Dave DeWalt, the former CEO of FireEye and McAfee, sees attacks on critical infrastructure and increased ransomware as probable toward the end of the year. "I believe we have a massive wave coming at us," DeWalt said.
"For every dollar of sanctions, they're going to try to get a dollar back — that's what I think they're going to do," said DeWalt, who is now founder and managing director of venture firm NightDragon. "It could be measured in trillions."
Cyberattacks could accomplish many goals at once for Putin: They would distract the national security community, exact financial costs and create fear in the populace, said Jonathan Reiber, vice president of Cybersecurity Strategy and Policy at AttackIQ.
While there's no definitive evidence that the Kremlin coordinates with Russia-based cybercriminal groups to any degree, the prominent ransomware gang Conti did vow to support Russia at the start of the Ukraine war. And the recent leaks of alleged Conti chat logs suggest ties between the group and the Russian Federal Security Service (FSB), noted Sergey Potseluy, a Ukrainian who is a senior researcher at Intel 471.
In the past, nobody would've imagined that the Kremlin had directed an attack on a health care system, said Martin, who is now a professor in the Blavatnik School of Government at the University of Oxford. But Conti's statement of fealty to Russia, he said, suggests that "its relationship with the state has changed."
And so, in the event of a future attack by Conti on a Western target, "would it be seen to be acting as an authorized proxy for the state?" Martin said. "Because then if it does something that's hugely disruptive to the welfare of a Western country, that's a different issue."
Just how much the Kremlin might coordinate with the cybercriminal groups around a future cyber strike against the U.S. and Western Europe is up for debate.
If Russia wants to send a message to the West in response to the sanctions and military aid to Ukraine, its forces can deliver that "in a clearer format than just siccing the ransomware gangs on the West," said Matthew Olney, director of Cisco's Talos Threat Intelligence Group.
If the U.S. did face a retaliatory strike from the Kremlin, it would most likely involve data-wiping malware, Unit 42's Olson said.
The costliest cyberattack of all time, the NotPetya attack on Ukraine nearly five years ago to the day, was a wiper disguised to look like ransomware. And in recent months, Russia has deployed dozens of wipers against Ukrainian agencies and critical infrastructure, some of which have posed as ransomware, researchers say.
If Russia does launch cyber retaliation against Ukraine's allies, a wiper attack on critical infrastructure pretending to be the work of a ransomware group is a strong possibility, Olson said.
If Putin can't get rid of the sanctions through other means, a wiper attack could be deployed to turn up the pressure, said Krebs, who was the first director of CISA and is now a founding partner at cybersecurity consulting firm Krebs Stamos Group.
Such an attack, he said, "would go after key sectors and segments that would get the attention" the Kremlin is seeking. "Every organization right now should be looking very hard at [the wiper threat] and saying, 'How could I be potentially affected here?'"
Going forward, threat researchers at Microsoft see a possibility for destructive attacks against financial, transportation and communications providers in regions including the European Union, said Justin Warner, senior threat intelligence analyst at the Microsoft Threat Intelligence Center, in an email.
According to a Microsoft report released last week, Russian agencies have been conducting network intrusion attempts across a wide swath of NATO countries in the months since the invasion, with the U.S. being the top target.
Microsoft says that 29% of the attacks successfully breached the target networks, which included government agencies, IT enterprises and critical infrastructure organizations.
"It would certainly be in keeping with the way that Russia operates to make a lot of noise over in Ukraine, [while] they are executing a much more covert and persistent attack against a completely different target," said Daniel Clayton, formerly an intelligence operations center branch chief for the U.K. government and the NSA.
"It's been my experience for a long time that you have to never look where [Russia is] making all the noise," said Clayton, who is now vice president of Global Security Services and Technical Support at Bitdefender.
Experts also anticipate an increase in disinformation activities by Russia targeting the U.S., in tandem with cyber activity. "Putin is an opportunist, and he's going to use both tools in combination with one another," said Jessica Brandt, policy director for the Artificial Intelligence and Emerging Technology Initiative at the Brookings Institution.
Earlier this month, Russia's foreign ministry blamed the U.S. and Ukraine for cyberattacks against government institutions and critical infrastructure in the country, saying in a statement that it would "not leave aggressive actions unanswered." The statement followed comments by U.S. Army Gen. Paul Nakasone, who heads the Cyber Command and NSA, signaling that the U.S. has engaged in offensive cyber operations in support of Ukraine.
An intensification in cyberattacks against the U.S. and other NATO countries becomes more likely when Putin has either "achieved a stalemate or he's losing — where he has no other options," said Reiber, previously chief strategy officer for Cyber Policy in the Office of the Secretary of Defense during the Obama administration.
Another former Obama administration official, Jeffrey Edmonds, suspects the Russians "might be holding their punches" on cyber while waiting to see how things develop in Ukraine.
If Putin does end up wanting to send a message in the form of cyberattacks against the U.S. and Western Europe, it would have to represent an escalation above the usual baseline of activity, said Edmonds, former director for Russia on the National Security Council during the Obama administration. "They'd have to deviate from the norm," he said.
However, Putin may not feel the need to intensify cyberattacks against the U.S. if he can achieve his goal of getting sanctions lifted without them, said Alperovitch, formerly CrowdStrike's CTO and now the co-founder and executive chairman of Silverado Policy Accelerator, a Washington think tank.
While some view Putin's actions as irrational, "All of his decisions are actually perfectly understandable, if you put yourself in his shoes," Alperovitch said. And crucially, "Many of them are predictable."
Case in point: in December 2021, two months before it happened, Alperovitch predicted that Russia would invade Ukraine that winter.
Currently, Putin's strategy is "driven by his belief that he's actually winning," Alperovitch said. This confidence is based on Russia's acquisition of Ukrainian territory and, more critically, its blockade of the Black Sea, which is exacerbating food prices worldwide, according to Alperovitch.
As a result, Putin thinks he has leverage to win concessions from the West on sanctions. "With that mindset, there's no point in trying to make things worse by launching cyberattacks," Alperovitch said.
However, if this fails, "He may decide that [cyber] is a tool worth pursuing" for driving inflation and economic instability even higher. Alperovitch doesn't expect that scenario to be a possibility until this coming winter at the earliest.
"Would launching cyberattacks right now help him with this goal? I would argue no. And I think he's making the same decision," Alperovitch said. "But that can — and perhaps will — change."