Security experts are bracing for major cyberattacks against the West if Russia gets desperate

In response to strong sanctions and military aid to Ukraine, Russia was expected to launch disruptive cyberattacks against the West but never did. But a cyberescalation from Russia still remains possible, as soon as later this year, according to experts.


Illustration: Nanzeeba Ibnat/iStock/Getty Images Plus

In the four months since its invasion of Ukraine, Russia hasn't intensified its usual pattern of cyberattacks against the U.S. and Western Europe in response to sanctions and Ukrainian military aid, as many expected. But that doesn't mean the risk of escalation with the West is gone, numerous experts told Protocol.

In other words, don't lower your shields just yet.

At the moment, it's clear that Vladimir Putin has made a calculation not to inflame tensions with the West, said Dmitri Alperovitch, the Russian-born cybersecurity and geopolitics expert who co-founded CrowdStrike.

But if things don't go Putin's way on Ukraine and sanctions, he "may very well resort back to cyber to increase pressure on the West," Alperovitch said.

Ciaran Martin, who was the founding CEO of the U.K. government's National Cyber Security Centre, agreed that Putin’s approach toward the West on cyber may change in response to events on the ground in Ukraine. “Russia could decide that it needs to make a point to the West, in an escalatory way," Martin said, though “the chances of [that] are not high at the moment.”

To get a better sense of the current state of the Russian cyber threat against the West, Protocol recently spoke with 20 experts — including threat researchers, former government officials and those with expertise on critical infrastructure and Russia.

A number of them are concerned that, as soon as later this year, Putin may give the green light for major cyberattacks aimed at disrupting critical infrastructure and supply chains in the West. A surge of attacks from proxy groups is also probable, according to some Russia watchers.

"I fear this is a 'calm before the storm' situation," said Chester Wisniewski, principal research scientist at cybersecurity giant Sophos.

In all likelihood, the political and economic issues facing the Kremlin will only continue to mount, raising the prospects of Russia bringing new cyber pressure against the U.S., said Chris Krebs, former director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

"Once they start losing good options, they're going to start using some of their capabilities they've kept in reserve to strike back at the U.S. and say, 'Hey, wipe off the sanctions,'" Krebs said. "How are they going to do it? It would be a highly visible, likely destructive attack."

Shields up

Initial U.S. government warnings of a potential for disruptive Russian cyberattacks did not play out the way that many expected.

On February 11, CISA issued its first "Shields Up" warning, urging increased cyber readiness as Russia amassed troops near Ukraine's borders.

Later in February, when Russia struck Ukraine with a series of data-wiper attacks followed by the invasion of the country, the CISA warning looked prescient. Surely, Russian cyberattacks would soon be directed toward the U.S. and other nations who were backing Ukraine, many experts assumed.

But as far as the public knows, this didn't happen. The past several months have actually been even quieter than usual, according to many security professionals.

"I don't think anyone expected effectively no retaliatory actions," said Ryan Olson, vice president of Threat Intelligence at Palo Alto Networks' Unit 42 group.

CISA’s "Shields Up" program has been a success in terms of raising awareness; the campaign almost instantly became a rallying point for cyber defenders in the U.S.


But while grateful that the attacks didn't materialize, cybersecurity teams started to wonder if they were supposed to stay in "Shields Up" mode indefinitely.

CISA Director Jen Easterly did consider whether to move to a status like "shields normal," she said during a panel at the RSA Conference this month. But she eventually concluded that "Shields Up" is "really the new normal."

"We all know, though, we can't sustain the highest level of alert for an extensive period of time," Easterly said during the RSA panel. That has prompted plans to develop an advisory framework that can give some indication of what the current threat is, based on intelligence and information from partners, she said. (CISA declined to make a representative available for an interview for this article.)

If Putin does decide to escalate, among the top questions is whether Russia would take the extreme measure of launching a cyberattack against U.S. critical infrastructure.

It's worth pointing out that the highest-profile attack of this type in U.S. history — which struck fuel pipeline operator Colonial Pipeline a year ago — was probably an accident. The Russia-based group behind the ransomware attack, which led to gas shortages across the Southeastern U.S., likely wasn't trying to do something so big, according to several experts.

But with U.S.-Russia relations further deteriorating thanks to the Ukraine war, some experts believe the Kremlin's appetite for critical infrastructure attacks may have changed. Now attacks like Colonial Pipeline "are the kinds of things I would expect that [the Russians] might want to do intentionally," Sophos' Wisniewski said.

Based on nearly two decades of following cybercrime activity out of Eastern Europe, he said, "My instinct is that if a group could intentionally pull that off, they would now get kudos."

This potential shift is important because, even in the wake of Colonial Pipeline, cybersecurity remains underfunded for many critical infrastructure operators.

"We have sprawling critical infrastructure that has been ignored from a security standpoint for a long time," said Katell Thielemann, a vice president analyst at Gartner. "For a determined aggressor, it's not too hard to find the weak points."

Meanwhile, the knowledge is spreading for how to attack critical infrastructure and supply chains.

Evidence suggests that two recent strains of malware targeting industrial systems were developed within weeks, while those systems have also seen an uptick in vulnerabilities, according to Thielemann. All of this means, she said, that "the risk profile has increased" for industrial environments.

Supply chains

Infrastructure that American society considers "critical" is also broader than just the electric grid and water utilities, said Justin Fier, formerly a cybersecurity specialist for Lockheed Martin and other defense contractors.

"We shouldn't just focus on the Hollywood scenarios — turning out the lights and the water," said Fier, who is now vice president of Tactical Risk and Response at Darktrace. "It could be something so much simpler."

The effects from shortages of baby formula and technology components such as chips have been significant; it's not hard to see how an intentional disruption of supply chains by a Russian cyberattack could quickly turn into a crisis, Fier said.

If the goal is to deliver a blow to critical infrastructure, a direct breach may not be necessary either. Attacking a third-party service provider or manufacturer could have a similar effect to a direct hit on a utility and would likely be met with weaker cyber defenses.

If a producer of a single component used in transformers were to go down, for example, "I don't know that you're going to be able to build a transformer anymore," said Betsy Soehren-Jones, formerly the director of cyber and physical security strategy for energy utility Exelon.

Likewise, if the company that prints bills used by a utility experiences a ransomware attack, that utility will struggle to keep business going, said Soehren-Jones, who is now COO of Fortress Information Security. When it comes to cyberattacks from Russia on critical infrastructure, she said, "I am way more worried about business continuity than I am direct hits."

Ultimately, in whatever form it takes, "that big national critical infrastructure attack is probably still very much on the horizon," Fier said.

Dave DeWalt, the former CEO of FireEye and McAfee, sees attacks on critical infrastructure and increased ransomware as probable toward the end of the year. "I believe we have a massive wave coming at us," DeWalt said.

"For every dollar of sanctions, they're going to try to get a dollar back — that's what I think they're going to do," said DeWalt, who is now founder and managing director of venture firm NightDragon. "It could be measured in trillions."

Cyberattacks could accomplish many goals at once for Putin: They would distract the national security community, exact financial costs and create fear in the populace, said Jonathan Reiber, vice president of Cybersecurity Strategy and Policy at AttackIQ.

While there's no definitive evidence that the Kremlin coordinates with the Russia-based cybercriminal groups to any degree, prominent ransomware gang Conti did vow to support Russia at the start of the Ukraine war. And the recent leaks of alleged Conti chat logs suggest ties between the group and the Russian Federal Security Service (FSB), noted Sergey Potseluy, a Ukrainian and senior researcher at Intel 471.

Conti has been characterized as an especially ruthless ransomware gang, responsible for the May 2021 attack that crippled Ireland's public health care system, among others.

In the past, nobody would've imagined that the Kremlin had directed an attack on a health care system, said Martin, who is now a professor in the Blavatnik School of Government at the University of Oxford. But Conti's statement of fealty to Russia, he said, suggests that "its relationship with the state has changed.”

And so, in the event of a future attack by Conti on a Western target, "would it be seen to be acting as an authorized proxy for the state?" Martin said. "Because then if it does something that's hugely disruptive to the welfare of a Western country, that's a different issue."


Just how much the Kremlin might coordinate with the cybercriminal groups around a future cyber strike against the U.S. and Western Europe is up for debate.

If Russia wants to send a message to the West in response to the sanctions and military aid to Ukraine, its forces can deliver that "in a clearer format than just siccing the ransomware gangs on the West," said Matthew Olney, director of Cisco's Talos Threat Intelligence Group.

Wiper attacks

If the U.S. did face a retaliatory strike from the Kremlin, it would most likely involve data-wiping malware, Unit 42's Olson said.

The costliest cyberattack of all time, the NotPetya attack on Ukraine nearly five years ago to the day, was a wiper disguised to look like ransomware. And in recent months, Russia has deployed dozens of wipers against Ukrainian agencies and critical infrastructure, some of which have posed as ransomware, researchers say.

If Russia does launch cyber retaliation against Ukraine's allies, a wiper attack on critical infrastructure pretending to be the work of a ransomware group is a strong possibility, Olson said.

If Putin can't get rid of the sanctions through other means, a wiper attack could be deployed to turn up the pressure, said Krebs, who was the first director of CISA and is now a founding partner at cybersecurity consulting firm Krebs Stamos Group.

Such an attack, he said, "would go after key sectors and segments that would get the attention" the Kremlin is seeking. "Every organization right now should be looking very hard at [the wiper threat] and saying, 'How could I be potentially affected here?'"

Going forward, threat researchers at Microsoft see a possibility for destructive attacks against financial, transportation and communications providers in regions including the European Union, said Justin Warner, senior threat intelligence analyst at the Microsoft Threat Intelligence Center, in an email.

According to a Microsoft report released last week, Russian agencies have been conducting network penetration tests across a wide swath of NATO countries in the months since the invasion, with the U.S. being the top target.

Microsoft says that 29% of the attacks successfully breached the target networks, which included government agencies, IT enterprises and critical infrastructure organizations.

"It would certainly be in keeping with the way that Russia operates to make a lot of noise over in Ukraine, [while] they are executing a much more covert and persistent attack against a completely different target," said Daniel Clayton, formerly an intelligence operations center branch chief for the U.K. government and the NSA.

"It's been my experience for a long time that you have to never look where [Russia is] making all the noise," said Clayton, who is now vice president of Global Security Services and Technical Support at Bitdefender.

Experts also anticipate an increase in disinformation activities by Russia targeting the U.S., in tandem with cyberactivity. "Putin is an opportunist, and he's going to use both tools in combination with one another," said Jessica Brandt, policy director for the Artificial Intelligence and Emerging Technology Initiative at the Brookings Institution.

Earlier this month, Russia's foreign ministry blamed the U.S. and Ukraine for cyberattacks against government institutions and critical infrastructure in the country, saying in a statement that it would "not leave aggressive actions unanswered." The statement followed comments by U.S. Army Gen. Paul Nakasone, who heads the Cyber Command and NSA, signaling that the U.S. has engaged in offensive cyber operations in support of Ukraine.

An intensification in cyberattacks against the U.S. and other NATO countries becomes more likely when Putin has either "achieved a stalemate or he's losing — where he has no other options," said Reiber, previously chief strategy officer for Cyber Policy in the Office of the Secretary of Defense during the Obama administration.

Another former Obama administration official, Jeffrey Edmonds, suspects the Russians “might be holding their punches” on cyber while waiting to see how things develop in Ukraine.

If Putin does end up wanting to send a message in the form of cyberattacks against the U.S. and Western Europe, it would have to represent an escalation above the usual baseline of activity, said Edmonds, former director for Russia on the National Security Council during the Obama administration. “They'd have to deviate from the norm,” he said.

However, Putin may not feel the need to intensify cyberattacks against the U.S. if he can achieve his goal of getting sanctions lifted without them, said Alperovitch, formerly CrowdStrike's CTO and now the co-founder and executive chairman of Silverado Policy Accelerator, a Washington think tank.

While some view Putin's actions as irrational, "All of his decisions are actually perfectly understandable, if you put yourself in his shoes," Alperovitch said. And crucially, "Many of them are predictable."

Case in point, in December 2021, Alperovitch predicted that Russia would invade Ukraine during the winter, two months before it happened.

Currently, Putin's strategy is "driven by his belief that he's actually winning,” Alperovitch said. This confidence is based on Russia's acquisition of Ukrainian territory and, more critically, its blockade of the Black Sea, which is exacerbating food prices worldwide, according to Alperovitch.

As a result, Putin thinks he has leverage to win concessions from the West on sanctions. "With that mindset, there's no point in trying to make things worse by launching cyberattacks," Alperovitch said.

However, if this fails, "He may decide that [cyber] is a tool worth pursuing" for driving inflation and economic instability even higher. Alperovitch doesn't expect that scenario to be a possibility until this coming winter at the earliest.

"Would launching cyberattacks right now help him with this goal? I would argue no. And I think he's making the same decision," Alperovitch said. "But that can — and perhaps will — change."
