Security experts are bracing for major cyberattacks against the West if Russia gets desperate

In response to strong sanctions and military aid to Ukraine, Russia was expected to launch disruptive cyberattacks against the West but never did. But a cyberescalation from Russia still remains possible, as soon as later this year, according to experts.


Illustration: Nanzeeba Ibnat/iStock/Getty Images Plus

In the four months since its invasion of Ukraine, Russia hasn't intensified its usual pattern of cyberattacks against the U.S. and Western Europe in response to sanctions and Ukrainian military aid, as many expected. But that doesn't mean the risk of escalation with the West is gone, numerous experts told Protocol.

In other words, don't lower your shields just yet.

At the moment, it's clear that Vladimir Putin has made a calculation not to inflame tensions with the West, said Dmitri Alperovitch, the Russian-born cybersecurity and geopolitics expert who co-founded CrowdStrike.

But if things don't go Putin's way on Ukraine and sanctions, he "may very well resort back to cyber to increase pressure on the West," Alperovitch said.

Ciaran Martin, who was the founding CEO of the U.K. government's National Cyber Security Centre, agreed that Putin’s approach toward the West on cyber may change in response to events on the ground in Ukraine. “Russia could decide that it needs to make a point to the West, in an escalatory way," Martin said, though “the chances of [that] are not high at the moment.”

To get a better sense of the current state of the Russian cyber threat against the West, Protocol recently spoke with 20 experts — including threat researchers, former government officials and those with expertise on critical infrastructure and Russia.

A number of them are concerned that, as soon as later this year, Putin may give the green light for major cyberattacks aimed at disrupting critical infrastructure and supply chains in the West. A surge of attacks from proxy groups is also probable, according to some Russia watchers.

"I fear this is a 'calm before the storm' situation," said Chester Wisniewski, principal research scientist at cybersecurity giant Sophos.

In all likelihood, the political and economic issues facing the Kremlin will only continue to mount, raising the prospects of Russia bringing new cyber pressure against the U.S., said Chris Krebs, former director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

"Once they start losing good options, they're going to start using some of their capabilities they've kept in reserve to strike back at the U.S. and say, 'Hey, wipe off the sanctions,'" Krebs said. "How are they going to do it? It would be a highly visible, likely destructive attack."

Shields up

Initial U.S. government warnings of a potential for disruptive Russian cyberattacks did not play out the way that many expected.

On February 11, CISA issued its first "Shields Up" warning, urging increased cyber readiness as Russia amassed troops near Ukraine's borders.

Later in February, when Russia struck Ukraine with a series of data-wiper attacks followed by the invasion of the country, the CISA warning looked prescient. Surely, Russian cyberattacks would soon be directed toward the U.S. and other nations who were backing Ukraine, many experts assumed.

But as far as the public knows, this didn't happen. The past several months have actually been even quieter than usual, according to many security professionals.

"I don't think anyone expected effectively no retaliatory actions," said Ryan Olson, vice president of Threat Intelligence at Palo Alto Networks' Unit 42 group.

CISA’s "Shields Up" program has been a success in terms of raising awareness; the campaign almost instantly became a rallying point for cyber defenders in the U.S.


But while grateful that the attacks didn't materialize, cybersecurity teams started to wonder if they were supposed to stay in "Shields Up" mode indefinitely.

CISA Director Jen Easterly did consider whether to move to a status like "shields normal," she said during a panel at the RSA Conference this month. But she eventually concluded that "Shields Up" is "really the new normal."

"We all know, though, we can't sustain the highest level of alert for an extensive period of time," Easterly said during the RSA panel. That has prompted plans to develop an advisory framework that can give some indication of what the current threat is, based on intelligence and information from partners, she said. (CISA declined to make a representative available for an interview for this article.)

If Putin does decide to escalate, among the top questions is whether Russia would take the extreme measure of launching a cyberattack against U.S. critical infrastructure.

It's worth pointing out that the highest-profile attack of this type in U.S. history — which struck fuel pipeline operator Colonial Pipeline a year ago — was probably an accident. The Russia-based group behind the ransomware attack, which led to gas shortages across the Southeastern U.S., likely wasn't trying to do something so big, according to several experts.

But with U.S.-Russia relations further deteriorating thanks to the Ukraine war, some experts believe the Kremlin's appetite for critical infrastructure attacks may have changed. Now attacks like Colonial Pipeline "are the kinds of things I would expect that [the Russians] might want to do intentionally," Sophos' Wisniewski said.

Based on nearly two decades of following cybercrime activity out of Eastern Europe, he said, "My instinct is that if a group could intentionally pull that off, they would now get kudos."

This potential shift is important because, even in the wake of Colonial Pipeline, cybersecurity remains underfunded for many critical infrastructure operators.

"We have sprawling critical infrastructure that has been ignored from a security standpoint for a long time," said Katell Thielemann, a vice president analyst at Gartner. "For a determined aggressor, it's not too hard to find the weak points."

Meanwhile, the knowledge is spreading for how to attack critical infrastructure and supply chains.

Evidence suggests that two recent strains of malware targeting industrial systems were developed within weeks, while those systems have also seen an uptick in vulnerabilities, according to Thielemann. All of which means, she said, that “the risk profile has increased" for industrial environments.

Supply chains

Infrastructure that American society considers "critical" is also broader than just the electric grid and water utilities, said Justin Fier, formerly a cybersecurity specialist for Lockheed Martin and other defense contractors.

"We shouldn't just focus on the Hollywood scenarios — turning out the lights and the water," said Fier, who is now vice president of Tactical Risk and Response at Darktrace. "It could be something so much simpler."

The effects from shortages of baby formula and technology components such as chips have been significant; it's not hard to see how an intentional disruption of supply chains by a Russian cyberattack could quickly turn into a crisis, Fier said.

If the goal is to deliver a blow to critical infrastructure, a direct breach may not be necessary either. Attacking a third-party service provider or manufacturer could have a similar effect to a direct hit on a utility and would likely be met with weaker cyber defenses.

If a producer of a single component used in transformers were to go down, for example, "I don't know that you're going to be able to build a transformer anymore," said Betsy Soehren-Jones, formerly the director of cyber and physical security strategy for energy utility Exelon.

Likewise, if the company that prints bills used by a utility experiences a ransomware attack, that utility will struggle to keep business going, said Soehren-Jones, who is now COO of Fortress Information Security. When it comes to cyberattacks from Russia on critical infrastructure, she said, "I am way more worried about business continuity than I am direct hits."

Ultimately, in whatever form it takes, "that big national critical infrastructure attack is probably still very much on the horizon," Fier said.

Dave DeWalt, the former CEO of FireEye and McAfee, sees attacks on critical infrastructure and increased ransomware as probable toward the end of the year. "I believe we have a massive wave coming at us," DeWalt said.

"For every dollar of sanctions, they're going to try to get a dollar back — that's what I think they're going to do," said DeWalt, who is now founder and managing director of venture firm NightDragon. "It could be measured in trillions."

Cyberattacks could accomplish many goals at once for Putin: They would distract the national security community, exact financial costs and create fear in the populace, said Jonathan Reiber, vice president of Cybersecurity Strategy and Policy at AttackIQ.

While there's no definitive evidence that the Kremlin coordinates with the Russia-based cybercriminal groups to any degree, prominent ransomware gang Conti did vow to support Russia at the start of the Ukraine war. And the recent leaks of alleged Conti chat logs suggest ties between the group and the Russian Federal Security Service (FSB), noted Sergey Potseluy, a Ukrainian and senior researcher at Intel 471.

Conti has been characterized as an especially ruthless ransomware gang, responsible for the May 2021 attack that crippled Ireland's public health care system, among others.

In the past, nobody would've imagined that the Kremlin had directed an attack on a health care system, said Martin, who is now a professor in the Blavatnik School of Government at the University of Oxford. But Conti's statement of fealty to Russia, he said, suggests that "its relationship with the state has changed.”

And so, in the event of a future attack by Conti on a Western target, "would it be seen to be acting as an authorized proxy for the state?" Martin said. "Because then if it does something that's hugely disruptive to the welfare of a Western country, that's a different issue."


Just how much the Kremlin might coordinate with the cybercriminal groups around a future cyber strike against the U.S. and Western Europe is up for debate.

If Russia wants to send a message to the West in response to the sanctions and military aid to Ukraine, its forces can deliver that "in a clearer format than just siccing the ransomware gangs on the West," said Matthew Olney, director of Cisco's Talos Threat Intelligence Group.

Wiper attacks

If the U.S. did face a retaliatory strike from the Kremlin, it would most likely involve data-wiping malware, Unit 42's Olson said.

The costliest cyberattack of all time, the NotPetya attack on Ukraine nearly five years ago to the day, was a wiper disguised to look like ransomware. And in recent months, Russia has deployed dozens of wipers against Ukrainian agencies and critical infrastructure, some of which have posed as ransomware, researchers say.

If Russia does launch cyber retaliation against Ukraine's allies, a wiper attack on critical infrastructure pretending to be the work of a ransomware group is a strong possibility, Olson said.

If Putin can't get rid of the sanctions through other means, a wiper attack could be deployed to turn up the pressure, said Krebs, who was the first director of CISA and is now a founding partner at cybersecurity consulting firm Krebs Stamos Group.

Such an attack, he said, "would go after key sectors and segments that would get the attention" the Kremlin is seeking. "Every organization right now should be looking very hard at [the wiper threat] and saying, 'How could I be potentially affected here?'"

Going forward, threat researchers at Microsoft see a possibility for destructive attacks against financial, transportation and communications providers in regions including the European Union, said Justin Warner, senior threat intelligence analyst at the Microsoft Threat Intelligence Center, in an email.

According to a Microsoft report released last week, Russian agencies have been conducting network penetration tests across a wide swath of NATO countries in the months since the invasion, with the U.S. being the top target.

Microsoft says that 29% of the attacks successfully breached the target networks, which included government agencies, IT enterprises and critical infrastructure organizations.

"It would certainly be in keeping with the way that Russia operates to make a lot of noise over in Ukraine, [while] they are executing a much more covert and persistent attack against a completely different target," said Daniel Clayton, formerly an intelligence operations center branch chief for the U.K. government and the NSA.

"It's been my experience for a long time that you have to never look where [Russia is] making all the noise," said Clayton, who is now vice president of Global Security Services and Technical Support at Bitdefender.

Experts also anticipate an increase in disinformation activities by Russia targeting the U.S., in tandem with cyberactivity. "Putin is an opportunist, and he's going to use both tools in combination with one another," said Jessica Brandt, policy director for the Artificial Intelligence and Emerging Technology Initiative at the Brookings Institution.

Earlier this month, Russia's foreign ministry blamed the U.S. and Ukraine for cyberattacks against government institutions and critical infrastructure in the country, saying in a statement that it would "not leave aggressive actions unanswered." The statement followed comments by U.S. Army Gen. Paul Nakasone, who heads the Cyber Command and NSA, signaling that the U.S. has engaged in offensive cyber operations in support of Ukraine.

An intensification in cyberattacks against the U.S. and other NATO countries becomes more likely when Putin has either "achieved a stalemate or he's losing — where he has no other options," said Reiber, previously chief strategy officer for Cyber Policy in the Office of the Secretary of Defense during the Obama administration.

Another former Obama administration official, Jeffrey Edmonds, suspects the Russians “might be holding their punches” on cyber while waiting to see how things develop in Ukraine.

If Putin does end up wanting to send a message in the form of cyberattacks against the U.S. and Western Europe, it would have to represent an escalation above the usual baseline of activity, said Edmonds, former director for Russia on the National Security Council during the Obama administration. “They'd have to deviate from the norm,” he said.

However, Putin may not feel the need to intensify cyberattacks against the U.S. if he can achieve his goal of getting sanctions lifted without them, said Alperovitch, formerly CrowdStrike's CTO and now the co-founder and executive chairman of Silverado Policy Accelerator, a Washington think tank.

While some view Putin's actions as irrational, "All of his decisions are actually perfectly understandable, if you put yourself in his shoes," Alperovitch said. And crucially, "Many of them are predictable."

Case in point, in December 2021, Alperovitch predicted that Russia would invade Ukraine during the winter, two months before it happened.

Currently, Putin's strategy is "driven by his belief that he's actually winning,” Alperovitch said. This confidence is based on Russia's acquisition of Ukrainian territory and, more critically, its blockade of the Black Sea, which is exacerbating food prices worldwide, according to Alperovitch.

As a result, Putin thinks he has leverage to win concessions from the West on sanctions. "With that mindset, there's no point in trying to make things worse by launching cyberattacks," Alperovitch said.

However, if this fails, "He may decide that [cyber] is a tool worth pursuing" for driving inflation and economic instability even higher. Alperovitch doesn't expect that scenario to be a possibility until this coming winter at the earliest.

"Would launching cyberattacks right now help him with this goal? I would argue no. And I think he's making the same decision," Alperovitch said. "But that can — and perhaps will — change."

