On 28 January, nearly a month before the invasion of Ukraine, security officials issued a threat warning to British businesses. In the advisory, published on the website of the government’s National Cyber Security Centre (NCSC), the officials said they had observed cyber activity in and around Ukraine that “fits with [a] pattern of Russian behaviour”.
In modern warfare, hostile cyber activity is often a precursor to military conflict. The war in Ukraine is no exception. In the days leading up to the invasion, the Kremlin launched a series of distributed denial of service (DDoS) attacks on Ukrainian institutions, while deploying sophisticated “wiper” malware that targeted government systems, destroying files and software as it spread.
The NCSC’s officials had anticipated the risk. “We identified the possibility of conflict and therefore an increasing cyber threat before the end of last year,” says Paul Maddinson, the agency’s director of national resilience and strategy. “We’ve taken some time to try and explain quite carefully what we mean by that increased threat.”
A career civil servant who has worked for the NCSC since its formation, Maddinson says that despite the organisation’s best efforts, the threat has been “portrayed in extremes” in the media. “It’s either ‘There’s going to be a cyber Armageddon tomorrow’, or, ‘Actually, there’s been no cyber incidents or attacks at all’.”
The reality, says Maddinson, is somewhere in between. There have been “quite a lot of cyber attacks against Ukraine and Ukrainian infrastructure”, he says. “And some of those have been [at a] low level of sophistication, like DDoS, but some of them have been quite sophisticated, like the wiper malware and the attack on the satellite provider.”
The Viasat broadband satellite network was hacked on the day of the invasion. The hack is widely regarded as the most significant cyber attack of the early part of the conflict. Although the UK was not affected, the attack disrupted broadband connections around Europe. The incident validated the NCSC’s warnings of the risk of “spillover attacks” that would spread beyond their targets and ensnare Western organisations.
Nevertheless, Ukrainian government infrastructure is generally believed to have held up well during the war. The NCSC and other Western security agencies have provided cyber support to Kyiv. Maddinson says that while “it’s really important to know that we don’t have particularly good insights necessarily into what’s going on in Ukraine”, the country has made a “fantastic effort, as they have in other fields, to defend themselves against this aggression”.
Once the invasion was under way, Russia’s focus largely shifted from cyber to conventional warfare. “It clearly turned very quickly into a military invasion and an attempt to seize territory and ground in Ukraine,” says Maddinson. “The cyber incidents have been in support of that strategic objective. So I think that would explain why you saw quite a lot of significant activity [from Russia] ahead of the invasion and during the invasion.”
While cyber activity has played a smaller role in the conflict than some expected, the Kremlin has sought to carry out further disruptive attacks as the war has gone on.
On 12 April, a spokesperson for the Ukrainian government revealed officials had foiled an attack on the energy grid that could have plunged two million people into darkness. “It looks like we have been extremely lucky to respond to this in a timely manner,” said Viktor Zhora, deputy chairman of Ukraine’s State Service of Special Communications.
But as the conflict has progressed, so too has the risk to Western organisations. Maddinson says the increased cyber threat to the UK and its allies is now “less to do with the military conflict on the ground” and the risk of spillover attacks and “more to do with the geopolitical tensions with Russia, whether they escalate and whether Russia decides to take measures against us”. At present, Maddinson adds, it remains a “low likelihood”, but he says the NCSC “wants organisations to be prepared”.
After Maddinson spoke to Spotlight, the UK joined forces with the US and other international security partners to issue technical guidance on mitigating the threat posed by hostile cyber activity. The notice said the activity could “occur as a response to the unprecedented economic costs imposed on Russia as well as materiel support provided by the United States” and its allies.
However, the primary threat to British organisations from Russia remains organised cybercrime. After an attack on a major US oil pipeline last year, leading Russian ransomware operators announced they were retreating from dark web forums. Some security experts speculated that the statements may have followed an intervention by the Kremlin, but they appear to have been purely symbolic.
In early February, the UK, US and Australia published joint research on ransomware. It revealed that the threat has continued to grow over the past year and that operators have only become more sophisticated in their approach. “It’s a really successful criminal model and therefore it’s an enduring threat,” says Maddinson.
However, hackers have begun to refine their focus. There has been “a bit of a move in places like the US away from what the criminals call the ‘big-game hunting’ of going after the really large companies”, he adds. The trend is spreading across the Atlantic too, with small and medium-sized businesses in the UK increasingly finding themselves in hackers’ sights.
Given the rising ransomware rates and the risk of Russian escalation, Maddinson could be forgiven for feeling pessimistic, but he remains undeterred. The war, he notes, has “proven what we were saying in the National Cyber Strategy”, published in December. “We need to raise our cyber resilience against this kind of heightened threat. If anything, it’s prompted us to try and accelerate some of the measures that we were intending to take anyway.”
Maddinson clarifies that the NCSC is not focusing on specific sectors. “We’re trying to raise the overall bar of resilience.” By doing so, he says, government and industry will be better protected “against whatever threat may manifest itself as a result of the Russian invasion of Ukraine. But actually, we’re also raising the bar against the other threats such as ransomware and cybercrime, which continue to be a major problem too.”
Spotlight is the official media partner of the NCSC’s annual security summit, CYBERUK. To find out more, visit: www.cyberuk.uk