As Russia’s tanks rolled into Ukraine and its missiles struck targets across the country, its hackers launched waves of cyberattacks. In the weeks and days leading up to the Russian invasion, Ukrainian websites were defaced and taken offline, and data-wiping malware was unleashed on government systems. And while the physical attack may have been a surprise to most, the virtual attack was not: Russia has used its cyberweapons against Ukraine for years. Now, the question for some is whether Russia will turn its cyberweapons toward the US and how the US would respond.
According to President Biden’s address on Thursday afternoon, the US can and will launch cyberattacks on Russia — but only if Russia attacks the US first.
“If Russia pursues cyberattacks against our companies, our critical infrastructure, we’re prepared to respond,” Biden said, adding that the government has been working with the private sector “for months” to prepare for Russian cyberattacks and responses to them.
Biden’s comments suggest that the White House is keen to frame any possible American cyberattacks on Russia as retaliation for Russia attacking the US first, and not as a preemptive move by the US or a retaliation for Russia’s attack on Ukraine. This sentiment was also expressed when the administration pushed back on an NBC report claiming that, even if Russia didn’t attack first, Biden had been presented with options for using US cyberweapons against it “on a scale never before contemplated.” Press secretary Jen Psaki tweeted that the report was “off base” and “does not reflect what is actually being discussed in any shape or form.”
While a Russian cyberattack on Ukraine’s infrastructure is very possible — it has happened before — it’s less clear that this will happen to the US. While many countries have cyberweapons, few admit to using them, the US included. America is believed to be the most powerful country in the world in terms of cyber capabilities, but, for the most part, it keeps its capabilities top-secret, though it has acknowledged that they exist. While we know the US has cyberweapons, we know far less about what they are, what they have access to, and what kind of damage they can do if deployed as a weapon of war.
“Nation-states including the United States engage in intelligence-gathering operations in cyberspace, but no one has declared that activity an all-out cyberwar,” James Turgal, vice president of cyber risk, strategy, and board relations at cybersecurity firm Optiv, told Recode. “However, we are in a new era with the Russian invasion of Ukraine.”
Experts say the US has almost certainly prepared for the increased chance of a cyberattack from Russia.
“In reality, it would be a surprise if the US defensive postures weren’t already in place,” Purandar Das, CEO of Sotero, a data security software company, said. “The government has in all likelihood deployed their defense mechanisms.”
George Perera, the associate director of cybersecurity law at St. Thomas University, said that a cyberattack from Russia would likely target critical infrastructure, and, if successful, “could be devastating.”
“Potentially you could lose clean water, electricity, financial markets, to name a few,” Perera explained. Importantly, he added that the likelihood of a successful attack on the US was “minimal,” thanks to the US’s defensive capabilities.
But some warned that the private sector especially may not be sufficiently prepared, even as many companies have scrambled in recent years to better protect against cyberattacks.
“The growth in ransomware and attacks over the past decade should have put private and public entities on alert to revamp their security postures, deploy new layers and tools, train staff, and continually improve their processes,” Ryan Golden, cybersecurity expert and chief marketing officer at Halcyon, which makes anti-ransomware software, said. “Unfortunately, cybersecurity programs are still viewed as a line item on a budget sheet, leaving many organizations and institutions vulnerable to disruption.”
Russia — both officially and through cybercriminals doing its bidding — has a long history of using cyberweapons against perceived enemies, including the US. Significant Russia-linked cyberattacks on the US in recent memory include the SolarWinds hack, first discovered in late 2020, and a slew of high-profile ransomware attacks, including last year’s attack on the Colonial oil pipeline. The former, which led to the infiltration of several US government agencies along with about a hundred companies, was attributed to Russia’s intelligence service. The latter, which took a pipeline that transports half of the East Coast’s gasoline offline for several days, was attributed to Russia-based criminal organizations, likely operating with the Russian government’s knowledge and approval.
Putin denied that Russia had any part in either incident, and the Russian embassy has previously said it “doesn’t conduct operations in the cyber domain.” But the Biden administration cited the SolarWinds hack as one of the reasons for economic sanctions against Russia last April, and the president said last June that, a few weeks after the Colonial Pipeline attack, he told Putin there would be “consequences” if ransomware attacks on the US continued.
“Russia has managed to evade much of the responsibility for cyberattacks,” Josef Schroefl, deputy director of strategy and defense at the European Centre of Excellence for Countering Hybrid Threats, said. “In conventional warfare, attribution is usually straightforward. But in cyberspace it is very complex, and can be time-consuming and costly.”
Meanwhile, Ukraine has for years been under near-constant threat of cyberattacks from Russia. The country’s power grid was attacked in 2015 and 2016 and is reportedly still vulnerable today. Malware called NotPetya was unleashed on Ukraine’s financial sector in 2017 and ended up spreading to millions of computers all over the world, doing billions of dollars in damage. In October 2020, the US charged several Russian intelligence officers for their alleged involvement in the development of NotPetya and hacking attacks on Ukraine’s power grid.
For its part, the United States has also been caught using cyberweapons a few times. It, in coordination with Israel, is believed to be behind Stuxnet, a virus that targeted Iran’s nuclear program. Neither country has ever admitted to this.
As for Ukraine, Das said he believes it will carry out its own attacks on Russia — “Ukraine is already a hotbed of technical activity, and they have the skills” — although the US might help with intelligence. Schroefl said Ukraine has “expanded and greatly improved its capabilities” to defend against cyberattacks in the last few years, with the help of European Union countries and Israel. “But principally, Ukraine still needs support, especially in securing its command and control systems as well as critical infrastructure.”
It appears that Ukraine is also getting some help from hackers that aren’t affiliated with any state: It reportedly appealed to its “hacker underground,” as Reuters called it, to help protect Ukrainian infrastructure and to spy on the Russian military. The hacker collective known as Anonymous claimed on Thursday night that it was behind a DDoS attack that took down Russian state-sponsored news site RT. On the Russian side, one prominent ransomware gang has pledged its loyalty to Russia.
Karen Walsh, CEO of Allegro Solutions, noted that it’s likely the US is already engaging in some kind of offensive cyber operations. It’s also likely that we won’t know any or all of the US’s actions for a long time to come. The US government has said that Russia’s cyberattacks can be “brazen and aggressive operations, sometimes with questionable levels of operational security and secrecy.” The United States, on the other hand, has been much more secretive about any of its cyberattacks, to the point that we rarely know it’s doing anything at all.
“Until classified documents are unclassified 50 years from now, we’ll never know the full extent of our offensive cyber operations,” Walsh said. “Hopefully, any US cyberwarfare will remain targeted toward Russian military capabilities and limit the impact on the everyday Russian citizen.”
Russia’s attacks on Ukraine in the real world and in cyberspace have, so far, followed known tactics that we’ve seen before. An all-out cyberwar — one that would include hugely disruptive, dangerous, and high-profile attacks on critical infrastructure and weapons systems — hasn’t happened yet. But it’s looking more likely than ever that such a war could be here soon.