Warnings at the highest level are being issued by cybersecurity experts as Toyota and Nvidia attacks are linked to the Ukraine conflict
Cybersecurity companies across the world are issuing fresh warnings about increased cyberattacks, as the Ukraine war enters its second week. American cybersecurity firm Mandiant has raised red flags about attacks on countries that have chosen to support US and NATO sanctions against Russia. The Conti ransomware group announced both its “full support” of the Russian government and its intention to strike back at anyone who organises cyberattacks or war activities against Russia. This message was posted on the Conti News leak website.
Security analysts are particularly concerned about possible attacks on energy supply chains to disrupt oil and gas supplies in Europe. If Russia judges that raising prices is not an appropriate escalatory measure, it could undertake cyberattack operations against non-European suppliers as a means to raise gas prices and disrupt supply chains, alerts Mandiant.
Russia’s ban from the Eurovision song contest, or the multiple sports organisations’ decisions to cancel sporting events with Russian teams or move competitions to new locations that were formerly scheduled to take place in Russia, could also spur Russian retaliatory action against the media and entertainment sector. Historically, Russia has placed a premium on its participation in high-profile international sports and entertainment events and has previously used cyber operations to retaliate for perceived grievances.
According to cybersecurity firm Trend Micro, the Stormous ransomware gang, known for website defacement and information theft, represents itself as a group of Arabic-speaking hackers. Active since 2021, the group has recently announced its official support for the Russian government and its intention to target Ukrainian government institutions such as the Ukrainian foreign ministry.
“As one tool in its response, we assess that Russia will almost certainly engage its offensive cyber programs to at least increase cyber-espionage against primarily government targets to enhance decision advantage, and likely also conduct additional destructive or disruptive cyber-attacks,” alerts Mandiant. Early this month, Trend Micro had issued a warning about a relatively unknown ransomware, called Nokoyawa, that encrypts frequently used personal data.
The decision to sanction Russian financial institutions as well as the cancellation of Nord Stream 2 is likely to lead to a Russian response. Russia has multiple likely options as part of their decision calculus, which could include energy cost hikes, destructive cyber-operations, or other economic measures designed to hurt Europe more than Russia.
Toyota suspended factory operations in Japan, losing around 13,000 cars of output, after a supplier of plastic parts and electronic components was hit by a suspected cyberattack. The attack came just after Japan joined Western allies in clamping down on Russia after it invaded Ukraine – although it was not clear if the attack was at all related. Leading US semiconductor manufacturer Nvidia has confirmed that hackers stole data from the company during a recent breach this month. Nvidia didn’t specify what was stolen. But the group behind the breach, LAPSUS$, claims it looted 1TB of data including files about Nvidia hardware and software. The hackers are now demanding the company pay up in cryptocurrency to keep the data secret.
Mandiant has cautioned that Russia could conduct retaliatory actions, including additional destructive or disruptive cyberattacks, particularly against the government, financial services, and energy and utilities sectors. The nature and length of NATO and Western sanctions and responses are likely to influence Russia’s perception of high-priority targets for retaliation. Organisations making public statements condemning Russian aggression and/or supporting Ukraine – as well as organisations taking actions to restrict Russian participation in international commerce, competitions, and events – face an elevated risk of future reprisals.
Disinformation is a major weapon in any cyberwar playbook, especially Russia's. The Russian doctrine also views information warfare as a wide-ranging concept crucial to any armed and/or diplomatic conflict. Facebook owner Meta and Google parent Alphabet have announced efforts designed to tamp down misinformation on their platforms.
Russian information warfare combines cyber-operations, electronic warfare, psychological operations, and information operations, with the goal of controlling the “information sphere” – a vital component of Russian strategy. Apart from using destructive and disruptive cyberattacks in advance of kinetic ones (such as those seen with PAYWIPE and NEARMISS), the Russian doctrine calls for sustained information warfare throughout the conflict, both to supplement military action and as a component of the aforementioned controlled escalation.
Given that the US and EU have banded together in support of Ukraine, the scope of a cyberwar could be broad. Large-scale cyber skirmishes can become global due to a spill-over effect. There’s some precedent for what a spill-over could look like. In 2017, a suspected Russian attack featuring a piece of malware dubbed “NotPetya” disrupted Ukrainian airports, railways, and banks. It spread rapidly around the world, infecting – and temporarily shutting down – a diverse array of multinational companies including the global shipping company Maersk, the pharmaceutical giant Merck, FedEx’s European subsidiary TNT Express, and others.
Mandiant is worried that Russia would use criminal actors against NATO nations as a means of reprisal. Such criminal actors that reside in Russia often target NATO nations, and we surmise that Russia could task them again to conduct destructive or disruptive operations against financial entities, relying heavily on ransomware or wipers as the preferred method. However, other novel disruptive or destructive approaches are also possible – and the world is on watch.