As Russia wages cyber war against Ukraine, here's how Australia (and the rest of the world) could suffer collateral damage

The Australian Cyber Security Centre^[1] is asking organisations and businesses to be on high alert amid Russia’s cyber attack bombardment of Ukraine^[2].

The United Kingdom’s National Cyber Security Centre issued a similar warning^[3], as have New Zealand^[4] and the United States Department of Homeland Security^[5].

The Australian Cyber Security Centre has said it is not aware of any specific direct threat to Australia, but that the country could be affected by “unintended disruption or uncontained malicious cyber activities”.

It wouldn’t be the first time a Russian cyber attack has caused serious collateral damage to nations that aren’t its intended target.

Attacks so far

Ukraine has suffered through a sustained digital assault from Russia over the past few weeks. One of the most penetrative attacks came on Wednesday, cutting off access^[6] to several Ukrainian government and banking websites – followed by more on Thursday.

These were distributed denial of service attacks, in which the perpetrator knocks targeted websites offline by flooding them with bot traffic.

Meanwhile, experts at the internet security company ESET identified^[7] a malicious data-wiping malware called “HermeticWiper” circulating on hundreds of computers in Ukraine, Latvia and Lithuania – which they said may have been months in the making.

According to reports^[8], experts from software company Symantec found the malware had affected Ukrainian government contractors in Latvia and Lithuania and a Ukrainian bank.

Read more: Russia is using an onslaught of cyber attacks to undermine Ukraine's defence capabilities^[9]

How the impact will be felt

Australia’s risk in the face of ongoing cyber attacks from Russia would almost certainly come in the form of a “spill over” effect.

For example, if a Ukrainian bank is targeted and goes offline, this would still impact Australians who use that bank to receive or send money to Ukraine. Attacks on banks are particularly alarming when you consider Ukraine’s dire need for financial aid and economic support^[10] right now.

All global business conducted with, or through, the bank will be affected – and the impact could reach virtually anywhere in the world. Similarly, distributed denial of service attacks on Ukrainian news media would also have global ramifications, by limiting the exchange of crucial information.

Another concern is the potential for Russia to cut off gas supplies flowing through Ukraine to Europe, either directly or through a cyber-enabled attack (the Colonial Pipeline^[11] attack being a recent example). This also introduces significant market instability, resulting in shortages and driving up prices (including for Australia^[12]).

Australian companies are a part of global supply chains. Many will have interests in Russia and/or Ukraine. Thus they will also have digital, and potentially even direct network connections with them, through a virtual private network – which allows users to establish a private network over a public internet connection (and which can be used to spread malware between connected devices).

Once a “wiper” malware – the likes of that currently circulating in Ukraine – gets enough footing, it can spread across countries within minutes. If an office in Canberra with a virtual private network connection based in Ukraine becomes compromised, it can allow the malware to jump countries.

The NotPetya malware attack in 2017 is a pertinent example. This “self-propogating” malware spread globally and caused billions of dollars’ worth of damage. It, too, was attributed to a Russian source by investigators, and traced back to the update mechanism for a tax-accounting software application used widely in Ukraine^[13].

Read more: Three ways the 'NotPetya' cyberattack is more complex than WannaCry^[14]

Leveraging the chaos

Apart from malicious Russian state-sponsored cyber crime, the current mayhem unfolding in Ukraine provides opportunity for cyber criminals more generally, too.

It’s very difficult to attribute cyber crime. While experts can analyse code taken from malware, this is usually a slow and costly process. Cyber criminals the world over may want to take advantage of the chaos, and try to carry out attacks they may not otherwise get away with.

Among all the noise, and with so many Ukrainians (including cyber security professionals) either displaced or fleeing, the chances of being caught may be lower. Also, it is likely any major cyber affliction will be blamed on Russia – at least initially.

At the same time, we might see an increase in phishing and scam attempts as a result of the crisis. Opportunistic criminals use global narratives to add credibility to their scams. For instance, they may send phishing emails posing as a Ukrainian citizen desperate for emergency funds.

How can businesses protect themselves?

A critical step in a defensive posture for companies and organisations in Australia is to determine their exposure level. This means being acutely aware of any direct or indirect connection with Ukraine and Russia, and the online systems and supply chains these countries partake in.

Employers also have a duty of care to employees who may have loved ones or other connections in Ukraine, and may be more vulnerable to various forms of cyber attacks exploiting the current situation.

And of course, the most basic cyber security advice is once more relevant. That is, individuals, businesses and organisations must take special care to ensure all devices are up-to-date and have software patches installed.

The 2017 NotPetya attacks were, in part, successful because the malware exploited a vulnerability in Microsoft Windows – even though a patch to fix it was available at the time. But the massive number of devices that hadn’t been patched meant NotPetya could spread without constraint.

In the case of Ukraine, where pirated software is common^[15], this issue is particularly prevalent. Complications with (or a lack of) proper software licensing means updates may not be accessed or installed.

References

1. ^{^} Australian Cyber Security Centre (www.cyber.gov.au)
2. ^{^} bombardment of Ukraine (theconversation.com)
3. ^{^} warning (www.ncsc.gov.uk)
4. ^{^} New Zealand (www.cisa.gov)
5. ^{^} Department of Homeland Security (www.cisa.gov)
6. ^{^} cutting off access (apnews.com)
7. ^{^} identified (www.reuters.com)
8. ^{^} to reports (www.theguardian.com)
9. ^{^} Russia is using an onslaught of cyber attacks to undermine Ukraine's defence capabilities (theconversation.com)
10. ^{^} financial aid and economic support (www.politico.eu)
11. ^{^} Colonial Pipeline (theconversation.com)
12. ^{^} Australia (theconversation.com)
13. ^{^} in Ukraine (arstechnica.com)
14. ^{^} Three ways the 'NotPetya' cyberattack is more complex than WannaCry (theconversation.com)
15. ^{^} pirated software is common (outsourcingreview.org)