ISI in the news: Why Have Russian Hackers Been So Quiet?

March 21, 2022

From the 2016 election to a spree of ransomware attacks that disrupted private industry last summer, Americans are all too familiar with the chaos Russian hackers can create. But during the first two weeks of Russia’s Ukraine invasion, the cybercriminals in league with the Kremlin haven’t played a major role. Anton Dahbura, the executive director of the Johns Hopkins Information Security Institute, explains why we’ve seen so little from the country’s notorious electronic agitators, and whether they might become more aggressive in the coming weeks.

Russia hasn’t disabled Ukraine’s internet or the country’s entire power grid. What sort of cyberattacks have Russian hackers successfully pulled off during the war?
With cyberconflict, one never knows exactly what’s going on — we can only put pieces together from different sources that we trust. The impact of hacking by Russia and its cronies on Ukraine has been relatively minor. We know there were some preliminary attacks on government systems a few weeks ago. Almost everybody extrapolated that that would turn into something more severe, but it hasn’t really materialized.

The other thing is it’s obviously not business as usual in Ukraine. When you think about retail operations, health care, education — all of those aspects of the Ukrainian society and economy have been severely disrupted, if they’re operational at all. It doesn’t make sense to try to shut down a store’s IT system if the store is not even open, or if there is no power to that area. So the impact of cyberattacks has changed, and to some extent has gone by the wayside.

Now, we’re also distinguishing cyberconflict from espionage. It’s also not clear if Russia has hooks into Ukrainian intelligence systems and communications systems, which is another potential aspect of this.

Is this kind of hacking something that’s better-suited for agitating during peacetime than in a hot war?
This is an interesting case study. Now you have all these kinetic options, so in retrospect it’s not surprising that the kinetic warfare is taking precedence over cyberwarfare.

Also, the circumstances have changed. For one thing, Ukraine is at full alert now. To a large extent, hackers count on people looking the other way, not really paying close attention. In addition, the West, including the United States government, has come to Ukraine’s aid with emergency teams of cyberdefenders, so that’s quite valuable.

What methods of cyberattacks has Russia used in Ukraine?
From what I’ve seen, it’s infiltration. There are operators of industrial control systems seeing their computer systems going blank or having messages on them from Russian hackers. The Russian government, probably more than any government in the world, has this loose confederation with criminal elements, so it’s also difficult to tell who’s doing what. Some of the criminal elements have gone in different directions as well. It makes it even more confusing to figure out what’s going on in the cyberdomain in Ukraine.

What direction are the criminal groups headed?
Some of the criminal groups have tried to maintain some distance and aren’t all in as far as Ukraine. Others seem to be quite supportive. But the larger factor here is that the criminal elements are for-profit and evidently are really enjoying their sports cars and villas, and so performing hacks on Ukraine’s IT systems is not profitable. So it doesn’t really fit into their business model, and is something they probably view as something they have to do to appease Mother Russia. Other than that, they don’t have an incentive to engage.

Cyberconflict is tricky in that every offensive weapon that is unleashed can be turned around and used against you. It’s not clear to what extent Russia wants to go all out and expose its cybercapabilities and the vulnerabilities in Ukrainian systems. That’s the difficult part. How much do you really hold back and when do you unleash everything you have? And there have been counterattacks into Russia, and I think Russia is very concerned about that. For all those reasons, it kind of makes sense we’re not seeing things that are visibly catastrophic caused by Russian hackers.

How can a cyberattack be used against the aggressor?
These weapons are software. So if there’s some vulnerability in a system that you exploit, odds are some of your systems suffer from the same vulnerabilities. When you use a cyberweapon and your adversary discovers it and is then able to examine it, conduct forensics on it, then understand it, then your adversary can turn around and use the same weapon against you. That’s already happened. There were some cyberweapons that the U.S. had that were leaked from the National Security Agency that turned up in all kinds of different places, unfortunately.

We’re only a few weeks into the war. I imagine the attacks could still escalate at this point?
It could go either way. The more time Ukraine has to work with its allies to strengthen its defenses, the better off it will be. There could be some time bombs that Russia has planted, and perhaps they would be in concert with a key moment: when and if Russia launches a final, all-out assault on Kyiv.

If the Russians do ramp things up, what sort of attacks could we see?
The first area we think of is critical infrastructure — and within that the power grid — and we’ve already seen on the kinetic side the risks associated with Ukrainian nuclear power plants. Russia hacked into Ukraine’s power grid in 2015 and very successfully shut part of it down for a time. Some people view that as sort of a test for Russia, just checking things out, seeing what they were capable of doing. Critical infrastructure is very broad: It includes power, water, access to health care, manufacturing, food supply, biotech. Ukraine is so disrupted right now that the primary ways of impacting the country are energy, power, and water.

Has there been a war like this before that could be a template of what may happen?
This is the first time in history that a country with significant offensive cybercapabilities has engaged in warfare and used those capabilities as part of its arsenal.

It’s changing the thinking of a lot of people who analyze these kinds of things. You have a country that is willing to mount a full-fledged invasion. That aspect of the conflict really dominates. But we now accept that cyberconflict is going to play a role in just about any conflict in the future.

This interview has been edited for length and clarity.

This article originally appeared in New York Magazine.
