Synopsis
In this paper, EclecticIQ analysts examined various drivers of the ongoing Ukraine-Russia war to identify and describe possible outcomes for cyber and technology in that context. Analysts cannot predict how the situation will unfold, but it is likely that this conflict will change the trajectory of how governments around the world choose to use cyber capabilities and technology in diplomacy or armed conflict. EclecticIQ analysts describe below five plausible scenarios which may develop (or continue to develop) as the Ukraine-Russia war drags on, along with possible indicators that each scenario is playing out in earnest. These scenarios span a range of likelihood, beginning with a concept already underway and concluding with a plausible long-term shift in Russia’s cyber strategy. Ultimately, the most likely outcome is that elements from each scenario identified eventually come to fruition in ways no analytic technique can foretell.
Methodology
EclecticIQ analysts wanted to answer the question “What could the cyber conflict in the context of the Ukraine-Russia war look like in four-to-six months?” This topic is complex and exceedingly broad, so the EclecticIQ Research Team worked through a structured analytic technique (SAT) to keep the scope focused on cyber. The SAT the team used is called The Cone of Plausibility; it first prompts analysts to identify drivers to the situation, then to articulate an assumption about how each driver will develop over a specified time period (in this case, four to six months).
The team identified five possible cyber-related scenarios for events that could happen over the next four to six months as a direct result of the Ukraine-Russia War. These outcomes are not necessarily mutually exclusive, nor are they equally likely. Below is an overview of each possible outcome, an assessment of how likely or dangerous it may be, and a list of a few indicators that each outcome is coming to fruition.
Analysis
Outcome #1: Russia Escalates its Use of Technology to Bolster its Narrative Abroad
In this scenario, Russia’s efforts to message an external (international) audience become more directed and incendiary. Technology plays a key role in amplifying and reinforcing Moscow’s narrative that fault for the war lies squarely with the West. To accomplish this, Russia could pursue any of several different paths. It could double down on its messaging in press and social media, issuing near-constant denials and levying constant counter-accusations. Moscow could leverage its cyber capabilities to generate increasingly sophisticated fake news, which it would proliferate primarily via social media. These fake news reports would be so convincing and targeted that the audiences who receive them cannot, or do not care to, discern their legitimacy, while those who do not receive them find it difficult to believe such brazen reporting could be believed at all.
The narratives Moscow is most likely to push are those directed to Ukrainian defenders and civilians about the futility of fighting and the inevitability of Russian victory. Secondary narratives may include Russians suffering due to sanctions, security threats, or economic drain from Ukrainian refugees, and blaming the West for the invasion.
If this scenario were to escalate, Moscow could try to refute opposing narratives by directing troll farms to amplify its own reports and drown out unfavorable ones. It may increasingly target press entities, or the platforms they use to disseminate news, with cyberattacks in order to gain an information advantage for its narrative, either by intimidating media into stepping back from portraying Moscow in a negative light or by disrupting access to particular news sources. If it felt it needed to remove any chance its people might learn news from the outside world, Moscow could choose to block access to VPN (Virtual Private Network) providers or block internet access altogether.
Indicators that technology is used as a tool to escalate propaganda narratives include:
- Convincing fake news videos pop up more frequently which have specific military or social intent targeting Ukrainian forces or civilians—especially fake reporting meant to shatter social cohesion and hurt morale.
- Data supporting the idea that Moscow employs troll farms and fake social media accounts to push specific anti-Western/anti-Ukrainian narratives, as it previously did during the annexation of Crimea and a US Presidential election. (11)
- Press reporting or rumors which cannot be substantiated claiming that Russians suffer due to sanctions, that Ukrainian refugees are security threats or economic drains, and that the West is at fault for the invasion.
- Growth in the numbers of non-Russian politicians and mainstream news sources publicly regurgitating Russian propaganda narratives.
Outcome #2: Targeted Cyberattacks Aimed to Create Uncertainty in the West
If Moscow feels increasingly internationally isolated or battlefield momentum is against it, it may choose to carry out targeted cyberattacks to message other nations’ governments and citizens. The messages could range in intensity and be directed at different targets, but each would have a specific purpose. Some attacks could aim to undermine citizens’ confidence in their government’s ability to provide continuity of basic services or withstand aggressive cyberattacks from abroad. Others could be more threatening; sending a message that pushing Russia out of the international sphere will have severe consequences for Western nations leading that call. This is especially true if the attacks come at a regular cadence, or if they successfully manage to take critical infrastructure offline in a way that disrupts daily life at a precarious time.
The tactic described in this scenario is likely to be used in tandem with other scenarios listed here—especially the scenario above in which Moscow elevates its use of technology to spread narratives, or the case below in which Russia takes a heavier hand in directing cybercriminal operations.
Russia may be using cyberattacks to message nations abroad if:
- There are more attacks timed to coincide with Ukraine-focused political or diplomatic overtures, or military operations. A good example is the DDoS (distributed denial of service) attack in mid-February, which targeted Finnish government networks precisely as President Zelensky was to speak to Finnish authorities. (1)
- A shift in the motive behind high-profile cyberattacks: fewer ransoms and extortions for payment, and more attacks causing disruption or theft of sensitive information.
- Cyberattacks targeting governments or businesses in fields relevant to geopolitics. A good example is the four attacks between February and April against companies connected to wind-turbine operations in Germany. (2, 3, 13) While these attacks could be coincidental, it is also possible they are an attempt to influence Germany—a country reliant on Russian energy—either by punishing it for reducing Russian gas consumption or by convincing Germany it needs Russian gas.
Outcome #3: Previously Financially Focused Cybercriminal Platforms and Forums Fracture Along Issue-Based Interests
Up to now, most cybercriminal forums – at least on the surface – have largely been driven by financial gain and stayed out of politics, but even cybercriminal forums are not immune to politicization as a result of this war. In this case, cybercriminal forums may grow, split or form more frequently, resulting in new organizations which reflect alignment with particular political or social interests. Sites that focus on making money would still exist, but they would be joined by new sites that champion a particular view on a given issue and are perceived to align with those political or social interests.
In at least one case, this has already played out. Early in the war, Conti’s perceived statement favoring Russia earned it severe backlash inside the cybercriminal underworld when an affiliate leaked the group’s internal chat logs in protest to Conti’s stance. (4, 5) At least one cyber forum banned sales to Russia-linked groups over ‘ideological differences’ and self-proclaimed members of the hacktivist collective Anonymous publicly declared war against companies refusing to cease business in Russia. (6, 7) After publicly exposing data stolen from Nestle, a message reportedly posted by a member of Anonymous stated “Hacker group Anonymous has released 10 GB of data from Swiss company Nestlé. This is the collective’s retaliation for the company’s continued business in Russia.” (8)
Should this trend continue, it is possible:
- The sheer number of online cybercriminal forums will increase, but new forums will be smaller and more narrowly focused (or will have some sort of exclusivity or membership guidelines)
- New non-Russian language forums will appear and will grow in popularity as an alternative to Russian language forums
- Profit-seeking cyber mercenaries offering their skills to support their favored side in a conflict could become the norm
Outcome #4: Tech Companies Forced to Adapt Early and Often as Tech Products are Used in Novel – and Unintended – Ways
The critical nature of how social media platforms and other cyber/tech tools have been used in this war will inevitably prompt tech companies to examine and change how their tools are used, governed, and perceived by their developers and users. Companies have already been forced, in response to public demands, to address the content their tools carry and how those tools are used; the Ukraine-Russia war extends these issues into the context of armed conflict.
The Russia-Ukraine war is another example of how tech tools can be helpful or harmful in already-charged situations. Tech, in particular social media, received unflattering press in recent months for its role in spreading misinformation or knowingly intensifying heated rhetoric, and for having harmful effects on youth. (12) Conversely, in war, tech tools serve as valuable communications conduits for victims, news outlets, and bystanders of conflict who need to communicate with each other and the outside world. They provide novel ways to communicate and fundraise. However, they can be used by hostile or repressive governments to spread disinformation and control the population.
All of these uses seem to have occurred in Ukraine since the invasion, making technology a de facto tool of war. The Ukraine-Russia war forces companies and users to determine on a near-real-time basis what the appropriate limits of tech usage are. The decisions made in this context will not be appropriate under more normal circumstances, so companies and users will have to adjust and redirect after decisions made during crisis scenarios like this one. Constantly adapting policy to events and novel uses will become the rule in the tech industry and will happen increasingly frequently.
As this scenario develops further:
- The constantly evolving nature of technology means that it will be used in novel ways, which in warfare are often not intended and which inadvertently expand the cyberattack surface. Tech companies will find themselves needing to continually redefine their policies on the tool’s security, privacy, and appropriate use, often before the ramifications of such changes are fully understood.
- Concerns will grow about the security of other nations’ tools and about how a company’s host nation government may use or exploit the company’s technology. Warnings like those issued recently about Kaspersky (a Russian company) will be more common. (9)
Outcome #5: Russia Co-opts Cybercriminal Organizations to Fundraise
As Russia is increasingly cut off from the world’s legitimate financial markets, it will turn to cybercrime organizations as its government-sanctioned method for raising money—similar to the model used by North Korea. (10)
In this scenario, the Russian government more overtly directs the actions of cybercriminal groups in the country while not officially absorbing the groups’ members into the government. With a criminal group acting as a proxy, Moscow pressures it to conduct its operations under government direction and to hand over its profits to the government. Alternatively, or in tandem, officials may switch the focus of government cyber resources away from espionage and covert cyber operations. Garnering successful ransom payments by any means necessary will become the top priority.
Analysts posit this scenario could play out a couple of different ways. One hypothesis is that cyberattacks would be targeted widely and indiscriminately, aiming to make money by blanketing a broad attack surface. Alternatively, cyber attackers may spend more time upfront assessing potential victims and their willingness to pay, so that the odds of successful payment can be maximized with minimal time after launching ransomware. The most likely scenario would probably include elements of both strategies aimed at different targets; small fish could be targeted with a wide net, and especially lucrative or sensitive targets may be assessed and reconnoitered in depth before an attack.
This scenario is more of a contingency situation for Russia. This option reflects a strategic shift on behalf of the government, and although it is not necessarily difficult, it requires some specialized infrastructure and know-how. To truly adopt this strategy, Moscow would probably want to develop in-house government expertise and policy about cryptocurrency, and it could partner with (or develop its own) decentralized finance exchange. It would also need to establish new bureaucracies and allocate resources to oversee this effort.
This option becomes increasingly worthwhile for Moscow the longer the situation does not return to the pre-war status quo. Continuation of economic sanctions or armed conflict is most likely to make this option attractive. Nonetheless, it is possible Moscow could adopt this tactic in peacetime to hedge against future sanctions and diversify its sources of revenue.
Moscow may be “nationalizing” Russian cybercrime if:
- More evidence of collusion between the Russian government and cybercriminal organizations, or evidence that the Russian government is more often directing the actions of cybercriminal groups previously only on the periphery of government operations.
- The government formalizes a tax or levy on the earnings of cybercriminal elements.
- Moscow pardons or releases from custody cyber criminals who had previously been arrested or convicted of cyberattacks targeting international entities.
- It creates new or reaffirms existing laws or doctrine describing the ambiguous role of cyber operations as national defense.
- It ceases public efforts to persuade the West to lift sanctions.
Outlook
Cybersecurity is inherently complex and always changing, and the nature of warfare is unpredictable. There is no single assessment which can fully and accurately answer the question of how the Ukraine-Russia war will change cyber in the short term. What is most likely is that parts of each scenario will play out at different times, further altering the drivers affecting the situation and the assumptions about how those drivers develop. These changes may make some scenarios more or less likely, reveal new possible outcomes, or make some scenarios obsolete. Analysts should endeavor to continually examine lists of indicators, and occasionally re-run the entire analytic technique to capture continued changes. These steps may never yield a fully predictive scenario, but they will reduce the odds of being caught unaware and unprepared.
About EclecticIQ Threat Research
EclecticIQ is a global provider of threat intelligence, hunting and response technology and services. Headquartered in Amsterdam, the EclecticIQ Threat Research team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government.
We would love to hear from you. Please send us your feedback by emailing us at research@eclecticiq.com or fill in the EclecticIQ Audience Interest Survey to drive our research towards your priority area.
References
(1) https://www.cyberscoop.com/finland-denial-of-service-zelenskyy/
(2) https://www.windpowermonthly.com/article/1751954/wind-turbine-maker-nordex-shuts-down-systems-cyber-attack-hits
(3) https://www.butenunbinnen.de/nachrichten/cyberangriff-auf-deutsche-windtechnik-ag-bremen-102.html
(4) https://ddanchev.blogspot.com/2022/02/exposing-conti-ransomware-gang-osint_28.html
(5) https://www.theverge.com/2022/2/28/22955246/conti-ransomware-russia-ukraine-chat-logs-leaked
(6) https://www.zdnet.com/article/russian-language-cybercriminal-forum-xss-bans-darkside-and-other-ransomware-groups/
(7) https://securityaffairs.co/wordpress/129447/hacking/anonymous-companies-active-russia.html?utm_source=rss&utm_medium=rss&utm_campaign=anonymous-companies-active-russia
(8) https://www.itsecurityguru.org/2022/03/23/anonymous-leaks-10gb-of-nestle-data/?utm_source=rss&utm_medium=rss&utm_campaign=anonymous-leaks-10gb-of-nestle-data
(9) https://www.tagesschau.de/inland/bsi-kaspersky-ukraine-101.html
(10) https://www.reuters.com/article/us-northkorea-cyber-un/north-korea-took-2-billion-in-cyberattacks-to-fund-weapons-program-u-n-report-idUSKCN1UV1ZX
(11) https://www.nato.int/nato_static_fl2014/assets/pdf/2020/5/pdf/2005-deepportal2-troll-factories.pdf
(12) https://www.cnn.com/2021/10/25/tech/facebook-papers/index.html
(13) https://securityaffairs.co/wordpress/130648/hacking/deutsche-windtechnik-professional-cyberattack.html