Direct action is a risky business for Ukraine's volunteer hackers

Collateral damage

“One of the fallouts for organisations and one of the most significant threats is becoming collateral in a proxy war fought by these groups. Now more than ever, organisations across the globe need to take decisive steps to bolster their cyber security resilience,” said Geenens.

Geenens explained the addition of non-Russian and Ukrainian threat actors was making it very difficult to establish what operations were being run by patriotic hacktivists and which by the authorities. He said that even if Russia and Ukraine agree a ceasefire, which seems unlikely at the time of writing, the digital conflict will continue in the hands of third parties, increasing the risk of damaging spillover.

Geenens described this spillover as “the most significant threat” for organisations, in part because hacktivists have historically targeted organisations whose views don’t align with theirs. Anonymous, for example, is notable for conducting offensive cyber ops against Daesh in Syria, and the anti-LGBTQ+ Westboro Baptist Church. Thanks to the interconnected nature of the global business community, this tendency could make any organisation a target based on who they work with.

To avoid becoming collateral damage in guerrilla cyber warfare, Radware is advising organisations to pay attention to basic elements of security hygiene that should be familiar to IT teams from more normal times. This includes patching systems against known vulnerabilities, ensuring access controls are enforced with dual or multifactor authentication (MFA), enforcing strong passwords, reviewing and testing backups, enabling distributed denial of service (DDoS) protections, educating staff on phishing attacks, implementing incident response plans, and auditing suppliers.

Gareth Owenson, chief technology officer and co-founder of Searchlight Security, added: “It is [also] recommended that organisations stay ahead of any potential cyber attacks by increasing threat intelligence capabilities. This could include monitoring the deep and dark web for early warning signs of threat actors targeting international organisations – particularly those more susceptible to nation-state attacks that are critical to supply chains.”

Think carefully, then don’t get involved

Ukraine’s inadvertent masterstroke during the war so far has been to control the information narrative in a way that nobody predicted, and as early Russian advances foundered, momentum has gathered behind its president Volodymyr Zelensky.

Global support is rightly behind Ukraine, and it is understandable that many people in the UK, including ethical hackers, may be tempted to offer practical help, but Higgins at Comparitech said that taking direct action against Russian targets was something to be avoided.

“You don’t have the intelligence – it could be a friendly target or a covert asset. You don’t have the field knowledge – you could be attacking the same target as those you’re trying to help. You don’t know the infrastructure or network – you could be impacting civilians, aid agencies or your own side’s supply chain,” he said.

“Whatever the motivation, direct action is not guaranteed to have its desired effect. Military campaigns, whatever their origins, are based on intelligence – what to attack and when – to guarantee the best results and, ultimately, victory. Targets are researched and chosen with specific goals in mind, and attacking forces are supposed to avoid civilians or collateral damage.

“Uncoordinated cyber attacks stand just as much chance of hindering success as they do of helping, and disrupting critical national infrastructure in the midst of a large-scale conflict is almost certainly likely to affect the civilian population disproportionately.”

Yossi Naar, chief visionary officer and co-founder at Cybereason, added: “It’s hard to predict what, if any, consequences there are for an unknown attack against someone who is somewhat difficult to get a read on to begin with. This is another example of why an uncoordinated vigilante response of any kind is not the best strategy – its repercussions aren’t considered, nor is its value.

“Anyone can claim, ‘Look at me, I did this – that showed them!’, but did it really? What is the intended result? How does it contribute to the global effort to resolve the situation? Important questions must be asked when considering action and they should follow from a well-understood strategy.”

Roger Grimes, data-driven defence evangelist at KnowBe4, also cautioned against off-the-books offensive hacks. “Regardless of intent,” he said, “[it] is fraught with both ethical and legal issues, and, in general, society needs to discourage these attempts. If you rob a bank, you’re a bank robber, no matter what your intent.

“It’s also about ethics. You’re either a good and ethical hacker or you aren’t. Early on in life, you decide which you want to be. If you start carving out new reasons why you might be allowed to break laws and ethics to do something, then it becomes easier to do again for a lesser cause,” he warned.

“Today you’re fighting Russian aggression, tomorrow you’re attacking a cable company’s billing representative because you didn’t like a charge on a bill. It’s a slippery slope. If you’re an ethical hacker, you just don’t hack anyone else without their permission, period,” said Grimes.

Cybereason’s Naar summed up: “Any direct response that isn’t coordinated is, by definition, without strategy.” Just because one nation or group has the power to act, and that they are aligned against those we perceive to be our enemies, it doesn’t mean their actions are on our behalf and to our benefit.”