Ukrainian cyber defences prove resilient

The so-far low-key impact of the ongoing cyber war linked to the conventional war in Ukraine reflects the quality and resilience of Ukrainian defences more than it reflects any absence of cyber attacks from Russian military playbooks, or a change of tactics on Russia’s part, Western intelligence agencies now believe.

Before the war, cyber security experts sounded repeated alarms over the potential for the spread of a destructive cyber war, and although there have been a great many incidents – notably the discovery of a series of wiper malwares likely used by Russia on Ukrainian targets – the impact has not been nearly as pronounced or devastating as feared, nor has it had a great impact beyond Ukraine’s borders.

Speaking today, an unnamed Western intelligence official said: “We saw Russia use cyber operations as we would expect them to. There was a significant amount of intent on the part of Russia to disrupt Ukrainian systems before the invasion, and at the time of the invasion. But from our point of view, Ukraine has done an incredible job of being resilient in many ways.”

The official pointed to a significant amount of work by Ukraine’s government IT security teams at building their own resilience – having seen multiple cyber attacks originating from Russia over the past few years, the Ukrainians have plenty of experience of this – as well as a coalescence of support from both Western intelligence teams and private cyber security companies.

The intelligence official added that there is still no heightened level of cyber threat to the UK, or more generally to Nato states and other allies around the conflict, although levels of general malicious activity – such as financially motivated ransomware attacks – originating from Russia remain as high as ever. The official repeated previous messages to security teams to remain alert and aware of the potential threat, and to focus on building resilience where possible.

“Over a long period of time, we build up a picture of what Russia and other actors have an interest in – what meets both their intelligence and military objectives,” they said. “We are not seeing anything beyond that. We are not seeing them developing or looking to deploy anything like NotPetya.

“We are in a period of heightened threat. But we have to recognise that this is changing the strategic landscape and that building cyber resiliency is more important now than it was even just six months ago. That’s why we are looking at encouraging organisations to accelerate plans they already have had to raise their cyber resilience.”

Guidance from the UK’s National Cyber Security Centre (NCSC) holds that the most important thing for regular organisations to do during a time of heightened cyber threat is to make sure the fundamentals of cyber security are in place to protect their endpoints, networks and other systems.

The NCSC acknowledges that organisations are unlikely to be able to make widespread system or policy changes quickly in response to changing threat levels, but there are several actions that they should make every effort to take as a priority.

These include checking that systems are patched and up to date, that access controls are properly verified, that defences are switched on and working, that event logging and network monitoring are in place, that backups are reviewed, and that third-party access to systems and networks is secured. Organisations should also take time to review incident plans, and to brief employees on subjects such as phishing and password hygiene.