At the time of this report's release, the Russian invasion of Ukraine is in its third week. The current trajectory seems to be towards a protracted war and increasing periods of stalemate. This means that the sanctions that are crippling Russia's economy are likely to remain in place.
One scenario is that Russia, in order to end the sanctions, will execute attacks to destroy large quantities of computers on a limited set of western organizations operating critical infrastructure and then threaten to unleash a full-scale attack on a more global scale unless sanctions are removed.
A second scenario is that a full-scale attack on a very large number of western organizations is unleashed directly with the intent to maximize pressure on many western countries and organizations responsible for enforcing and executing sanctions. The attack is likely to utilize self-spreading payloads and could potentially become the most damaging cyber attack known to date.
In both cases Russia’s best option to cause massive damage is to target the software supply chain by delivering malicious code into IT systems using widely used and popular software components. The payload is expected to be either destructive malware that will destroy the affected IT systems or ransomware that will put the systems in a non-functional state and extort the targeted governments and organizations for enormous amounts of money, or even political concessions, to regain control of their IT systems and infrastructure.
Infiltrating the right software company to perform a successful supply chain attack can take months of preparation. As the sanctions start to affect the Russian IT industry, Russia may instead attempt to force software developers inside Russia, working on widely used software, to assist them while they still have access to the western market.
We strongly urge organizations that are using software and systems that are directly or indirectly exposed to influence from the Russian government to take measures to minimize impact of a supply chain cyber attack.
Why We Risk a Large-Scale Cyber Attack From Russia
There is a lot we don’t know about the situation on the ground in Ukraine, but the current trajectory seems to be towards a protracted war and increasing periods of stalemate. Russia is unable to break the resistance of the Ukrainian people, but Putin seems intent on doubling down on his efforts to defeat Ukraine. This means that the sanctions that are currently crippling Russia’s economy are likely to remain in place.
So far Russian cyber warfare capabilities appear to have been concentrated on cyber attacks inside Ukraine, attempting to degrade the Ukrainian state and its ability to lead the country. Despite many successful attacks on government systems, the overall goal has not been achieved. Instead, President Zelensky has proven to be a master communicator. As the war now appears to grind into a stalemate, Russian cyber warfare units may be directed outside Ukraine instead.
The most obvious target for such cyber attacks would be critical infrastructure in the West. The Russian economy is in free fall and at some point, Russia may feel compelled to strike back at the West in a way that will damage the western economy as well. So far Russia has refrained from attacking targets in the West, and NATO has clearly signaled that large-scale destructive cyber attacks on NATO could constitute grounds to invoke Article 5. The question is how Russia will react if it eventually faces a complete financial collapse.
If Russia decides to adopt the idea that “if you destroy our economy, we’ll destroy yours,” a cyber attack may initially be limited, with the threat that unless sanctions are removed, worse is to come, or it may come in the form of a decisive attack to cripple as much as possible at once.
How To Perform a Massive Cyber Attack
The most effective way for Russia to launch an all-out destructive cyber attack would be a so-called supply chain attack. A supply chain attack is when a threat actor manages to gain unauthorized access to the IT systems of a large software company and uses the company's legitimate channels to push a seemingly legitimate software update, containing malicious code, to all of its clients.
The most recent supply chain attack observed was the SolarWinds breach that was exposed in December 2020. A Russian intelligence agency managed to hack the software company SolarWinds, which produces very popular software, and pushed a malicious update that infected systems in over 30,000 organizations worldwide. Imagine if, instead of espionage, this Russian actor had been intent on destroying all their victims' networks.
There are several candidates that are exposed to this risk; one example is JetBrains, a company that provides software platforms for much of the global Java software development community and is heavily integrated into the fabric of the modern IT world.
If a Russian actor manages to perform a successful supply chain attack, it would quickly be discovered once they start to release their destructive payload. Even though the Russian intelligence agency that conducted the SolarWinds attack had several months to work through the infected systems, they only had time to spy on a fraction of the victims. To launch a destructive cyber attack on a scale that would really hurt the financial system in the West, Russia would have to automate the attacks and make the malware self-spreading on the affected networks.
This is where things may get out of control. Self-spreading malware is called a computer worm. In 2017 Russia did release such a weapon. NotPetya was a supply chain attack that included a worm. NotPetya only targeted victims in Ukraine, but the malware still ended up infecting and destroying data on thousands of machines worldwide, including reportedly inside Russia itself. The total fallout of the NotPetya attack is estimated to have been over 10 billion USD in damages, most of it outside Ukraine.
This would likely be a weapon of last resort for Russia. Russia could attempt to limit the spread outside the territory of their NATO enemies. The code could, for example, be written to check language settings and ignore systems configured with particular languages. However, the prevalence of the English language in the global IT industry almost guarantees that such an attack would still affect countries currently sympathetic to Russia.
A Rogue Ransomware State?
If Russia manages to continue to function as an isolated rogue state, despite the sanctions, much like North Korea and Iran today, there is another risk the West may have to contend with. North Korea has for years used its army's cyber warfare units to conduct various cybercrime attacks to outright steal money to prop up the country's failing economy, and there are signs that Iran is starting to do the same. What if Russia orders its cyber warfare units to conduct ransomware attacks on the West?
We have already seen one example of what a large-scale ransomware attack using a supply chain attack as an initial attack vector could look like. The Kaseya hack in June 2021 was not strictly a supply chain attack, but for all intents and purposes, it had the same effect. Using a vulnerability in commonly used software, the ransomware gang REvil managed to successfully attack over 1,000 companies simultaneously.
Russia is already the center of a thriving criminal ecosystem of ransomware syndicates and other cybercriminals tolerated by the Russian government, as long as they follow the golden rule – no attacks inside Russia or Russia’s closest allies. If the state-sponsored hacking groups of the Russian intelligence and security services joined forces with these criminals to obtain hard currency for the failing Russian economy, then the threat of ransomware and other cybercrime would likely increase exponentially. Russia could even start holding IT systems in the West ransom for political concessions.
Candidates for a Supply Chain Attack
There are many categories of software companies that could potentially be used in a future Russian supply chain attack. The requirements for being selected for a full-scale cyber attack are, however, high:
- The software needs to be widely used by a large number of western organizations.
- The software should have a large installation base on privileged systems with access to the internal networks.
- The software vendor lacks controls to prevent and detect malicious code in its development pipeline.
Performing a successful supply chain attack against a widely used software company, for maximum impact, can take months of preparation. There is no guarantee that the infiltration will be successful. If the Russian cyber warfare units have no likely candidate ready to strike from, they may instead pressure Russian citizens with access to the development pipeline of widely used software into assisting with a supply chain attack, including software with strong ties to Russia.
This would previously have been out of the question, as one successful attack would have led the entire Russian IT industry to become taboo in the West, but with the current trajectory, that may soon be a fact anyway. Russia may consequently feel compelled to use a closing window of opportunity.
One example of many that meets these requirements is JetBrains, one of the leading global software companies. JetBrains provides software platforms for much of the global Java software development community and is heavily integrated into the fabric of the modern IT world. In 2020 one of JetBrains' 32 products, IntelliJ IDEA, dominated the IDE (developer tools suite for writing and testing software) market with 62% adoption among JVM developers.
JetBrains is formally a Czech company, but it was founded by three Russian software developers, and it has offices in Moscow, St Petersburg, and Novosibirsk.
Note that we have absolutely no reason to suspect the people at JetBrains or any other Russian software company of any such nefarious plans. If anything, they will be victims of the Russian government as well, as this would destroy their reputation. There is still very little they can do if the Russian security services march through their doors.
We strongly urge organizations using software and systems that are directly or indirectly exposed to influence from the Russian government to take measures to minimize impact should the Russian government decide to initiate a large-scale cyber attack on the West. We also recommend every organization increase their security posture against ransomware attacks and similar.
Edit 2022-03-17. JetBrains has published a statement on their blog regarding their offices in Russia. They claim that all offices in Russia have been closed. We also want to reiterate that we have nothing against Russian developers, but in the current climate any Russian software should be avoided for security reasons. You can start by checking on this page.