As tensions escalate around the world, and the temperature of conflict rhetoric between Russia and the West continues to rise, security professional Richard Stiennon asked an important question recently: Will Russian hackers take the conflict into cyberspace? Russian officials this week have already announced tit-for-tat sanctions against meat, fish, and other food from the U.S. and European nations. Could some organized hacker sorties be far behind?
The murky world of cybersecurity is already full of too many publicity stunts and junior G-man talk; adding to it with speculation about possible future state-sponsored cyberattacks is generally not a good idea. It’s already hard enough for folks to separate real threats from fear-mongering. But in this case, public discussion of a possible Russian cyber threat, during a time of serious escalated conflict, is worthwhile. After all, China has gotten all the state-sponsored hacker attention lately.
Russia, many forget, helped usher in the era of cyberwar back in 2007, when much of the Estonian Internet was brought to its knees by Russian hackers during a dispute between the two nations. The incident is the first paragraph of every paper written about the cyber cold war.
Stiennon raises the menacing possibility that the worst-kept-secret-in-the-world “Russian Business Network” might be activated to undertake irritating or potentially damaging hacker attacks. He writes:
This week two sources inside the security research community informed me that there are indicators that the Kremlin will unleash the Russian Business Network (RBN) if sanctions pass a certain threshold. Just what that threshold is remains an open question. But the specter of the RBN putting their minds to patriotic hacking is daunting, especially for financial systems. Why banks, trading platforms, and exchanges? Because it would be proportionate and direct.
The RBN has been around for a long time and, whatever the group might call itself now, its skills are well-regarded. But it has not engaged in public displays like bank website hacking in some time, preferring instead to make real money in quiet ways, like all professional hackers. That doesn’t mean it won’t; in fact, someone I respect hazarded a guess that the group is probably working under general orders from the Russian government to not unnecessarily escalate a cyber cold war. At least not until the time is right.
For additional even-handed analysis, I turned to Eben Kaplan, a cybercrime expert at Control Risks, a global business risk consultancy. He said we might still be several escalation steps away from Russian hack attacks on American interests.
Russia’s so-called “patriotic hackers” pose an ongoing threat, and they almost certainly have the ability to pack more of a punch than they have previously demonstrated. The global trend is that offensive cyber capabilities are constantly improving, and criminal groups are increasingly acquiring the ability to do things that were previously the exclusive province of nation states. Russian hackers have surely kept pace.
But the patriotic hackers have been awfully quiet compared to what transpired in Estonia in 2007 or Georgia in 2008. Even when Russia was annexing Crimea, the cyber dimension of the operation was notably subdued. It seems plausible that they may have been deterred; Ukraine has some pretty capable hackers of its own, and Russia may not have wanted to risk tit-for-tat cyber attacks with them.
Deterrence is also a plausible explanation for why we haven’t seen much cyber retaliation to sanctions. Defacing websites is one thing, but DDoS attacks against national infrastructure or more sophisticated manipulation of industrial control systems could trigger an escalatory response.
I hope he’s right. Those of us who watch state-sponsored hacking for signs of a real escalation in conflict hope we never see one. The collateral damage would be pretty unpredictable, though it’s easy to imagine the worst: the blackout of 2003 provides a pretty good script for that. There are also a lot of questions yet to be untangled: Would a hack attack on a NATO partner require a U.S. response? Would a digital (ones and zeroes) attack ever require a real-world (bullets and missiles) response? What if a digital attack resulted in blood? I prefer these questions be reserved for academic panels.