Russian invasion has dangerously destabilized cyber security norms
The inside scoop on the Ukrainian IT army, and what could happen next
Black Hat The hacktivist attacks that have occurred during the ongoing war in Ukraine are setting a dangerous precedent for cyber norms — and infrastructure security, according to journalist and author Kim Zetter.
"Of course, the situation in Ukraine is unprecedented," said Zetter, speaking during the Black Hat keynote on Thursday. "And this isn't meant to criticize the country for doing what it thinks is necessary to defend itself. But the security community and governments have to be aware of the potential path that this is leading us to."
The idea of "cyber norms" isn't an amorphous concept, she explained. In 2015 the United Nations tasked 20 nations, including the US, UK, China and Russia, with developing guidelines for how international law applies in cyberspace, especially considering the growing likelihood of cyberattacks in future conflicts.
The end result of this process was a report that outlined normal behavior and principles in cyberspace, and put a fine point on the dangers stemming from cyberattacks against critical infrastructure.
"They agreed that states should not intentionally damage other states' critical infrastructure or otherwise impair the operation of critical infrastructure that provides public services," Zetter recapped.
"They also agreed that states shouldn't allow their territory to be used for cyberattacks against other states, and should take steps to mitigate malicious activity emanating from their territory when it's aimed at critical infrastructure of other states."
As we've all witnessed, this quickly went out the window following Russia's illegal invasion of Ukraine in February.
Rise of the IT Army
Zetter, for her part, focused on Ukrainian hacktivists and sympathizers, possibly because Russia usually displays very little regard for international norms, cyber or otherwise.
Shortly after Russia invaded and began conducting data-wiper attacks against Ukrainian organizations and infrastructure, Ukraine's Vice Prime Minister Mykhailo Fedorov issued a call to arms for volunteer hacktivists to launch offensive cyber operations against Russia and issued a list of 31 government and commercial websites to attack.
The so-called IT Army quickly mobilized and within days launched DDoS attacks against the Moscow stock exchange, Russian foreign ministry and a state-owned bank. Meanwhile, the initial 31-org target list grew to more than 600.
Other cybercrime gangs including Anonymous soon joined in with more DDoS and hack-and-leak attacks, and the list of Russian organizations hit by hacktivists skyrocketed.
"In addition, there appears to be in-house teams conducting more sophisticated operations for the IT Army that either consists of Ukrainian defense and intelligence personnel, or has direct ties to them and may also be getting tasking from them," Zetter said, citing a June report by cyberdefense researcher Stefan Soesanto for Switzerland's Center for Security Studies.
In his report, Soesanto linked this government-connected team to the cyberattack that knocked RuTube offline for three days.
A third potentially problematic element, according to Zetter, is Ukrainian-owned security firms in and outside the country that provide support tools to the IT Army.
This, she said, includes the developers behind disBalancer, a distributed penetration testing product to help identify DDoS vulnerabilities. In March, the developers rolled out a new app called Liberator, which is essentially the same tool that can be used to conduct DDoS attacks against Russian websites.
Around that time, another Estonian company launched a bug bounty program seeking vulnerabilities in Russian critical infrastructure systems with the aim of then passing these on to Ukrainian hacktivists.
"Despite the fact that these two companies are both based in Estonia, a member of NATO and the EU, their activity doesn't seem to have sparked any criticism from other NATO and EU member states," Zetter said.
"Obviously, there are unique circumstances to consider," she added. Namely: Russia invaded its neighboring country in violation of international law and has committed alleged war crimes against Ukrainians. Plus, these cyberattacks against Russian targets are being carried out during a war.
"The IT Army also seems to be showing some restraint in not destroying or disrupting Russian emergency services," Zetter said.
'Setting dangerous precedents'
But, she added, citing Soesanto: "This activity is in danger of setting unintended legal and ethical precedents that may create significant political blowback in the future."
"What if a Russian-owned company located in Germany were to organize an offensive bug bounty program that targets Ukrainian critical infrastructure, and shares the discovered vulnerabilities with the Russian intelligence community? Would Berlin, Brussels and Washington deem this acceptable behavior by the private sector?" she asked.
Plus, what happens to the IT Army when the war ends? Do the hacktivists simply disband and stop all ethically murky cyber activity? Probably not.
"Soesanto says continuing to ignore the essence of the IT Army will wreak havoc on the future stability of cyberspace, and with it the national security landscape in Europe and beyond," Zetter said. Meanwhile, "civilian infrastructure is very much on the agenda of attackers and will only become a greater target going forward," she noted.
It's tough to argue against either point. Unfortunately we'll likely have to watch them play out in real time. ®