Over the past year, Russian cybercriminal actors have expanded their destructive actions beyond Ukraine, in particular as retribution for the aid provided to Ukraine. This directly affects EU member states, which have suffered a series of large-scale cyberattacks by malicious actors: Estonia, Poland, Romania, the Czech Republic, Belgium, the Netherlands, Germany and other European countries have come under attack. The problem cannot be ignored, and the EU is beginning to treat cyber incidents and cyber influence operations on this scale as part of a wider hostile effort. This forces the European Union to seek integrated, strategic solutions, such as a collective EU response governed by Article 222 of the Treaty on the Functioning of the European Union (TFUE).

The paper “Cyber Spillover: Cyber Attack on Ukraine is an Attack on EU”, prepared by expert Viktoria Boiko, examines the current context of the EU’s response to large-scale cyber incidents and the existing legal and political mechanisms for applying sanctions for cyberattacks on Ukraine and EU countries through a possible collective response of EU member states to cyberattacks under the Treaty on the Functioning of the European Union (TFUE, Art. 222) and mutual defence (governed by Art. 42.7 of the Treaty on European Union (TUE) and complementing Art. 5 of the NATO Treaty).

Cyber Spillover: Cyber Attack on Ukraine is an Attack on EU 


Summary:

Over the past year, Russian cybercriminals have expanded their destructive activities beyond the borders of Ukraine, in particular as a retribution for aid provided to Ukraine. This directly affects EU member states, which have suffered from a series of large-scale cyber attacks in Estonia, Poland, Romania, the Czech Republic, Belgium, the Netherlands, Germany. The EU is considering the proliferation of cyber incidents and cyber influence operations as part of a wider hostile effort. This forces the European Union to look for integral, strategic solutions, such as the implementation of a collective EU response, regulated by the Treaty on the Functioning of the European Union (TFUE), Art. 222 of this agreement.

The material “Cyber domino effect: a cyber attack on Ukraine is an attack on the EU” prepared by Viktoria Boiko examines the current context of responding to large-scale cyber incidents by the EU, the available legal and political mechanisms for scaling up the sanctions packages for cyber attacks on Ukraine and EU countries by implementing a possible collective response of EU member states against cyber attacks in accordance with the Treaty on the Functioning of the European Union (TFUE, Article 222) and mutual protection (regulated by Article 42.7 of the Treaty on the EU (TUE) and supplemented by Article 5 of the NATO Treaty).

 

Why cyber attacks should trigger proportionate reaction 

One of the components of Russia’s large-scale armed aggression against Ukraine is destructive action in cyberspace that correlates with the kinetic dimension of the war. A few hours before Russian troops invaded Ukraine on February 24, 2022, Microsoft warned about new malicious software targeting Ukrainian ministries and financial institutions. At least six Advanced Persistent Threat (APT) sources and other unidentified sources of cyber threats carried out destructive attacks and espionage while Russian troops attacked the country on land, in the air and at sea.

Russia’s use of cyberattacks appears to correlate with, and is sometimes directly timed to, its kinetic military operations targeting services and institutions crucial for civilians. Russian actors launched cyberattacks against a major broadcasting company on March 1st, the same day the Russian military announced its intention to destroy Ukrainian sources of “disinformation” and directed a missile strike against a TV tower in Kyiv.

The destructive attacks were directed at hundreds of systems. Especially dangerous were the 32% of destructive attacks that targeted Ukrainian governmental bodies at the national, regional and municipal levels. More than 40% of destructive attacks were aimed at organizations in critical infrastructure sectors, with potential negative second-order effects on the Ukrainian government, military, economy and civilians. Actors engaged in those attacks used a variety of techniques to gain initial access to their targets, including phishing, exploitation of unpatched vulnerabilities and compromise of upstream IT service providers. These actors often modified their malware with each deployment to evade detection. Microsoft attributed these wiper malware attacks to a Russian state-affiliated actor called Iridium.

As of March 2022, many key Ukrainian media outlets (several dozen), think tanks and political parties had been attacked. Several hours before the invasion, Ukrainian government agencies and banks were hit with DDoS attacks that took some of them offline. After these attacks, a data wiper malware called HermeticWiper was installed on hundreds of machines. Since February 24, Ukrainian security officials have identified at least eight new types of malware used by hackers to attack Ukraine: AcidRain, WhisperGate, WhisperKill, HermeticWiper, IsaacWiper, CaddyWiper, DoubleZero and Industroyer. This pool of cyber attacks served as preparation before the war began (ESET report). Those attacks had an impact outside of Ukraine, in Latvia and Lithuania, according to Symantec estimations. Low-level cyber attacks were also carried out on critical infrastructure facilities in the EU and the U.S.

The European Union’s cybersecurity agency ENISA and its in-house cyber response team CERT-EU released a joint warning saying they had “reported a substantial increase of cybersecurity threats for both private and public organizations across the EU.”
AcidRain – a large-scale cyber-attack that simultaneously hit a number of strategic sectors in several places in Europe. The cyberattack on U.S. satellite communications provider Viasat disrupted its services across central and eastern Europe. AcidRain, a destructive wiper malware, rendered Viasat’s KA-SAT satellite network inoperable for several days as of February 24, the day of Russia’s invasion of Ukraine.

The satellite covers 55 countries, predominantly in Europe, and provides fast internet connectivity. Among the affected KA-SAT users were the Ukrainian armed forces, the Ukrainian police and Ukraine’s intelligence service. This attack also disconnected remote access to about 5,800 Enercon wind turbines across Germany and disrupted the work of thousands of European organizations due to issues with satellite communications. The attack took place in two phases: first, a denial of service attack coming from “several SurfBeam2 and SurfBeam2+ modems physically located within Ukraine” that temporarily knocked KA-SAT modems offline; then, the gradual disappearance of modems from the Viasat service.

The same targeted cyberattack against the Viasat satellite-based internet access provider, aimed at disrupting communications of the Ukrainian military, had repercussions on nearly 30,000 satellite terminals across Europe. As of May 10, a number of countries, among them the EU, US, UK and Estonia, have attributed a series of cyber-attacks to Russia.

The EU’s response to the Viasat incident referred to norms of responsible state behavior, which are peacetime norms, and yet, in the same statement, referred to the incident as part of a wider “netwar”. Clearly, policymakers struggle to make sense of where cyber actions fit within the response.

 

Record of attacks on civilian cyber infrastructure during the armed conflicts
In the past, DDoS attacks failed to reach the scale-and-effects threshold for classification of an armed attack, an essential condition of Article 5, which alone did not allow Estonia to defend itself with force. Likewise in the Georgia conflict, labeled by the international media as “cyber war,” the effect of the cyber operation itself “was not serious enough to amount to severe economic damage or significant human suffering.”

It was also difficult to distinguish the damage and suffering in Georgia caused by cyber operations from that caused by the conventional armed conflict. Even if the effects could be deemed as sufficiently severe, the role of the state on behalf of the hackers and criminals was questionable enough to avoid state responsibility for the cyber operations. 

The use of proxies for misattribution prevented holding Russia responsible for the cyber operations in Georgia under the law of armed conflict—even though the cyber operations appeared to be a distinct component of the conflict. Likewise, the deceptive use of patriotic hackers to divert or take the blame in Estonia stymied attribution, which gave Russia a viable option for cyber coercion while plausibly denying its involvement.

Yet, in the course of the kinetic aggression against Ukraine, one can clearly track how Russia uses cyber activity as a subset, and often a facilitator, of the much broader domain of conventional warfare. In this context, rule 80 of the Tallinn Manual 2.0, which states that “cyber operations executed in the context of an armed conflict are subject to the law of armed conflict”, gains new relevance.

 

Western governments’ lack of strategic answer to a semi- & non-state actors’ activity 

Following the Russian invasion of Ukraine, some non-state hacking groups, the Conti team among them, previously responsible for numerous ransomware attacks, announced their full support of russia. As the group states: “The Conti Team is officially announcing a full support of the Russian government. If anybody decides to organize a cyberattack or any war activities against Russia, we are going to use all our possible resources to strike back at the critical infrastructures of an enemy”. 

After the announcement, a security researcher with the twitter handle ‘Contileaks’ published years of Conti’s internal communications online (the Conti team has been hit before when a former employee published their attack playbook). Considering the severity of the leaks, there is a good chance that the Conti team will reorganize and its employees will move to other ransomware groups. That said, attendees agreed that Western governments still do not have a strategic answer to this criminal activity from Russia.

There has also been commercial threat intelligence reporting on Chinese espionage activities in Ukraine and the region. Google’s Threat Analysis Group discovered an ongoing cyber operation in Ukraine by a Chinese hacking group known as APT31, targeting Gmail users affiliated with the United States government. Yet, attendees noted that there remain significant blind spots in how Chinese cyber actors are able to exploit the war in Ukraine for intelligence collection.

Today, China actively analyzes the Ukrainian cyber army’s significance and how it stood up to the Russian army of hackers. China can be seen as the first full-fledged case of a country using private cyber armies for its strategic objectives on a mass scale, directly and indirectly. After the recent shooting of Shinzo Abe, while China officially expressed its “shock” at the events, its groups of netizens often expressed celebration and excitement.

For years, China has semi-institutionalized the thinking and actions of hundreds of millions of IT-adept citizens who can be used in cyberwarfare. This means that regular private citizens may already constitute a covert cyber force. From the point of view of effectiveness, this approach makes a lot of sense for China: it does not need Western values, yet wants flexible solutions that serve the Party while allowing plausible deniability of state involvement.

 

Taking cyber out of the ‘tech’ silo and putting it at the core of EU security and defense

Over the last year, EU Member States have been hit by a series of large-scale cyber attacks by malicious actors. Among them, the Irish health system was paralyzed by a cyberattack; then, a ransomware attack against a software company and its customers led to the countrywide closure of a major supermarket chain in Sweden. In January, oil suppliers in Belgium, the Netherlands and Germany were targeted. Last month, a major telecommunications operator in Portugal

Similar malicious actors used the same type of attack against Ukrainian institutions, including media organizations, as well as government institutions and think tanks involved in shaping foreign policy. Strontium was attempting to establish long-term access to the systems of its targets, provide tactical support for the physical invasion and exfiltrate sensitive information.

Romanian authorities have attributed the distributed denial-of-service attack on government websites to Killnet, a threat actor that specializes in DDoS attacks conducted in the interest of Russia. The attack affected Romania’s ministry of defense, its border police, the national railway and OTP Bank. Almost simultaneously, Romania’s largest oil refinery proprietor, Rompetrol, was attacked by the Hive ransomware group. Killnet claimed that the attacks were retaliation for Romania’s support of Ukraine in the face of Russia’s invasion.

The attack came just one day after leading Romanian politician Marcel Ciolacu said the country may deliver weapons and provide military assistance to Ukraine.

The agency added that Killnet specializes in DDoS attacks and has previously attacked sites connected to the governments of the U.S., Estonia, Poland, the Czech Republic and other NATO members.

Russian nation-state threat actors are increasingly tasked with expanding their destructive actions outside of Ukraine to retaliate against countries that decide to provide more military assistance to Ukraine and take more punitive measures against the Russian government in response to the continued aggression.

The sabotage incident in which fiber-optic cables in France were cut, severing Internet and telecommunications connections, is seen as exhibiting the vulnerability of infrastructure to physical disruption.

Cozy Bear (also called Nobelium or APT29, a threat actor associated with Russia’s SVR foreign intelligence service) has continued to engage in cyberespionage against a wide range of targets in EU countries. The campaigns have achieved initial access through spear phishing, and they’re marked by the abuse of Atlassian Trello, and other legitimate cloud service platforms, for command and control (C2) communication.

The threat of cyberattacks on European soil is two-fold. First, attacks launched on Ukrainian networks could spread to European networks. Second, Russia could choose to launch direct attacks on European targets through its intelligence services or cybercriminal groups to disrupt the West’s response to the Ukraine crisis: military assistance to Ukraine and punitive measures against the Russian government in response to the continued aggression. We’ve observed Russian-aligned actors active in Ukraine showing interest in, or conducting operations against, organizations in the Baltics and Turkey – NATO member states actively providing political, humanitarian or military support to Ukraine.

 

US cyber counterstrike

The USA has undertaken coordinated actions against two cyber groups subordinated to the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (General Staff of the RF Armed Forces). In particular, the US Department of Justice announced a court-sanctioned operation against the global botnet of the Sandworm group, consisting of thousands of infected network devices controlled by the General Staff of the Russian Armed Forces. The operation removed the Cyclops Blink malware. On April 6, Microsoft received a court order that allowed it to take control of seven Internet domains used by the group Strontium for cyber-attacks on state institutions, media, governmental agencies and think tanks in Ukraine, but also in the United States and the European Union.

Part of the US strategy to reduce the degree of cyber hostility is the introduction of sanctions. The Treasury Department’s Office of Foreign Assets Control (OFAC) is currently imposing sanctions on Russia, in particular against 21 legal entities and 13 individuals, and all property owned or controlled by them on the territory of the United States has been blocked.
These sanctions are part of a comprehensive US response to the large-scale Russian invasion of Ukraine as of February 24, 2022. Their goal is to limit access to the resources used by Russia to finance the war and conduct cyber operations. The United States is committed to continuing to counter Russia’s destructive or otherwise destabilizing cyber activities against US allies and partners.

 

EU preparation to sanctions

Given that in a number of European countries (Germany, Poland and Greece) critical infrastructure (power plants, alternative energy sources), private sector enterprises and state institutions have been subjected to various cyber attacks in the course of the war in Ukraine, the European Union’s cybersecurity agency ENISA and its in-house cyber response team CERT-EU, together with the German Federal Office for Information Security (BSI), have issued a number of warnings to critical infrastructure operators, but also to regional and local authorities, political parties, media outlets and think tanks. This is forming a new attitude towards cyberattacks, in particular towards treating them as acts of cyberterrorism.

Thus, the German company Nordex Group, one of the world’s largest manufacturers of wind turbines, reported on March 31, 2022 that it had been the victim of a cyber attack that shut down its entire alternative energy sector. In particular, more than 5,000 system units were affected, causing almost 11 GW of energy losses. Apart from Germany, similar malware has also been detected in Latvia and Lithuania.

The European Commission has so far initiated new cyber and information security regulations in order to increase resilience to cyber threats and respond to them in a timely manner. All institutions, bodies, offices and agencies of the European Union should have in place cybersecurity units for assessment and defense, and for immediate sharing of incident information with CERT-EU and EU member states.

The regulations also provide for the establishment of a new Interinstitutional Cybersecurity Board (IICB) to monitor the implementation of the regulations and coordinate the activities of CERT-EU. The mandate of CERT-EU will be widened: it will act as an incident response coordination center, a central advisory body and a service provider. The regulations also imply the deployment of Security Operations Centers (SOCs), which are to monitor networks and track high-level threats around the clock in most EU institutions, bodies and agencies, cooperating with CERT-EU on a daily basis.

Certain measures are also being taken at the member state level. As of April 1, 2022, the Administrative Court of Cologne ruled (Az.: 1 L 466/22) in support of the BSI’s recommendation to replace the products of the Russian company Kaspersky with alternatives. The warning issued by the BSI is, in particular, a response to a series of cyberattacks on Germany’s critical infrastructure and to Russia’s large-scale armed aggression against Ukraine. Kaspersky has long been reasonably suspected of collaborating with the FSB and other intelligence activities, of conducting offensive operations, and of targeted attacks on the IT infrastructure of EU countries with significant potential for infiltration into the state networks of EU member states. On March 25 of the same year, the US government officially expressed suspicion of a high level of Russian government interference in Kaspersky Lab’s activities.

The European Union Agency for Network and Information Security (ENISA), in response to Russia’s large-scale military aggression against Ukraine, issued recommendations to strengthen the security of public and private organizations in Europe, in light of similar steps undertaken some time ago in the United States and Great Britain. The actions of the Russian military and intelligence forces against the EU and NATO are already qualified by the BSI as aggression, which is the basis for preparing the introduction of cyber sanctions. However, so far none of these measures has triggered a stronger reaction.

In terms of legal provisions, Council Regulation (EU) 2019/796 of 17 May 2019 defines a serious cyber attack as an external threat to the EU, its critical infrastructure, services or public institutions and processes that are important to support the health, safety and well-being of the population, in particular in the fields of energy, transport, banking, digital infrastructure and others.

This threat of cyber incidents gives the green light for the implementation of the EU collective response, which is regulated by the Treaty on the Functioning of the European Union (TFUE). Art. 222 of this treaty foresees a solidarity clause providing an opportunity for mutual support among EU member states. The mutual defense clause, governed by Article 42.7 of the EU Treaty (TUE) and complementary to Article 5 of the NATO Treaty, may also apply. This mechanism was first invoked by France in 2015 after the terrorist attacks in Paris.

Sanctions may be imposed not only against entities directly responsible for cyberattacks, but also against all entities that provide financial, technical or material support or are otherwise involved in cyberattacks. This significantly expands the scope of sanctions, which may be imposed not only in response to cyber attacks directly against European institutions (institutions, bodies or offices, delegations in third countries or to international organizations, operations and missions of the Common Security and Defense Policy or their special representatives), but also in response to attacks against member states of the Council of Europe.

The US has already imposed sanctions against many non-State actors. A wide range of entities and individuals have appeared on the US list, including the Russian Main Intelligence Directorate (GRU) and its senior officers, the Federal Security Service (FSB) and private Iranian-based companies.

 

Bottom line

The cyber domain has long been a dimension of Russia’s aggression against Ukraine, from massive APT attacks and cyber influence campaigns aimed at crippling the power supply to attacks affecting government agencies (sensitive information on social benefits, inter alia), transportation infrastructure, financial and other strategically important objects of Ukrainian critical infrastructure.

Currently, Russia is not able to sustain its own technology needs; a shortage of microchips and the effect of sanctions will keep Russia from being self-sufficient in the foreseeable future, thus increasing its dependency on China. Western countries should develop a common position on how to address the partnership between China and Russia in cyberspace, with further design of the sanctions regime and its effective implementation.

In the context of Russian aggression against Ukraine, there is no longer any need to ‘surpass’ the scale-and-effects threshold for an incident to be classified as an armed attack, or to prove a degree of severity as an essential condition for triggering Article 5. It is enough to show the spillover scale of an incident that produces a cross-border end effect.

There are a number of in-house EU provisions and international best practices in place for launching sanctions mechanisms, or even cyber counterstrike and hack-back capabilities against the aggressor country, deterring future destructive attacks on critical infrastructure in the EU.

At any rate, it is worthwhile for the EU to consider cyber incidents and cyber influence operations in relation to the overall warfare landscape, as part of the wider deployment of lethal force, and to resist the temptation to analyze them in isolation. Thus, it is of utmost importance to design the reaction to cyber attacks as part of a holistic answer to destructive actions in the kinetic dimension of conventional warfare.