‘A very scary place’ — Russia-Ukraine war brings new cyber risks to transport sector

The Cybersecurity and Infrastructure Security Agency says companies should be extra vigilant for cyberthreats in light of Russia’s invasion of Ukraine. (Illustration: Shutterstock)

With the war underway, the risks are even higher.

Russia and its supporters could unleash cyberattacks against business and critical infrastructure in response to the U.S. and European allies’ sanctions and direct military aid. One ransomware gang vowed to attack the critical infrastructure of any country that retaliates against Russia.

“It goes to a very scary place for me,” said Josh Lospinoso, co-founder and CEO of cybersecurity startup Shift5 and a former U.S. Army cyber officer. “These are really weapons of mass destruction, they really are. The idea that you can, from 5,000 miles away, cause real harm or death to civilians is unconscionable to me. And the idea that we might get into a conflict of tit for tat where there’s escalating disruptions and destruction of critical infrastructure on both sides is reprehensible.”

The U.S. is unlikely to attack Russia directly with its offensive cyber capabilities because of the potential for retaliation, Lospinoso said.

“I would be very surprised if the Biden administration employed offensive cyberattacks against critical infrastructure in Russia,” Lospinoso said. “I think their calculus for that could be a wide range of things. I guarantee a big part of that calculus is the fact they know our critical infrastructure is as vulnerable as the critical infrastructure in Russia, if not more.”


‘I’ve never interacted with a transportation system that we could not break.’

— Josh Lospinoso, CEO of Shift5

Lospinoso’s work in the Army included leading the development of hacking tools for the U.S. national security apparatus. Now in the private sector, he runs a company that specializes in protecting transportation assets — trains, planes and tanks — from cyberthreats.

“If you’ve got enough coffee and willpower to spend time with these systems, I mean, I’ve never interacted with a transportation system that we could not break,” Lospinoso said.

But so far, these kinds of attacks haven’t emerged as a serious threat. There’s little incentive for cybercriminals to do this. It’s easier and more profitable to target systems in ransomware attacks, which encrypt data with the intent of crippling business operations. The criminals make money by offering a key to unlock the data.

The logic is pretty simple: Why bother trying to disable individual trains when you can bring down a railroad’s operations systems?

But what if the motive isn’t to make money, and the attackers are a state?

The malware, called Cyclops Blink, replaces another malware called VPNFilter, according to the advisory. VPNFilter was largely used to exploit networking devices such as routers, but security researchers found that it had functionality for manipulating traffic in industrial control systems through a module.

“Control systems on ships, rail side switching infrastructure, ports, etc. all have ICS [industrial control systems] equipment targeted by that module,” Lospinoso said.

While there is no evidence yet that Cyclops Blink is capable of manipulating industrial control systems, Lospinoso said it is “highly likely” that it has that functionality.
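The article describes a malware module built to manipulate traffic inside industrial control systems, the kind of equipment found on ships, in rail switching and at ports. The monitoring logic below is an added example, not code from the article, from Shift5 or from any published analysis of Cyclops Blink or VPNFilter. It assumes Modbus/TCP as the ICS protocol (the article names none) and shows one defensive check an operator can run on captured request traffic: parse the Modbus/TCP header, reject malformed frames, and alert when a state-changing (write) function code arrives from a host that is not an approved HMI or engineering workstation. All IP addresses and frames are constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Modbus application-protocol function codes that change controller state.
# Reads are 1-4; these are the write and read/write codes.
WRITE_FUNCTION_CODES = {5, 6, 15, 16, 22, 23}

# Hosts permitted to issue writes. Constructed for the example; in practice
# this is the inventory of HMIs and engineering workstations.
ALLOWED_WRITERS = {"10.0.1.10", "10.0.1.11"}


@dataclass
class ModbusFrame:
    transaction_id: int
    protocol_id: int
    length: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(payload: bytes) -> Optional[ModbusFrame]:
    """Parse a Modbus/TCP ADU: 7-byte MBAP header followed by the PDU.

    Returns None when the payload is too short or the MBAP length field does
    not match the bytes actually present (a truncated or tampered frame).
    """
    if len(payload) < 8:
        return None
    tid, pid, length, uid = struct.unpack(">HHHB", payload[:7])
    # MBAP length counts unit id + PDU, so a well-formed ADU is 6 + length bytes.
    if length < 2 or len(payload) != 6 + length:
        return None
    return ModbusFrame(tid, pid, length, uid, payload[7], payload[8:])


def inspect_request(src_ip: str, dst_ip: str, payload: bytes) -> List[str]:
    """Return alert strings for one Modbus/TCP request seen on the wire."""
    alerts: List[str] = []
    frame = parse_modbus_tcp(payload)
    if frame is None:
        alerts.append(f"{src_ip}->{dst_ip}: malformed Modbus/TCP frame")
        return alerts
    if frame.protocol_id != 0:
        # Protocol id is always 0 for Modbus; anything else is not Modbus.
        alerts.append(f"{src_ip}->{dst_ip}: unexpected protocol id {frame.protocol_id}")
    if frame.function_code in WRITE_FUNCTION_CODES and src_ip not in ALLOWED_WRITERS:
        alerts.append(
            f"{src_ip}->{dst_ip}: write fc={frame.function_code} to unit "
            f"{frame.unit_id} from a host not approved to write"
        )
    return alerts


def build_frame(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """Build a Modbus/TCP request ADU (used only to construct sample traffic)."""
    header = struct.pack(">HHHB", tid, 0, 2 + len(data), unit)
    return header + bytes([fc]) + data


# Constructed sample traffic: (source ip, destination ip, payload).
SAMPLE_TRAFFIC: List[Tuple[str, str, bytes]] = [
    # HMI reads 10 holding registers: benign.
    ("10.0.1.10", "10.0.2.5", build_frame(1, 1, 3, b"\x00\x00\x00\x0a")),
    # HMI writes a single coil: approved writer, benign.
    ("10.0.1.10", "10.0.2.5", build_frame(2, 1, 5, b"\x00\x10\xff\x00")),
    # Unknown host writes a single register: alert.
    ("192.168.77.4", "10.0.2.5", build_frame(3, 1, 6, b"\x00\x10\x12\x34")),
    # Engineering workstation writes two registers: approved, benign.
    ("10.0.1.11", "10.0.2.6", build_frame(4, 2, 16, b"\x00\x00\x00\x02\x04\x00\x01\x00\x02")),
    # Truncated frame from the unknown host: alert.
    ("192.168.77.4", "10.0.2.5", b"\x00\x05\x00\x00\x00"),
]


def audit_sample() -> List[str]:
    """Run the checks over the constructed traffic and collect all alerts."""
    alerts: List[str] = []
    for src, dst, payload in SAMPLE_TRAFFIC:
        alerts.extend(inspect_request(src, dst, payload))
    return alerts


if __name__ == "__main__":
    for line in audit_sample():
        print(line)
```

Reads from unknown hosts are deliberately not flagged here: the point of the check is to catch commands that change controller state, and treating every read as an alert would bury the writes in noise. A real deployment would feed it from a port mirror or tap rather than a hard-coded list, and extend the allowlist per unit id.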

Lospinoso said the same issue extends to civilian vehicles — where key systems weren’t designed with cybersecurity in mind.

“The digital components that are embedded in all of these military systems — guess what — they’re in all of our critical infrastructure as well,” he explained. “The manufacturers that make these things, they make the same chips and hard disks and computers and protocols that go in a Boeing 737 and an F-35, a container ship versus a destroyer, a ground combat vehicle, like a Stryker, or an Abrams tank and a locomotive. They’re the same components.”

And the leap from the digital components to control systems isn’t that big.

“So you’ve got dozens of these little electronic control units that, generally speaking, do one of two jobs, maybe both,” he said. “They sense things, they sense temperatures and pressures and orientations and these sorts of things. They actuate, they manipulate some device on the vehicle, right, they, you know, open up the fuel injector, they fire a piston, they unlock a door.”

While it remains to be seen whether these kinds of attacks will emerge as a significant threat to companies that move freight, there’s plenty to worry about even if no trucks are getting hacked yet.

While Lospinoso said the Biden administration is very unlikely to use cyberattacks against Russian infrastructure, he worries that level of hesitation isn’t mutual.

“We’ve seen in a variety of circumstances that they [Russia] have displayed a much more aggressive stance towards employing cyberattacks against critical infrastructure,” he said.

Even if the U.S. and Russia avoid direct cyberwarfare, multiple ransomware groups have been known to cooperate with the Russian government or operate with its consent. One notorious group, Conti Lockbit, publicly sided with Russia, stating, “If anybody will decide to organize a cyberattack or any war activities against Russia, we are going to use our all possible resources to strike back at the critical infrastructures of an enemy.”

Ransomware gangs themselves have done plenty of harm to the U.S. and global supply chain in pursuit of making money, just in the last year. There were the high-profile attacks on Colonial Pipeline, JBS Foods and Marten Transport. Rail operators CSX and OmniTRAX were also hit, though without a significant impact on operations.

In January, the Russian Federal Security Service announced that it had arrested alleged members of REvil, the ransomware gang behind the Colonial and JBS attacks. Lospinoso questioned Russia’s motives in the arrest, saying they were likely for show. He expects the Russian government will continue to tap cybercriminals to launch attacks in line with its strategic interests.

“In these geopolitical conflicts, they love plausible deniability,” Lospinoso said of the Russian government.