You won’t notice if the attackers sneak into your network, install their virus and wait quietly. But then, when the switch flips and the entire grid goes down, it’s too late — your power plant, government department, or company is down.
This kind of attack happened to Ukraine several times. Banks, governments and power plants went down a few years ago after hacking attacks widely believed to have originated in Russia.
Two weeks ago, computer security officers tracked down another such attack, probably targeting Ukraine again. Researchers from both Microsoft and security firm Trellix warned Ukraine and the rest of the world about the attack. If the virus is present on computers, it will now be detected and removed by virus scanners.
But it won’t be the last strike against Ukraine, experts think. If it comes to an armed conflict, it is expected that digital attacks will play an important role.
It is not officially known who is behind the recently found malware. It is difficult to say with certainty, emphasizes researcher Christiaan Beek of Trellix. “Technical clues can also be deliberately left behind, to mislead us and to blame another country or organization.”
Microsoft also does not identify a perpetrator, but does mention the “current geopolitical developments” around Ukraine. More than 100,000 Russian soldiers have gathered in the border area of that country. Intelligence sources previously told The New York Times that they saw an increase in hacking attacks from Russia against Ukraine.
“In recent years, the Russian intelligence services have focused heavily on Ukraine,” said Hugo Vijver, a former employee of the Dutch intelligence services who specializes in digital conflicts. “If they want to, they can bring large parts of Ukraine’s infrastructure to a standstill.”
The digital presence lurking under the radar could be turned into sabotage attacks, for example. Experts who spoke to the NOS agree that that will probably only happen if there is an armed conflict. “I don’t expect an isolated digital war,” said Dick Berlin, a former commander of the armed forces and now a consultant at a cybersecurity firm. “It will be part of a wider conflict.”
Government hackers could, for example, disrupt government communications, shut down banks or disrupt the electricity supply, but also disable defense systems. “In the ensuing chaos could strike, while morale among the population plummets.”
Ukrainian security expert Vlad Styran still questions the latter. “We are now used to something in this country. We have been living here for eight years with all kinds of hack attacks, while a war is raging in the east. The surprise effect is now gone.”
The recently discovered virus would come in handy when shutting down government organizations or utilities. Once activated, the virus works at two speeds: first, the digital ‘table of contents’ is erased from the hard disk, so that the computer no longer starts up, although the files on it can still be recovered. In the meantime, however, all files are irretrievably deleted one by one.
If the virus attack is discovered halfway through, it still creates a lot of chaos: not all files are irreparably damaged, but because the table of contents (in jargon: the master boot record) has been deleted, the computers simply don’t start anymore. With one computer this is manageable, but when it comes to hundreds or thousands of computers, the organization can still be temporarily down.
After the previous successful hacking attacks, Ukrainian infrastructure companies and governments have got their affairs in order, says Ukrainian hacker Marina Krotofil. “The low-hanging fruit is now gone,” says Krotofil, who specializes in infrastructure security.
But preventing a digital attack one hundred percent is difficult. “Also because it is difficult for Ukrainian companies to get qualified personnel: good personnel go to Poland, or have a job that has been outsourced to Ukraine at a Western European company. That pays a lot better.”
Anyone who really wants to and has enough time and money can always break in. Even if critical parts of an organization are not connected to the internet at all, that is no guarantee. Iran noticed this ten years ago: nuclear installations in Natanz were cut off from the internet, but a sabotage virus was introduced via a smuggled USB stick. Though never officially confirmed, Israel and the US are said to be behind it.
If it does not come to an armed conflict, the attacks will not suddenly be over, experts believe. “They will then continue to simmer,” says Vijver. “Recently there have been attacks, for example, in which government websites were digitally defaced. Annoying, but not something that makes you panic.”