Amidst Russia’s intensifying military assault on Ukraine, business leaders will need to formulate and communicate a clear corporate stance, recognizing both the reputational and cybersecurity risks inherent to this heavily charged geopolitical environment. Additional resources will likely be necessary to protect both employees and networks from retaliation by state-backed, non-state, or semi-state cyber actors—the ranks of which have vastly expanded over the past two weeks. They will also need to begin planning for Russia’s long-term technological and informational isolation from the West.
The Bottom Line:
The recent explosion in activity from non- and semi-state cyber actors—manifesting largely in unsophisticated DDoS and hack-and-leak operations—threatens spillover effects and potential retaliatory measures by Moscow on western entities.
Companies will be forced to make difficult market and reputational decisions with geopolitical ramifications and potential retaliation—from both sides of the conflict. “Neutrality” will thus be increasingly untenable. Companies share their risk profile with their users and customers.
Between Moscow’s crackdown on its information space and unilateral moves by western tech companies and service providers, the de facto split of the Russian “RuNet” from the global internet is underway and will undermine the continued interconnectivity and functionality of corporate IT and OT in Russia. While Moscow will reflexively look to India and China to compensate for this isolation, sanctions, supply, and market pressures are likely to complicate any rapid accommodation from Beijing and New Delhi—who are considering their own status and dependencies in the new geopolitical reality this conflict has created.
A Crowded Battlespace
In a domain already crowded by well-known Russian state-backed cyber actors and Russia-based ransomware groups, the conflict has led to an explosion of non-state cyber actors, like Anonymous and the Belarusian Cyber Partisans, aligning behind Kyiv. Ukrainian Minister for Digital Transformation, Mykhailo Fedorov, also set about recruiting a volunteer global cyber corps to go on the offensive against Russian government and infrastructure targets; the Telegram channel for the “IT Army of Ukraine,” via which targets are tasked out, boasts hundreds of thousands of subscribers. Although no formal attribution to these actors has been made, major Russian websites, including the Kremlin’s, subsequently suffered outages.
While the majority of non-state, crowdsourced capacity appears confined to distributed denial-of-service (DDoS) or web defacement-style tactics, the unprecedented level of hacktivism is now a fixture of the geopolitical crisis engulfing Eastern Europe. Consequently, as Moscow considers itself besieged by a global cyber army—and strangled economically by a barrage of Western sanctions—the potential for spillover and retaliatory effects grows. For instance, the head of the Russian space agency warned that cyber disruptions of Russian satellites would be cause for war. Incidentally, a (yet unattributed) cyberattack on US-based satellite network provider Viasat coincided with the Russian invasion on February 24, leading to KA-SAT service outages in Central and Eastern Europe, and apparent spillover effects on German wind turbines connecting via the network.
Moscow will respond to attacks and will attribute them based less on their forensic characteristics, and more on which geopolitical interests they ultimately serve. Russian leaders are prone to “mirroring” – assuming the West operates in roughly the same manner that they do: with a strong state apparatus orchestrating on-the-ground events in a coordinated, if loosely deniable manner. Attacks by Russia-based illicit cyber actors on US or European entities, in retaliation for non-state or hacktivist activity directed at Russian entities, are likely. This threat is particularly acute for enterprises involved in servicing government, military, critical infrastructure, and key resources sectors. For example, the Conti ransomware group threatened cyber-attacks on the critical infrastructure of countries which aligned against Moscow. Subsequently, a flood of leaks exposed the cozy relationship the group had with the Russian Federal Security Service (FSB).
This wellspring of activity also bodes poorly for the already fragile state of international norms in cyberspace. As the scourge of ransomware in past years has shined a spotlight on the need for states to curb illicit cyber activity originating within their borders, Russia’s war on Ukraine now seems to have ushered in a new wave of cyber vigilantism. An outbreak of illicit cyber activity—untethered to any broader military or political goal and fraught with legal and ethical peril—makes an already chaotic environment more unpredictable and increases risk for misperception and blowback.
As cyber researcher Florian Egloff recently wrote, “rather than diminishing the state, [these actors] are reconfigured by, and in turn reconfigure the state in particular ways”—the recent groundswell of hacktivist activity places both states and multinational corporations in an unprecedented position of overlapping, shared risk. The conflict in Ukraine is already altering and intensifying the financial and political incentives for cybercriminals. This dynamic will be particularly polarizing during a period of wartime – creating new dividing lines among major semi-state actors (aligned with a given state’s objectives) and non-state cyber actors (like hacktivists and privateers) that broadly reflect the geopolitical (and economic) dividing lines between Russia and the West. It will likewise erode prior incentives for these actors to obscure their links to the state, or for states to constrain these actors.
Taking a Stance
As we outlined in a recent advisory, corporate “neutrality” will be increasingly untenable in this conflict environment. Perhaps not since World War II have the geopolitical, market, and reputational imperatives presented themselves to corporate leaders in such overlapping fashion as they have over the past week. A vast range of otherwise peaceful technologies, goods, and services can take on a “dual use” character, depending on how they can be used by, or be perceived as benefitting, either side of the current conflict.
Each day has brought reports of new multinational enterprises halting or withdrawing their business activities in Russia and Belarus. Companies face increasing pressure to promptly choose a side in this conflict. From Starlink to Shell Oil and even Coca-Cola, western firms continuing business in the Moscow-aligned regions are likely to face continued pressure from Ukrainian leaders and social activists to take a stance. Companies will find it harder and harder to declare their neutrality – particularly if their products and services are found to be directly or indirectly aiding Russian government or military operations. President Vladimir Putin recently appeared to warn that departing companies may even find their corporate assets seized and nationalized; Moscow passed legislation easing this process for leased aircraft.
In such a charged information environment, companies are at increased risk of insider threats, hack-and-leak, and disinformation narratives that test their corporate communications strategies. They may unwillingly find themselves in the crosshairs of a motivated hacktivist collective—which could distract limited incident response and threat intelligence resources from other priorities.
Russia Increasingly Isolated
The conflict is accelerating the “Splinternet.” Whether by Moscow’s own repressive measures, or due to unilateral moves by global service providers and tech companies, or a combination of both—Russia’s war on Ukraine has accelerated the further atomization of a globally inter-operable Internet. As the United States sanctioned additional Russian state-backed disinformation outlets and the European Union barred state-run propaganda outlets like RT and Sputnik from broadcasting, major intercontinental backbone service providers like Cogent and Lumen announced a halt of service to Russia. Tech giants Apple, Oracle, Google, Facebook, and Microsoft all trimmed their offerings in the Russian market. Sanctions pressure has left Russia with no choice but to resort to developing its own indigenous authority for issuing TLS certificates—which help a web browser confirm that a domain belongs to a verified entity, and that the exchange of information between the user and the server is encrypted—as ubiquitous browsers like Mozilla and Chrome no longer recognize them. Unconfirmed reports emerged that Russian officials were considering disconnecting the country from the global internet themselves, and Russian regulators have begun blocking VPN services, which enable access to external sources of information.
Moscow has long sought to insulate itself and its “sovereign information space”—including not only technology, but traditional and social media content—from western influence. Despite efforts under former President Dmitri Medvedev to posture Russia as a hub for global technology and innovation, reflexive paranoia and distrust of western tech and social media giants—fed by a perception that they were instrumental in the Arab Spring movement and so-called color revolutions in former Soviet states—have led the Kremlin to ultimately prioritize regime security over technological integration with the West. Further crackdown and isolation will exacerbate an already chronic “brain drain” of highly qualified tech talent. In fact, in an evolution of the use of economic tools to counter Russian aggression, western countries might accelerate the outflux of tech talent with targeted expedited visa programs and host country sponsorship.
In aggregate, these developments bode poorly for continued interconnectivity, functionality, and security and software updates for commercial IT and OT, as well as personal devices and applications, between Russia and the outside world. Over the long term, Moscow will look to partners like India and China—the latter far better equipped for sequestration from the global Internet—to compensate for this isolation, but may find them less-than-willing partners due to sanctions, supply, and market pressures.
What You Can Do
With these dynamics in mind, business leaders should begin now to:
Formulate and communicate a clear corporate stance regarding the ongoing conflict.
Catalog the reputational and cybersecurity risks this stance may prompt, and marshal additional resources to protect both employees and networks. These risks can stem from broad corporate movements to tailor or withdraw their presence from the Russian market; retaliation by Russia-aligned cyber actors for a corporate stance on the conflict; or Ukraine-aligned hacktivists targeting businesses for avoiding such a stance. Follow our previously issued guidance closely on how to prioritize and handle these risks.
Amend planned technological and equipment investments to factor for the Russian economy’s likely detachment and isolation from western-made systems and services over the long term.
Special thanks to Al Hanson, Tracy Maleeff, Candace Moix, and Bill Moore for contributions to this post.