Russian President Vladimir Putin was stripped of his judo title recently, but experts say he employs the same principles of that martial art in his cyberwarfare strategy: Use opponents’ strength against them.
Putin, a lifelong judo enthusiast, lost his status as “honorary president and ambassador” for the International Judo Federation and his “honorary 9th dan black belt” from World Taekwondo, bestowed upon him in 2013, following his current invasion of Ukraine. Experts are concerned, however, that he will use the approach he honed in those disciplines through Russia’s enormous cyberwarfare complex.
Russia has long been considered one of the largest practitioners of state-sponsored cyberattacks, regularly receiving mention in cybersecurity-company watch lists. The country has regularly used that capacity in an asymmetrical manner to disrupt adversaries where open hostilities would not be prudent. Against the West, that means targeting a growing reliance upon interconnected networks and open-source software to power government and financial organizations.
That said, Putin’s greatest weapon in cyberwarfare is using an opponent’s reliance upon intertwined networks and information against them. When Russia hacked into Ukraine’s power grid back in December 2015 and managed to turn the lights on and off for about a quarter-million customers, the most harmful result wasn’t so much the loss of electricity, but the fear it could instill by showing they could simply do it, Sandra Joyce, head of global intelligence at Mandiant Inc., told MarketWatch in an interview ahead of the announcement that Mandiant is being sold to Alphabet Inc.
“There is definitely the risk of Russian cyberaggressors utilizing their current accesses from which to launch an attack,” Joyce told MarketWatch. “It’s the risk of that happening that has increased in the event that Russia decides to retaliate against our sanctions and other measures that we’ve been taking.”
We have nothing to fear but fear itself
Joyce said Russian hackers can already be inside compromised networks like sleeper-cell agents, as was the case with the “Sunburst” attack on SolarWinds Corp.’s Orion IT software in December 2020. Hackers typically roam around a compromised network for months undetected to see how much of it they can control before delivering an attack.
“That’s the scary part about that attack because it unfolded over many, many months in terms of being able to compromise source code and build environments,” George Kurtz, the co-founder and chief executive of cybersecurity company CrowdStrike Holdings Inc., told MarketWatch in an interview.
One of the biggest concerns that organizations have is the vulnerability of open-source software that sees widespread use “in terms of some of those being tainted,” Kurtz said. Most recently, a vulnerability in Apache Software’s Log4j open-source logging tool was used by hackers for attacks earlier this year, while on a larger scale, 2017’s hack on Equifax Inc. was carried out using an unpatched version of Apache Struts.
Kurtz said that state-sponsored cyberwarfare programs like Russia’s have the sort of time and resources to make a meaningful contribution to open-source projects just so they can utilize the vulnerabilities later.
“Someone like the Russian government would actually have the capabilities to do that,” Kurtz said. “The Cold War was over, I think it’s restarted. Lots of smart people had to figure out what to do, they’re certainly focused on cyber.”
Kurtz said he sees two areas of cybersecurity worth watching pertaining to Russia and Ukraine. The first is controlling the narrative through disinformation campaigns through social media and the like, as evidenced in past U.S. elections.
The other, Kurtz said, is “going to happen at some point — not an if, it’s a when — is that there’s going to be some deep-fake videos out there that are designed to work with the first point.”
“The real endgame is the fear, uncertainty and doubt that they can sow in the people,” Joyce said. “The effectiveness of these sanctions really is driven by the willingness of the people to support them, so you can consider the will of the people a major target for this sort of playbook that Russia’s been utilizing.”
“If we continue down fear, uncertainty and doubt, if we spin up and succumb to paranoia, we’re pretty much doing the Russian government’s job for them,” Joyce said.
Cyber defense burnout is a real problem
Another big concern that both Mandiant’s Joyce and CrowdStrike’s Kurtz share is that this is all happening at a time when there’s a lot of understaffing and burnout in the cyber defense arena. Three years ago, the research firm Cybersecurity Ventures had forecast a shortfall of about 3.5 million qualified cybersecurity workers by 2022.
What has changed with Russia’s invasion of Ukraine and threats against the West is the level of alert, much like a Defcon level, Kurtz said, and cybersecurity workers are putting in more and more extra hours.
“It’s a huge problem in the industry right now, there’s what we’d call ‘security burnout’ particularly with the security operations centers, and that’s across all organizations,” Kurtz said. Referencing the 3-million deficit forecast from 2018, Kurtz said that it couldn’t have accounted for COVID-19 or the Great Resignation, and that a lot of people simply retired, “and we can’t fill the jobs fast enough,” he said.
Joyce told MarketWatch that the operations tempo and workload for cybersecurity personnel as of late has risen so much, it “has been crushing to many organizations.”
“I’m trying to advocate to monitor burnout of cyberdefenders because they are committed to this mission, they have the passion for this mission, and many of the ones that I know are working 24/7 to make sure they’re not missing anything,” Joyce said.