OT Security and Critical Infrastructure Attacks in the Ukraine

28 Feb 2023

Russia’s recent military conflict with Ukraine began in 2014 when pro-Russian separatists in Ukraine took over the Crimean Peninsula. In February 2022, the conflict escalated into a full-blown war that led to thousands of civilian deaths, 200,000 military casualties, and millions of displaced persons. Economic sanctions imposed on Russia by many Western countries have contributed to Russia carrying out widespread malicious cyber attacks.

Critical infrastructure attacks

Threats against critical infrastructure and industrial manufacturers have steadily increased over the past year. Even if the war stops, cyber attacks likely will not. Since the war began, Ukrainians have had to fiercely defend their critical infrastructure and digital networks against cyber attacks, as well as psychological warfare via information campaigns.

Ukraine has built some resilience to Russian cyberattacks, thanks to a proactive stance and support from the West. However, new vulnerabilities are always emerging as malware constantly becomes more sophisticated.

Russian hacker attacks on Ukrainian infrastructure are not a new phenomenon. Attacks on Ukraine’s power system in 2015 and 2016 had a widespread impact, and since then, Russia has carried out additional attacks. During the first four months of 2022, researchers identified more destructive malware attacks on Ukraine by Russia than in the previous eight years. Attacks on critical infrastructure such as electricity, water, oil, and gas systems have the potential to cause maximum harm.

SSSCIP, Ukraine’s cybersecurity agency, reported threefold growth in cyber attacks over the past year, including attacks on Ukraine’s energy infrastructure last fall that were linked to sustained bombing campaigns. The coordination between bombings and critical infrastructure attacks is being called a war crime by Ukrainian officials.

Russia is also leveraging propaganda and disinformation to create panic. There are allegations that Russia is attempting to penetrate networks and extract data to identify and target people who may threaten its military offensive.

Ongoing cyber attacks have affected citizens and businesses in various sectors across multiple countries, particularly in verticals where Russia has a strong economic interest. For example:

  • In an early cyber attack on the oil and gas sector, a series of attacks against 21 US-based liquid natural gas producers was carried out by Russian-supported hackers just before the war began. At least one of the groups involved has been linked to Russia’s military intelligence unit. There is reason to believe that Russia may have European LNG companies in its crosshairs as well.
  • A large-scale ransomware attack in January 2022 disrupted oil terminal operations in Belgium, Germany, and the Netherlands. The Russia-linked BlackCat cybercrime group is behind the attack, having carried out other high-impact attacks in the US, Europe, and the Philippines.
  • Hackers targeted three Germany-based wind energy companies as governments reported a move to transition away from reliance on Russian fuel. Cyber attacks on energy infrastructure shut down systems and impacted large numbers of citizens.
  • Russian hackers have targeted Italy several times. In late May 2022, Russia carried out a major cyber attack on Italy after Italian officials expressed their support for Ukraine in the conflict. The attack compromised several targets, including the Italian postal system. In September 2022, the BlackCat group stole 700 gigabytes of data from Italy’s energy agency and threatened to publish the information if its ransom demands were not met.
  • In October 2022, Russia-linked Hive ransomware group attacked Tata Power, India’s largest integrated power company. In the attack, Hive stole and leaked sensitive data, including client information, financial records, and engineering drawings.
  • In January 2023, the Russia-backed LockBit ransomware group disrupted the UK’s postal service, putting international deliveries on hold for several days. Attacks by the group have risen 600% since 2021, with increasingly sophisticated approaches to extorting victims.

Increased regulatory requirements

In response, regulatory requirements concerning critical infrastructure attacks have been stepped up in many countries. In the US, transparency about certain cyber attacks is now required by law. Operators of critical national infrastructure (CNI) must report substantial cyber attacks to the Cybersecurity and Infrastructure Security Agency (CISA). Attacks must be reported within 72 hours, and any ransomware payments made must be reported within 24 hours. These reports will further the government’s understanding of attacks on critical networks and infrastructure and improve the ability to mitigate damage from attacks.

In January 2023, the US Justice Department shared that a global law enforcement operation destroyed hacker group Hive after it had already targeted more than 1,500 victims in over 80 countries, including businesses and public health agencies. While the operation sends a clear message that cybercriminals will be held accountable, group members are likely to join other groups or rebuild.

ENISA, the European Union Agency for Cybersecurity, along with the European Commission (DG CNECT), has taken a more active stance on OT cyber security and has disclosed major recent cyber attacks. The agency updated existing cybersecurity legislation and proposed the Cyber Resilience Act, which would impose cybersecurity requirements on hardware and software manufacturers.

The EU’s updated legislation on cybersecurity, the NIS2 Directive, outlines legal measures to increase the level of cybersecurity throughout the Union. The directive’s broadened scope addresses energy, healthcare entities, digital infrastructure service providers, public administration, the food sector, and waste management. The passage of cybersecurity legislation such as the EU’s NIS2 and America’s Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) means that industrial manufacturers and critical infrastructure organizations have greater obligations to protect themselves.

Experts warn that cyber attacks on critical infrastructure are likely to continue and spread to Asia-Pacific countries due to political and military support for Ukraine from countries like Australia and South Korea.

The US issued an alert regarding Russian-sponsored cyber attacks on critical infrastructure in April 2022. In the alert, cybersecurity authorities in the US, Canada, the UK, Australia, and New Zealand “urge critical infrastructure network defenders to prepare for and mitigate potential cyber threats – including destructive malware, ransomware, DDoS attacks, and cyber espionage – by hardening their cyber defenses and performing due diligence in identifying indicators of malicious activity.”

Agencies in the UK have also issued warnings about the threat, urging that critical infrastructure owners and operators take steps to protect themselves and their businesses. In light of the war between Ukraine and Russia, OT security in industries worldwide is at risk.

The events of the past year make it clear that critical infrastructure organizations must be proactive about improving their security posture. Malicious attacks have been brought to the fore by the recent conflict between Russia and Ukraine, and their proliferation makes it clear that these threats are not going away anytime soon.
