UK warned to bolster defences against cyber attacks as Russia threatens Ukraine

UK organisations are being urged to bolster their defences amid fears cyber attacks linked to the conflict in Ukraine could move beyond its borders.

The National Cyber Security Centre (NCSC) has issued new guidance, saying it is vital companies stay ahead of a potential threat.

The centre said it was unaware of any specific threats to UK organisations.

It follows a series of cyber attacks in Ukraine which are suspected to have involved Russia, which Moscow denies.

In December 2015, engineers in Ukrainian power stations saw cursors on their computer screens moving by themselves. They had been hacked. Hundreds of thousands of people lost power for hours.

It was the first time a power station had been taken offline, a sign that cyber intrusions were moving beyond stealing information into disrupting the infrastructure on which everyday life depends. Russia was blamed.

"It was a complex operation," says John Hultquist, an expert on Russian cyber operations at the US security firm Mandiant. "They even disrupted the telephone lines so that the engineers couldn't make calls."

Ukraine has been on the front line of a cyber conflict for years. But if Russia does invade the country soon, tanks and troops will still be at the forefront.

"If the aim is to conquer Ukraine, you don't do that with computers," says Ciaran Martin, who ran NCSC until 2020 - an arm of the UK's intelligence, security and cyber agency, GCHQ.

But cyber attacks are likely to support hard power, disrupting key services like power and communications to sow confusion. And even if the military conflict remains confined within Ukraine's borders, there are fears cyber attacks could spread.

In June 2017, Ukraine was the epicentre of an incident with global repercussions. Hackers got inside software used to file tax returns. Companies were then hit with ransomware - a demand they pay money to unlock their computers. Western governments would later say Russian military intelligence was responsible and that the real intent was not to profit but disrupt and blame it on criminals. Russia denied any role in this and other attacks.

In that case, the attack spun out of control as the malicious software spread beyond Ukraine's borders. International companies, including many in the UK, found their operations crippled.

"At one point around a fifth of the world's merchant shipping fleet was being controlled by WhatsApp because their computer systems weren't working," recalls Ciaran Martin. The global cost was estimated at $5-10bn.

In the last few weeks, Ukrainian institutions - this time largely government - have been hit again. Although there has been no conclusive proof of who was responsible, US authorities issued a sweeping warning because of "alarming" similarities to 2017, telling all organisations in the US - regardless of sector or size - to take "urgent" steps to reduce the likelihood of a damaging attack, and for anyone working with Ukrainian organisations to take extra care.

That warning was just one sign of growing concern of spill over. GCHQ and NSA - the US's cyber intelligence agency, have both been closely monitoring Russian cyber plans and working to share information faster, including with Ukraine.

In recent weeks, security meetings have taken place looking at the possible domestic impact of events in Ukraine with a series of alerts issued to industry.

The most worrying possibility is that Russia goes after Western infrastructure in an echo of the 2015 attack on Ukrainian power stations. "We've seen them trying to gain access all through Europe and the US for years by targeting those energy systems, water systems, airports," says John Hultquist. "We think that they're dug in already there."

That knowledge has led US and UK security authorities to issue alerts in recent weeks specifically aimed at critical industries.

In the US, infrastructure companies have been told to adopt a "heightened state of awareness" and search for signs of Russian hackers already on their systems.

In the UK in recent weeks, critical national infrastructure - which includes energy supply, water supply, transportation, health and telecommunications - have been warned by the NCSC about specific vulnerabilities known to be exploited by Russian hackers. Based on experience in Ukraine, energy and transport are most likely to be in the cross-hairs if anything were to happen.

"While we are unaware of any specific cyber threats to UK organisations in relation to events in Ukraine, we are monitoring the situation closely and it is vital that organisations follow the guidance to ensure they are resilient," Paul Chichester, the NCSC director of operations said in a statement accompanying the latest guidance issued on Friday.

Many experts are cautious about the likelihood of attacks on infrastructure actually taking place though. "It is not impossible. But it is quite unlikely,' says Ciaran Martin. "It's certainly not a cause for panic."

One reason is that, although the US and UK will not admit it, their own intelligence agencies are also deep inside Russian networks and able to retaliate. Moscow knows this, leading to a recognition of the dangers of escalating towards mutually-assured cyber destruction.

"The Russians will likely initially try hard to keep any of their cyber offensive activity contained to Ukraine - so as not to escalate the conflict with US and Nato at the same time as they are prosecuting a war with Ukraine," argues Dmitri Alperovitch, founder of the US-based Silverado Policy Accelerator and an expert on Russian cyber operations

"That calculus may change, however, if they have severe economic sanctions imposed upon them by the West - then the gloves may come off."

This is where the risks may lie. If the West does impose significant economic sanctions in response to Russian military action, Moscow could respond by targeting Western economies through cyberspace.

And here it may have options beyond a risky full-frontal assault. In recent years, criminal groups based in Russia have been blamed for a growing tide of ransomware attacks, those affected including UK schools and councils and even the Irish health system. An attack on a US energy pipeline led President Biden to call on Russia to clamp down on the hackers.

This month, Russia surprised observers by seeming to do just that, publicly arresting members of one group - known as REvil.

This could have been a message, Ciaran Martin argues. "Our basic assumption has to be that these (arrests) are cynically timed and designed to show the West that they can control these people should they choose to. If they don't like certain sanctions or other parts of the Western response, it is possible that some of these criminal gangs get the softer treatment."

Such a scenario is one of those being considered credible by UK security officials. And if they are hit online, the US and UK will have to work out how to respond - all amid fears of a cyber-conflict that could escalate.