The following interview was originally published as part of Corvus’s quarterly Cyber Risk Aggregation report, known as the Nutcracker Report. We deliver these insights on trends in the aggregation of cyber risk to a select group of reinsurers, reinsurance brokers, and program managers. If that describes you and you’d like to receive the report in the future, please send your inquiry to email@example.com.
The Corvus Team spoke to John Hultquist about the impact of the war in Ukraine on ransomware and Russia’s cyber warfare capabilities. John has led teams creating best-in-class reporting on global cyber threats for over a decade. His work at Mandiant helps Fortune 500 companies and government agencies manage risk in a rapidly evolving landscape. A U.S. Army veteran, John also founded a conference focused on cyber warfare, CYBERWARCON, and is an adjunct professor at Georgetown University.
Join us as we learn about the cybercrime ecosystem, Russia’s disruptive capabilities, and more:
We’ve seen some interesting trends in cybercrime and ransomware coinciding with Russia’s invasion of Ukraine. Do you foresee any of these changes in the cybercrime ecosystem lasting, or is this a temporary reshuffling?
The problem of ransomware is largely a structural one. It’s going to be hard for any single event to really make a dent, even a war. It’s true we have seen some groups of threat actors implode due to fallout from the war, and on top of that one of the best things we have going for us right now in the fight against ransomware is the prices of cryptocurrencies dropping. All that being said, there is still so much money to be made that the structural problem is not going away. We expect that most of these threat actors will get their acts together again, and flourish.
The biggest reason for the structural nature of the problem is that the criminal underground is really a marketplace. It’s easy to see the major ransomware group names in the headlines and think that these big groups are the center of the problem. But the reality of it is that a ransomware attack is a series of transactions between multiple players. Somebody might gain access to your systems, then sell that access to an intrusion operations team. That team might build out the access to your organization, then work with the actual ransomware group on deploying the ransomware and negotiating with the target. With three different unique “players,” if one gets shut down they can simply work with others — an intrusion team can work with multiple ransomware service groups simultaneously. There is a fully developed underground economy and marketplace. For us, it’s like a game of Whac-A-Mole.
What do we know about Russia's capabilities (or their tendencies) in cyber warfare, and how do they compare with the West/NATO?
Relative to everyone else, Russia is far more aggressive — and by that, I mean showing off their destructive and disruptive capabilities. They will cross the line again and again — more so even than Iranians and North Koreans. Russia has attacked elections, attempting to gain access to the U.S. elections network to influence trust on our systems; they attacked the Olympics, trying to take down the opening ceremony. With that kind of brazenness, no other country comes close to them. We believe that the U.S. and NATO have strong capabilities, but we simply have a much higher threshold for the “line crossing” and so haven’t flaunted them.
So much of the impact of Russia’s actions is the suggestion of effect rather than the practical impact. They might know that they can't really change the outcome of an election, but they know they can suggest that something is awry. Or take the blackouts [caused by Russian cyberattacks] in Ukraine — they didn't last very long, and blackouts happen all the time anyway, so it wasn’t a big deal in a practical sense, but the message “hey, we can turn your lights off” is a powerful one — just what Russia was trying to accomplish.
In the “cyber theater” of the war so far have you seen anything that deviates from what would have been expected from Russia?
So far, no. Russia has not really surprised us with any new capabilities. [Russian agencies] the GRU, FSB — we know who they are, how they operate. Of course, that doesn’t mean it couldn’t happen. They have some highly sophisticated tools we haven’t seen them use yet in the context of this conflict; for example, the Triton tool they used to shut down an industrial plant in the Middle East.
Is there anything that a typical organization in the U.S. can take away from this cyber warfare activity regarding their own security?
Certainly. One major takeaway is that — good news — much of what we’ve advised our clients about previously still holds up. We know who the actors are and how they operate, so if you can focus on these actors and the targets they hit, you can thus limit the scope of your concerns. That’s a huge advantage — one of the biggest problems we face in security is trying to boil the ocean. If you're not focusing on the right problem, you’re wasting 90% of your energy. I always say you don’t want to be building walls when the enemies have planes, and in this case, we know what the enemies have.
What would an escalation in cyber warfare look like, beyond the tactics we've seen so far?
There are two scenarios we’re concerned about. One is the “NotPetya” scenario. So far there have been many attacks on Ukraine but none has achieved a massive scale. If they were to gain access to a large number of systems using the software supply chain and launch a simplistic but destructive attack — like NotPetya — they could eventually hit critical infrastructure. The other scenario is hitting critical infrastructure head-on. That takes time, and a lot of careful work, but the payoff can be huge in that it affects many beyond just the initial target.
There’s a strange and interesting paradox in cyber warfare. Cyber attacks are typically non-lethal, and generally reversible. That's the good news. But because they’re not lethal — because they might not trip the wire to open war — the actor has a much freer hand to use them. They know they can get away with it. While that’s a good constraint for keeping attacks from being as destructive as they might theoretically be, it’s not a good thing for the businesses and insurers who have to bear the brunt of frequent attacks.