War in Ukraine: between Russian cyber-propaganda and hacktivism… new forms of attacks are emerging


Alexandre Boero

November 04, 2022 at 6:02 p.m.

© Shutterstock x Clubic.com

On the cyber front, the war between Ukraine and Russia has had no major consequences in France. It also shows Ukraine's capacity to resist beyond the conventional battlefield. It is nonetheless a game changer that is reshaping the threat landscape.

For the period between July 2021 and July 2022, the European Union Agency for Cybersecurity (ENISA), which has just published its latest threat survey report, notes that the main actors and threats remain more or less the same from one year to the next. “However, geopolitical situations, especially the Russian invasion of Ukraine, were game changers during the reporting period for the global cyber domain,” says the agency, which has observed the emergence of a wider range of vectors, such as disinformation, deepfakes or zero-day exploits. France has so far been relatively spared by a conflict that is nevertheless shaking the whole world. At the Assises de la sécurité in Monaco, we took the pulse of several major players in the cyber world to see where things stand.

No cyber warfare, rather incidents and targeted cyber attacks

“From the beginning of the war, we saw that there was a really very targeted volume of attacks between Russia and Ukraine,” notes Xavier Duros, Technical Director at Check Point Software. The hacker groups then sided with one bloc or the other. “We expected to have repercussions,” continues the cyber expert, explaining that “there weren’t that many in fact, including in France”.

There were, however, peaks. Xavier Duros cites the case where “as soon as a country communicated saying it was offering additional resources to Ukraine, we saw that there was a targeted attack”. From one player to the next, the cyber specialists agree.

“Yes, there are things happening in the cyber world related to this crisis. But in practice, it is a crisis which is above all military,” continues Ivan Kwiatkowski, researcher at Kaspersky’s GReAT. “Cyber is a bit secondary to shells dropping or troops advancing and retreating. We clearly saw less cyber activity than was expected at the start of the conflict. Cyberwar did not happen.”

Russia also uses the cyber weapon for communication purposes

Among the notable attacks, we can mention those carried out on local power stations, or the famous incident of the Viasat KA-SAT satellite, which occurred in the spring. “Apart from some side effects that there could have been on some activities, particularly at the start of the invasion in the month of February, the rest is done mostly on the battlefield, which does not prevent an increase in terms of the level of protection of all Western states on the potential for Russian action on their territory. The real cyber impact of this war, we have not seen it specifically,” concludes Mandiant’s European Technical Director, David Grout, on this question.

Although cyberwar has not really taken place alongside the armed conflict, this does not mean that strategies and threats are non-existent, nor that they began only last February. “We have seen upstream, and when I say upstream it is from October and November 2021, many interventions on ministries of Foreign Affairs or authorities and personalities who have power at European level, on which we intervened in response to incidents on Russian groups,” says David Grout. These Russian groups were collecting information to support decision-making, with the aim of knowing how European states would potentially react. “And since the outbreak of the conflict at the beginning of the year, we have remained on something more territorial,” he recalls.

Vladimir Putin seems more focused on the conventional aspect of war (© Drop of Light/Shutterstock.com)

Russia uses the cyber tool very regularly, but perhaps more to serve its communication. “Russia’s ability to use information influence is extremely strong. Anything involving fake news or information leak networks is very powerful. The cyber spectrum is therefore part of the conflict.” Thefts of intellectual property and intelligence are also part of the conflict between the two neighboring countries.

A trend towards “hacktivism”, beneficial to Ukraine

Where Ukraine shines is in its ability to resist computer attacks launched by Russia. But for the experts, this is only half a surprise. “Ukraine had already suffered cyber attacks a few years ago. We already did not expect the country to resist so well on the war in its conventional part,” says a surprised Xavier Duros. “But in the cyber theater, they were even better prepared. There are a lot of attacks on energy or water that could not succeed,” he adds.

“There is a parallel between the physical and the cyber that is undeniable, and it will continue anyway. Economic intelligences position themselves and take sides. There is talk of a transformation towards hacktivism at the cyber level.” The point raised by Xavier Duros is interesting, because this “hacktivism” is discussed quite extensively by ENISA in its latest annual report on the state of the threat, published on 3 November. “A new wave of hacktivism can be observed especially since the beginning of the Russian-Ukrainian crisis,” notes the European agency.

In 2021, hacktivist operations were still small in number, sophistication and impact. But things changed in the space of a few months. “About 70 hacktivist groups are involved in the conflict between Russia and Ukraine. These groups target critical organizations and infrastructures through DDoS (denial of service) attacks, degradations or data leaks.”

Ukraine has real arguments on the cyber ground (© Shutterstock)

These groups (from two major “camps”) now coordinate on channels like Telegram, which make it easy to join, participate and even download the tools needed to carry out DDoS-type attacks, for example. “The dark web has historically been transferred to Telegram, which makes it possible to have these very large discussion groups, with no audience limit where everything is encrypted. There are recruitments through Telegram groups, which help to have a very distributed strike force,” adds Xavier Duros.

ENISA mentions in particular the hacking of the Belarusian Ministry of the Interior in July 2021, and the targeting of railway supply lines on January 24, in which modified ransomware was used to bring down the railway system and encrypt Belarusian servers, databases and workstations in order to slow down the movement of Russian troops.

“Typically, large groups try to find the weakest link in the chain of an industry in a sensitive sector. As we target a nuclear power plant on the physical plane, there they are looking for an airport in terms of cyber. If they find a service provider, a supplier, an airport ecosystem that is vulnerable, that is where they will attack and make the most impact possible. The goal, in this type of attack, is to make unavailable the production of the system that we are going to attack,” explains our Check Point expert.

France, little exposed and well protected

France does not have much to fear on the cyber level, at least as long as it remains at a reasonable distance from Ukraine and Russia. But the more the French state takes sides in favor of Ukraine, the more exposed it will potentially be. The country's sensitive infrastructure is well protected today. Hackers could then be led to attack more institutional structures, such as ministries.

“Overall, France is well endowed from an organizational and political point of view. Today, there is a real political will on the defensive struggle. From a military point of view, things exist and have been written down. France is a mature country in terms of defensive struggle,” reassures David Grout, of Mandiant.

What about the future, then, and the evolving place of cyber in conflicts and geopolitical tensions? “In the future, I think that in Europe and in the United States, there will be sabotage operations for protest, and I am not sure that we will be able to identify the link between the industrial accident, the thing that no longer works and the cyber attack at the origin. That will happen in a second phase which will be interesting to study,” predicts Ivan Kwiatkowski. “I don’t know when that will change or even if we realize it. We must not lose sight that in the rest of the world, things continue to happen in security, that vulnerabilities are discovered with people who haven’t patched yet, and that ransomware groups are still active and come from regions of the world where the international police cooperation is sadly dead,” concludes the Kaspersky expert.

Our page on the Assises 2022 is coming to an end (© Alexandre Boero for Clubic)

Alongside our thematic features on the protection of hospitals, on ransomware and the payment (or not) of the ransom, and on the potential recovery of data after a hack, this article concludes our large special page devoted to cybersecurity after our visit to the Assises de la sécurité. Thank you for following us in our adventures, and for your precious loyalty.


