Russia would consider conducting a cyberattack on the US homeland if Moscow perceived that a US or NATO response to a potential Russian invasion of Ukraine “threatened [Russia’s] long-term national security,” according to a Department of Homeland Security intelligence bulletin obtained by CNN.
“Russia maintains a range of offensive cyber tools that it could employ against US networks—from low-level denials-of-service to destructive attacks targeting critical infrastructure,” says the January 23 memo, which DHS distributed to critical infrastructure operators and state and local governments.
Despite US tensions with Russia over Ukraine, DHS analysts assess that Moscow’s threshold for conducting disruptive or destructive cyberattacks on the US homeland “probably remains very high,” the memo says. “[W]e have not observed Moscow directly employ these types of cyber attacks against US critical infrastructure—notwithstanding cyber espionage and potential prepositioning operations in the past.”
Asked for comment, a DHS spokesperson said, “The Department of Homeland Security regularly shares information with federal, state, local, tribal, and territorial officials to ensure the safety and security of all communities across the country.”
US officials have been bracing for potential retaliatory cyberattacks from the Kremlin as Russia has threatened to invade Ukraine by amassing some 100,000 troops along the Ukraine border. The Treasury Department held a classified briefing that covered the issue for big US banks, while the Energy Department has briefed America’s largest electric utilities on Russian cyber capabilities, CNN previously reported.
Ukraine ‘a sort of testing ground’ for cyberattacks
Cyber operations have been a recurring aspect of the military conflict in Ukraine, analysts say, which began when Russia annexed Crimea in 2014.
Suspected Russian hackers cut power in parts of Ukraine in 2015 and 2016, and unleashed devastating malware known as NotPetya in 2017 that began infecting organizations in Ukraine but spread globally, causing billions of dollars in damage. The US Justice Department blamed all three incidents on Russia’s GRU military intelligence agency.
“I am concerned that Russia has been using Ukraine as a sort of testing ground for its cyber capabilities,” Sen. Mark Warner, a Virginia Democrat who chairs the Senate Intelligence Committee, told CNN.
“For years, I’ve been making the case that we need rules of the road in cyberspace, just like we have defined norms around armed conflict,” Warner said. “We need to ensure that the Kremlin knows that if they were to use destructive cyberattacks against the United States, there would be serious consequences.”
The Biden administration has repeatedly tried to impose costs in response to Russian hacking activity, including by sanctioning Russian technology firms.
President Joe Biden said at a press conference last week that the US could respond with cyberoperations of its own should Russia conduct additional cyberattacks in Ukraine.
Biden spoke days after a pair of cyberattacks targeted several Ukrainian government agencies that investigators believe were carried out by the same actor.
In some cases, the hackers replaced content on government websites with threatening messages claiming Ukrainians’ data had been stolen. In other cases, malicious software deleted data from roughly 20 computer servers and workstations at at least two Ukrainian government agencies, according to Victor Zhora, a Ukrainian official investigating the incident.
The impact of the hacks has so far been limited, but Ukraine’s recent history has officials on alert.
“One possibility … is that this attack is just a front for a much stronger attack that we may face in the future,” Serhiy Demedyuk, deputy secretary of Ukraine’s National Security and Defense Council, told CNN.
Ukraine preparing cyberdefenses
As Ukraine readies its military to defend against a potential Russian invasion, Ukrainian officials have held urgent cybersecurity meetings and drawn on US support to fortify their networks. Zhora told CNN that officials at the US Embassy in Kyiv were quick to offer help in recovering from the hacks.
There is “no doubt that [any Russian invasion] can be supported by cyber aggression — or at least they will stay active in cyberspace,” said Zhora, who is a deputy chairman at Ukraine’s State Service for Special Communications and Information Protection.
It’s unclear, for now, who was responsible for the recent website defacements and the small amount of data-wiping on Ukrainian government networks. Some of the tactics used are similar to those of Russian hackers, Zhora and Demedyuk said in separate interviews, but the evidence so far is inconclusive.
Demedyuk has also suggested that a hacking group linked with Belarus intelligence could be involved, but he told CNN that theory is unproven as of now. “The sheer amount of digital evidence involved in this attack has made it more difficult to pin down which group is responsible.”
One immediate focus is on ensuring that the intruders have been kicked out of Ukrainian networks so they can’t do more damage. “We need to be sure [of that],” Zhora said from his office in Kyiv.
This story has been updated with additional reporting and background information.