Developing herd immunity against Russian malware

Nick Felker
Published in Block Magnates, 3 min read, Apr 24, 2022

On February 24th, Russia launched an unprovoked attack against Ukraine. In addition to a direct military invasion and assault, it was widely expected they would use cyberattacks against critical infrastructure in order to claim a fast victory.

While they have been engaging in cyberwarfare, it hasn’t been as consequential as predicted. One attack against the Ukrainian power grid was unsuccessful. The FBI recently announced they disrupted a Russian botnet before it could be used in an attack.

How did we get to this point, where both Russia’s infantry and cyberoperations have stalled? It reminds me of a meme I saw long ago.

What if there is some truth to this myth? Let me explore this idea in a little more detail.

Sandworm

Two years ago I read a book, “Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers”. In it, the author describes an escalating series of attacks which started in 2014. Russia had triggered blackouts by striking at Ukrainian power plants, creating cascading consequences. Later, in 2017, the NotPetya ransomware spread and infected American companies.

Ransomware has continued to be a problem around the world, even as cybersecurity has become a critical concern. After the Colonial Pipeline hack, the White House made cybersecurity a priority.

Are computers like humans? No. And yet as we take a broader view we are able to see some interesting macro-similarities.

Humans, much like computers on a network, interact in a large web of connections. When a human with COVID-19 interacts with another, there’s a chance that they too get sick. Similarly, when a malicious computer interacts with another computer, there is a chance that computer becomes infected.

For many years Russian-sponsored malware has spread across computers on the network. Mitigation started slowly, with cybersecurity professionals working hard to defend their turf. Once an organization has been hacked, it tends to put more resources into securing against a future incident. It would’ve been better had the resources been there ahead of time, but at least going forward there’s greater assurance.

Have we reached a sort of herd immunity, where so many networks have been infected and now reinforced that Russian attacks are not effective?

Digital Antibodies

Consider the power grid attack. The cybersecurity firm ESET called the malware Industroyer2, a sequel to the original Industroyer malware which was used six years ago. As Ukrainian networks had already seen this used once before, it was possible to catch it a second time and neutralize it before it could act.

Anticipating attacks on communication systems, Starlink provided its service to Ukraine in order to provide a secondary form of communication. When it faced jamming, Starlink engineers were able to get around it.

Speak softly and carry a big stick

With eight years of similar attacks being carried out, the world had a fair amount of experience with Russia’s capabilities. This appears to have been a mistake on their part, as they have shown their full hand. We know what to expect and how to defend against it.

When large organizations such as the FBI are able to disrupt malware before it strikes, that protects downstream companies and civilians who may have less protection. Security flaws are being fixed faster than ever, improving the entire network.

But now Russia is beginning to see itself under threat, with DDoSecrets leaking massive amounts of Russian emails. These organizations, which have never been on the offensive, have capabilities that are unknown and thus harder to stop.

What’s next?

As the war continues, it’s getting harder to look at Russia’s military with worry. Not only have their cyber operations stalled, but their weapons industry has stalled too.

I wonder what would’ve happened if the last eight years didn’t happen. A sort of digital blitzkrieg would’ve caught Ukraine completely off-guard. Ransomware striking allies and logistics networks would’ve made it impossible to organize an effective counter. The world could’ve been in the dark due to a communications blackout until Russian invaders turned the lights on.

That didn’t happen. Because we knew what to expect, because we knew Russia would invade, we were in a sense inoculated. We used our previous experience towards a more effective counter. It’s an interesting type of emergent phenomenon.

Things aren’t great, and I don’t want to diminish real threats. But it could’ve been worse, much worse, and it wasn’t. By exposing some organizations to somewhat random Russian malware, we have effectively developed herd immunity against it.

Or at the very least we’re on our way to being immune.
