On January 13, 2022, a unique malware was detected on Ukrainian government, IT, and non-profit organizations’ systems. According to the Microsoft Threat Intelligence Center, which raised the alarm, the malware had all the characteristics of ransomware but lacked a ransom recovery mechanism. Instead, the malware was intended to wipe hard drives.
The incident has unsettling echoes of Russia’s 2017 NotPetya attack against Ukraine—an attack that ricocheted through Ukraine’s ministries, the banking sector, and nuclear power plant systems. It used a similar disguise to target systems. In the more recent attack, Microsoft attributes the wiper activities to a non-named state actor, because, among other reasons, the lack of a ransom recovery key is inconsistent with cybercrime activities. It points to a nation state whose primary aim is political rather than financial in nature. Serhiy Demedyuk, deputy secretary of the Ukrainian National Security and Defense Council, has highlighted the similarity of the current malware to malware that had previously been used by Russian actors posing cyber threats.
A separate cyber-attack targeted Ukraine shortly thereafter. On the morning of January 14, Oleg Nikolenko, the spokesperson for the Ukrainian Ministry of Foreign Affairs tweeted that the websites of various ministries were down due to a massive cyber-attack. In total, 70 government agencies were hit. Attackers seem to have compromised a commercial company that had administrator privileges to these defaced websites. In this case, Ukraine’s Ministry of Digital Development said that “all evidence indicates that Russia is behind the attack.” While Russia may have orchestrated the attack, Ukrainian officials blamed a hacker group associated with the Belarusian intelligence agency for carrying out the website-defacement attacks.
Violation of Agreed Norms
In the final report of the2019-2021 UN Open-Ended Working Group, all UN member states—including Russia and Belarus—endorsed a 2015 agreement to honor 11 norms of responsible behavior in cyberspace. These norms are, of course, voluntary non-binding norms, thus clearly not legally binding. However, they still constitute political commitments, and a breach of them could lead to other states condemning these actions and holding states in breach accountable.
If the wiper attack that Microsoft detected in Ukraine can indeed be attributed to a state, it most likely violates norm 13(k) of the 2015 UNGGE report, which indicates that states should not attack other states’ emergency response teams. The wiper attack of January 13 targeted Ukrainian entities that included “government agencies that provide critical executive branch or emergency response functions and an IT firm that manages websites for public and private sector clients, including government agencies whose websites were recently defaced.”
In both the wiper and website defacement attacks, the aggressor state is also most likely in violation of norm 13(f), which holds that states should not intentionally damage or impair the use and operation of critical infrastructure of another state. It is important to note that each country defines what it considers as critical infrastructure. It is still largely unclear what Ukraine considers to be such. The 2017 Law on Basic Principles of Cybersecurity in Ukraine, for instance, does not define the term. But considering that Ukrainian government websites (which stored, among other things, vaccination certificates and electronic passports) were down for several hours and the types of agencies attacked, it is likely that a violation of norm 13(f) took place.
If attribution cannot be clearly proven, but there are indications that both cyber operations originated from Russian and/or Belarusian territory, then Russia and/or Belarus may have to demonstrate that they did not knowingly allow their territory to be used for international malicious cyber activities, which norm 13(c) of the UNGGE report proscribes. Only if they do so will Russia and Belarus demonstrate that they are responsible cyber actors.
Taking Appropriate Action
There are a number of different actions that Ukraine and the international community could and should take in response to these attacks.
One is attributing cyber aggression in a timely and concerted manner. Ukraine, the G7, and other countries that place value in upholding the normative framework of responsible state behavior in cyberspace—as was agreed upon at the United Nations—should form an ad hoc international attribution coalition. This coalition should attribute the cyber operations and condemn these actions in a joint statement. This needs to occur quickly in order to have an impact on the constantly evolving crisis in Ukraine. The attributions could be used to justify further sanctions and would give Ukraine additional international backing in the current conflict.
Another measure is upholding the credibility of norms through condemnation in UN fora. If attributed to Russia and Belarus, the latest cyber-attacks on Ukraine should have repercussions for Moscow and Minsk in the multilateral system, particularly in the UN. Regarding Russia, the current cyber aggressions further undermine its already weak credibility in the UN’s First Committee. There, a Russian-sponsored OEWG 2021-2025 is tasked with, inter alia, continuing the discussion of norms of responsible state behavior and how international law applies to cyberspace. Russia has even been the strongest proponent for a legally-binding instrument on regulating the use of new technology, and attacks like those on Ukraine in January clearly go against such an initiative.
If it can indeed be proven that Russia and Belarus are responsible for the current malicious activities in cyberspace, UN member countries should explicitly state which norms Russia and Belarus violated in this incident, as indicated above. In doing so, they would signal that they respect the framework of responsible state behavior and that the reports are not just a cumulation of empty words. For example, states could raise this issue in their next discussion on norms, rules, and principles at the Second Substantive session of the OEWG 2021-2025, which is due to take place in March and April of this year.
Expanding Cyber Defense Assistance to Ukraine
And there is also cyber defense assistance to Ukraine: The recent defacements of websites and breaches of Ukrainian systems have sown confusion among the public and raised doubts among Ukrainian network defenders about their defense capabilities. If Russia and Belarus are indeed behind the attacks, these actions might aim to show how deeply compromised Ukrainian systems are.
The past has shown how deadly a compromise of systems can be. In the mid-2010s Ukrainian soldiers’ cellphones were hacked by Fancy Bear, a Russian hacking group associated with the Russian military intelligence agency, GRU. Ukrainian soldiers’ geolocation was then used to target them with counter-battery fire.
In light of these threats, cyber-defense assistance to Ukraine needs to be expanded quickly. On January 14, Josep Borrell, the European Union’s High Representative for Foreign Affairs and Security Policy, announced the EU’s willingness to train Ukrainian officers in cyber defense. On January 17, German Foreign Minister Annalena Baerbock visiting Kyiv stated that Germany may support Ukraine to bolster its cyber defense, but remained vague as to what this would mean. One concrete measure could consist of Germany assisting Ukraine, similarly to the way in which the United States had previously done in Ukraine, North Macedonia, and Montenegro. US Cyber Command was deployed to those countries to assist with the fending off of intrusions. This deployment was also of benefit to the US, since it gathered information on advanced threat actors that could also target the US.
The German and EU announcements are welcome but they should be quickly turned into action. The United Kingdom, for example, is deploying instructors and defensive anti-tank missiles to Ukraine to help with its self-defense. The UK’s effort on the ground should be complemented by a strong cyber-defense component. NATO is another example of tangible and clear-cut engagement on the ground. NATO experts are already in Ukraine fending off current attacks against the country. In addition, it was announced this month that Ukraine and NATO will shortly sign an agreement to bolster “cooperation, including Ukrainian access to NATO’s malware information sharing platform.”
Some 100,000 Russian soldiers are concentrated near Ukraine’s borders. In this geopolitical context more cyber intrusions are to be expected. Therefore, it is particularly important that Ukraine, the G7, and other UN member states—which subscribe to the normative framework on responsible behavior in cyberspace negotiated over many years at the United Nations—attribute and condemn the malicious cyber activity that has already occurred in a concerted manner. Germany, the EU and NATO should quickly expedite further cyber defense support to Ukraine. Speed is of the essence. Otherwise, all countermeasures may come too late.
Valentin Weber is a Research Fellow in the German Council on Foreign Relations’ (DGAP) Technology and Global Affairs program.
