Analysts and officials are expecting retaliation from Kremlin-linked cyber groups after sanctions were imposed by Boris Johnson and the government announced plans to send extra military support to Ukraine.
The National Cyber Security Centre has already urged British organisations to “bolster their online defences” amid a deterioration in relations between Russia and the West.
This follows several high-profile cyber attacks that have been launched against Ukraine’s government agencies by suspected Russian forces since the beginning of 2022.
It’s now feared the same tactics, in which Ukrainian websites have been defaced or breached by destructive wiper malware, could also be deployed against UK websites if the current crisis further deepens in the weeks to come.
Stefano De Blasi, an analyst at Digital Shadows, which specialises in digital risk protection, said it was “realistically possible that Russia will eventually retaliate against the sanctions recently imposed on them with targeted cyber operations”.
He said distributed denial of service (DDoS) attacks – an attempt to hinder the running of a server or network by overwhelming it with a flood of internet traffic – could be launched against Western organisations, alongside the dissemination of destructive malware.
Digital Shadows, along with other cyber surveillance and protection companies, has detected a rise in attacks against Ukrainian targets in recent weeks.
These include defacement attacks, espionage campaigns, wiper malware deployments, disinformation campaigns, and DDoS operations, Mr De Blasi said.
“Although some of these attacks haven’t been attributed to the Russian Federation, overlapping motivations and goals likely indicate a common origin,” he said.
“These attacks showcase the breadth of offensive operations that the Russian Federation maintains in its toolkit, and it suggests the potential for future attacks targeting Ukraine and its allies if the situation was to escalate.”
On Tuesday, first minister Nicola Sturgeon also warned that the international community must be “vigilant” to retaliatory cyber attacks engineered by the Kremlin and its allies.
“I think that is something that we have to be very vigilant about,” she said. “The discussions I’ve mentioned already about domestic impacts, cyber security is one of those.
“We know, even before the current situation in Ukraine, that Russia was very active around cyber activity.”
Russian state-associated threat groups have consistently used destructive cyber-attacks during military conflicts in the past, Digital Shadows said.
This hybrid warfare approach has become a staple of Russian military doctrine and has been observed during its 2008 conflict with Georgia in Abkhazia and South Ossetia, and against Ukraine since 2014.
In an attempt to combat the spread of Russian disinformation and propaganda, the culture secretary has told Ofcom to review the operation of the Kremlin-backed Russia Today (RT) news channel in the UK.
Writing to the regulator, Nadine Dorries said RT was “demonstrably part of Russia’s global disinformation campaign”.
Labour leader Sir Keir Starmer said RT was president Vladimir Putin’s “personal propaganda tool” and argued there is “no reason why it should be allowed to continue to broadcast in this country.”
Currently, the NCSC said it was not aware of any specific cyber threats to UK organisations in relation to events in and around Ukraine, while Digital Shadows said “given the tense situation in Ukraine, Moscow is likely to focus on the conflict and on establishing financial and political frameworks to lessen the impact of Western sanctions,” rather than pursuing cyber operations.
However, John Hultquist, a vice-president of intelligence analysis at Mandiant, a cyber security consultancy, said there was likely to be an increase in “more aggressive information operations and disruptive cyber attacks within and outside of Ukraine” as the crisis continues.
“Russia’s military intelligence service is the most aggressive of its peers when it comes to cyberattacks and other activity in the sphere,” he added. “We have seen them carry out DDoS attacks on several occasions which they use to harass and undermine institutions.
“It’s also important not to misjudge the purpose of these attacks – the disruption they cause is designed to intimidate and undermine and is not an end in itself. Furthermore, they may be timed or accompanied by other elements to magnify their psychological impact.”