  • Industry News
  • Management, Awareness and Compliance

One year of Ukraine war: Critical infrastructure as a target

The one-year mark of the Russian attack on Ukraine is approaching. The attack was prepared in cyberspace long before the outbreak of war, yet its impact has fallen short of what was feared. Critical infrastructures in particular, however, continue to be the focus of state actors. The German Federal Office for Information Security (BSI) urges particular caution.

One year after the invasion of Ukraine, it is clear that war is also raging in cyberspace. Although the effects have fallen short of initial fears, the German KRITIS sector in particular still has to face special threats. The BSI advises vigilance.

The German BSI takes stock of security incidents in connection with the war in Ukraine and warns against attacks on critical infrastructure (CIP). There was reason for this right at the beginning of the Russian attack.

Only a few days are left until the first anniversary of the Russian invasion of Ukraine. But the war was prepared in cyberspace long before it broke out, initiated in advance by cyber attacks. Just a few minutes after the military attack on Ukraine, Russia shut down the KA-Sat satellite network. This attack was intended to disrupt the Ukrainian military's communications. However, internet services in Germany were also affected. "Der Spiegel" reported on this: "At five o'clock in the morning of the Russian attack, previously unknown attackers activated a faulty update for certain customers of the Viasat service KA-SAT". As a result, more than 3000 wind turbines networked via the satellite provider were no longer accessible.

 

Spy, disrupt, destroy

Cyber attacks by nation states are fundamentally different from typical attacks by cyber criminals with a financial interest. While the actual actors are often the same, state actions are not aimed at capturing money. Rather, their goal is to disrupt, destroy or explore. The responsible hacker groups have massive resources at their disposal for this purpose. The great advantage of hostile actions in cyberspace: they are cheaper and require far fewer human resources than conventional warfare or espionage, for example. Moreover, any distances can be bridged without any problems - even across continents.

 

Attacks on energy sector feared

Shortly before the anniversary of the war of aggression, the BSI warned of attacks on the energy sector: "Due to the existing dependencies on energy imports, the electricity, gas and mineral oil sectors are currently of exceptional relevance. The energy sector is therefore currently a particularly attractive target for cyber attacks." The reason for the updated "Cyber security situation in connection with the Russian attack on Ukraine" is probably the promise of tank deliveries to Ukraine.

Because shortly before, the Federal Office had detected massive DDoS attacks on German institutions. According to the BSI, the targets of the DDoS campaign were websites of airports, the financial sector as well as federal and state administrations. "As a result, some websites of the attacked companies were temporarily unavailable." Fortunately: "The BSI does not have any indications of direct effects on the respective service and, according to the BSI's assessment, these are not to be expected if usual protective measures against DDoS attacks are taken." The BSI again sees Killnet as the culprit: "The attacks were announced by the Russian hacker group Killnet."

Killnet is one of the main Russian players in the cyberwar, among which experts also count the Russian groups Sandworm and SaintBear, aka UNC2589. However, actors who serve anyone who pays them, who are in effect cyber mercenaries, also appear frequently.

 

DDoS protection remains essential

There was no lack of spectacular actions on both sides. Most recently, a Zoom conference of Russian delegates was hacked and the Ukrainian anthem was played. The delegates, who then looked puzzled, frantically tried to turn off their cameras. But the effects of the cyberwar feared by experts largely failed to materialise. One of the main forms of attack remains DDoS attacks, which increased massively shortly after the invasion of Ukraine. "Already since the end of April 2022, the BSI has repeatedly observed Distributed Denial of Service (DDoS) attacks by hacktivists on targets in Germany and internationally," the office writes in its statement. These attacks aim to overload the server at the attacked party and are easy to realise. They can be bought for little money on the darknet. In the meantime, however, they are just as easy to ward off if the appropriate precautions have been taken in advance. In most cases, the internet traffic is routed through a so-called scrubbing centre at the provider's or at special service providers' premises, where the regular data packets are separated from the attack volume and only the former are forwarded to the attacked customer. The BSI has published an overview of certified DDoS mitigation service providers.

The BSI also reports: "In addition, since the beginning of Russia's attack on Ukraine, there have been individual, related security incidents in Germany, which, however, have only had isolated effects." And further: "These were, among other things, collateral damage from cyber activities in the context of the war as well as individual targeted attacks against companies and organisations." All in all, the effects of the cyber war have so far fallen far short of the expected impact. This is probably due not least to increased protective measures in recent years. Cybercrime and IT security have increasingly moved into the awareness of the public and IT managers. But the BSI warns: "The security situation remains dynamic and can change at any time. In particular, the BSI assumes that all critical infrastructure facilities - i.e. facilities that supply the general public - can be potential targets of attacks."

Author: Uwe Sievers
