Why this threat intelligence expert believes cyberattacks aren’t Ukraine’s biggest concern
In recent weeks, cybersecurity and intelligence agencies in the United States, the United Kingdom, Canada and elsewhere have been issuing warnings about potential cyberattacks linked to Russia, which has been massing military forces on the Ukrainian border. Late last month, The New York Times reported that the U.S. and Britain have gone so far as to dispatch cyberwarfare experts to Ukraine to thwart possible attacks on critical infrastructure.
Dmitri Alperovitch, the former chief technology officer of CrowdStrike who co-founded the now $38 billion cybersecurity giant in 2011, says that while a Russian attack on Ukraine is almost certain, cyber will only play a supporting role.
“Don’t overplay the importance of cyber in this conflict,” said Alperovitch, who currently serves as chairman of the nonprofit Silverado Policy Accelerator and founder of the Alperovitch Institute for Cybersecurity Studies at Johns Hopkins University. “It will have a role, it does in every modern conflict, but it’s not going to be the main capability.”
Alperovitch, who was born in Moscow and is no stranger to Ukrainian politics, talked to The Record this week about Russia’s recent arrest of REvil hackers, the defacement of Ukrainian websites in the region, and what a potential invasion might look like. The conversation below has been lightly edited for clarity:
The Record: What do you think the likelihood of invasion is right now?
Dmitri Alperovitch: I think it’s extraordinarily likely — 95% likely that it is going to come in the next two to three weeks. I was at about 70% in mid-December, and that has been growing steadily because diplomatic efforts have blown up and there have been increasing military deployments and other events on the ground. Just last night, the Russians started evacuating the embassy in Kyiv and consulates, and they deployed forces in Belarus, which was a major sign that I was looking for. Everything seems aligned for invasion.
TR: You say 95%, which means you think there’s still a 5% chance that this could be avoided. What do you think would need to happen for that outcome?
DA: Honestly, I don't think that there's a lot that we could do, that we're willing to do. If we were to give ironclad promises, guarantees of NATO not expanding to former Soviet republics, that probably would stave off invasion, but we're not willing to do so. And I don't think that even at present if Biden wanted to give such guarantees he has the ability to get them through the Senate and get allies to agree.
The 5%, there's always something unpredictable that could happen. You could have the Zelensky government fall in Ukraine—that might give Putin pause, and make him think of different ways to accomplish his objectives. But besides something unpredictable right now, I don’t think there’s a lot that we could do to forestall it.
TR: What do you think an invasion would look like? What role will cyberattacks play?
DA: It’s definitely not going to be all cyber. Cyber will at best play a supporting role in the conflict. For Putin to accomplish his objective, which is imposing his will on Kyiv, he certainly can’t do that with cyber and he can’t do that with artillery and airstrikes — he needs to do that with ground forces. I believe that they're going to invade Eastern Ukraine with an encirclement campaign going from the north from Kursk down into Kharkiv. They're going to invade from the west from Belarus. They're going to go from the east as well from the Rostov-on-Don, and from the south up from Crimea, essentially trying to encircle the Ukrainian forces and destroy them first through long range fires—through artillery, missiles, airstrikes—and then through an actual ground operation. They’ll try to get, in my view, to the Dnieper River, which kind of divides Ukraine into west and east. I don't see them crossing significantly to the west — I don't think that that's going to be a top priority for them, it presents a lot of dangers.
Now, cyber will play a role here. Mostly, I think, in very tactical scenarios of trying to facilitate intelligence collection that is useful for military operations. Potentially some disruptive operations against key military objectives that they can reach through cyber, but they'll be fairly limited. Potentially psyops campaigns to mislead the Ukrainian public that resistance is futile, whether it's going to be successful or not remains to be seen. They may try attacks in the financial sector, potentially making it difficult for people to get access to the banking sector. They may try to take down TV stations, to make it harder for the government to communicate with the people, things of that nature.
TR: Do you think recent events, like the REvil arrests and defacement campaigns, are a distraction?
DA: I think they're very different. With the REvil arrests, these ransomware operators are pawns for the Russian government, who they're willing to sacrifice for a broader strategic goal. And I've always believed that. I don't think that they cared a whole lot about these people, but they weren't willing to give the US a win in terms of shutting them down until they actually thought that they could get something for it. I think what they're getting for it right now is a message to the US that we can indeed take action, and we're willing to take action against these ransomware actors that you care so much about—but don't expect that type of cooperation if you retaliate significantly in response to our invasion of Ukraine. And by the way, I fully expect that if there are severe sanctions put in place on the Russian economy, that those people will suddenly, miraculously, find themselves freed and maybe even proclamations made about how the intelligence that US provided was faulty, and we unfortunately fell for it and arrested innocent Russians by trusting the treacherous United States. It's quite possible that something like that will happen.
Now, on the defacements, they are pretty basic attacks. Even the wiper attack didn't seem to have been very effective or inflict significant damage. They're sort of all designed to keep the Ukrainians on their toes, make them feel like they're on their own and no one is going to come to their help, and they're going to be attacked from all sides when the attack actually launches.
TR: What do you make of the timing of the REvil arrests? Is it possible that they were made to discredit US intelligence, which pinned the Colonial Pipeline attack on DarkSide?
DA: I think since they said they were acting on this information, and that the information seems to be good—I don't think it was designed to discredit. I think it just shows you that the affiliates that are involved in these ransomware groups often work for multiple groups, including DarkSide and REvil.
TR: Are there any takeaways from who was involved in the arrests?
DA: We don't have much information, their names are not fully out and the details behind their roles are not out either. It’s just too early to say.
TR: Just videos of them in their underwear getting arrested.
DA: And lots of money.
TR: Do you think moves like taking people out of embassies could just be mind games? Putin has been known to play tricks like this in the past, right?
DA: There are some people that think that all of this is a bluff—the military mobilization, the exercises in Belarus, the cyber stuff, people leaving the embassies. My problem with that thinking is that if it's a bluff, then you'd expect that the Russians would want to keep negotiating and keep asking for something that is realistic.
TR: Is Ukraine in a better position to defend itself from cyberattacks than it has been in the past, or is it a sitting duck?
DA: Yes and yes. Is it better? Absolutely, they’ve come a long way in building up their security. But in the scenario of a war breaking out, you’ve got air bombings, you've got artillery, you've got ground troops invading, you've got likely bombings of power stations to turn off the lights. Doing incident response under those scenarios is not going to be easy for anyone. They’re just not going to have the ability to respond and withstand an onslaught either kinetic or cyber.
TR: So to the people warning about power grid cyberattacks, you’d say the bigger issue is if critical infrastructure gets bombed.
DA: Actually, I don’t think there’s going to be a significant cyberattack on the power grid. Maybe just in the first hours before they start air strikes. But if they want to turn off the power, they have other ways to do it. Cyber is mostly going to be psychological…
Don’t overplay the importance of cyber in this conflict. It will have a role, it does in every modern conflict, but it’s not going to be the main capability.
Adam Janofsky is the founding editor-in-chief of The Record by Recorded Future. He previously was the cybersecurity and privacy reporter for Protocol, and prior to that covered cybersecurity, AI, and other emerging technology for The Wall Street Journal.