Cyberwarfare Targets Ukraine’s Payment Infrastructure
Ph.D. in U.S. History, Columbia University in the City of New York
Post-Doctoral Researcher in Global Correspondent Banking, 1870-2000 – Mexico and South America, University of Oxford
This post is also available in:
In recent years, state-sponsored hackers have attacked computer systems worldwide, including the cashMoney in physical form such as banknotes and coins. More and banking infrastructure. A Carnegie Endowment timeline of cyberattacks on financial infrastructure includes 13 cyber-incidents targeting ATMs between 2007 and 2021, 7 with nonstate actors (since 2008) and six events with state-sponsored actors (since 2013).
On January 16, amid tensions between Russia and the West on Ukraine, a cyberattack crippled Ukrainian computer systems. Computers showed the message “Be afraid and expect the worst” and demanded a ransom paymentA transfer of funds which discharges an obligation on the part of a payer vis-à-vis a payee. More.
- Shortly after, British and U.S. authorities warned that their countries’ private and state-run networks could be next.
- The Biden government tasked Anne Neuberger (the White House’s top cybersecurity official) to prepare NATO for Russian cyberattacks against Ukraine and Europe.
- On February 8, the National Bank of Ukraine (NBU) joined the international Task Force on Computer Security Incident Response Teams (TF-CSIRT) to combat and respond to cyber incidents.
Dmitri Alperovitch, co-founder and former chief technology officer of cybersecurity firm CrowdStrike, aptly describes the threat in Foreign Affairs:
Russia could conduct psychological operations to sow confusion and doubt among the Ukrainian population, thereby eroding the public’s will to resist Russian aggression. Moscow could launch a cyberattack against Kyiv’s power grid, for instance, leaving millions of people without heat or electricity in the dead of Ukraine’s brutally cold winter. Or it could attack Ukraine’s financial system and make it difficult for civilians to buy groceries with a credit card or withdraw cash from an ATM.
The Next Frontier: Cyberwarfare
Russia is not alone in developing cyberweapons and engaging in cyberattacks. For years, several countries, including North Korea, Iran, China, Israel, and the United States, have expanded their cyberwarfare capabilities, probing each other’s vulnerabilities.
Experts believe Israel and the United States developed the Stuxnet virus that destroyed Iran’s uranium centrifuge in 2010, although neither took credit for the attack. According to Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers, by Andy Greenberg, had the Stuxnet virus failed, a more powerful cyberweapon called Nitro Zeus would have targeted the Iranian power grid, communications systems, and air defences.
In her review of Sandworm, Sue Halpern aptly describes how a cyberattack targeting critical infrastructure might cause devastating damage:
Had it been deployed, Nitro Zeus could have crippled the entire country with a cascading series of catastrophes: hospitals could not have been able to function, banks could have been shuttered and ATMs could have ceased to work, transportation could have come to a standstill. Without moneyFrom the Latin word moneta, nickname that was given by Romans to the goddess Juno because there was a minting workshop next to her temple. Money is any item that is generally accepted as payment for goods and services and repayment of debts, such as taxes, in a particular region, country or socio-economic context. Its onset dates back to the origins of humanity and its physical representation has taken on very varied forms until the appearance of metal coins. The banknote, a typical representati... More, people might not have been able to buy food. Without a functioning supply chain, there would have been no food to buy. The many disaster scenarios that could have followed are not hard to imagine and can be summed up in just a few words: people would have died.
In August 2021, experts tasked by the United Nations advised member-states to secure the information and communications technology in critical infrastructure sectors such as “health care, […] energy, power generation, water and sanitation, education, commercial and financial services, transportation, telecommunications, and electoral processes.”
The Estonia 2007 attack
In 2007, after officials in Tallinn relocated a memorial to the Soviet Red Army, a cyberattack crippled Estonia’s business and government computer systems for 22 days. Attackers shut down the network of Hansabank, Estonia’s biggest bank, causing losses of $1 million. The BBC reported that “cash machines and online banking services were sporadically out of action.” Estonian officers suspected Russia was behind the attack but could not identify the culprits.
“If let’s say an airport or bank or state infrastructure is attacked by a missile it’s clear war, but if the same result is done by computers, then what do you call it? Is it a state of war? Those questions must be addressed,” said Madis Mikko, a spokesman at the Estonian Defense Ministry.
The NotPetya 2017 Attack on Ukraine
On June 27, 2017, hackers attacked Ukrainian computer systems with the malware NotPetya, in what Wired magazine called “the most devastating cyberattack in history.” The cyberattack targeted the popular and mandatory M.E.Doc tax preparation software, crippling private and state-run computer networks with a fake ransomware attack a day before a holiday celebrating Ukraine’s constitution.
The attack caused widespread collateral damage worldwide, hitting companies such as a FedEx subsidiary, the pharmaceutical company Merck, and the Danish container-shipping company A.P. Moller-Maersk, among others.
“If I had to guess, I would think this was done to send a political message […] You don’t hit the day before Constitution Day for no reason,” said Craig Williams, senior technical researcher at the Talos security division of Cisco, a computer networking firm.
NotPetya Shuts Down the Payments Infrastructure
The NotPetya attack hit government agencies, telecommunication companies, public utilities, and more than 22 banks, including the country’s central bank. NotPetya targeted banks’ servers and workstations, ATM control systems, SWIFT transfers, payment gateways and card processors.
- The “most massive computer attack in the history of Ukraine” sought to paralyze the country’s economy and was only “masked as an effort to extort money from computer users,” according to Anton Gerashenko, a member of Parliament.
- “This attack [was] about disabling how large companies and government can operate. You get a double whammy of the initial cyber attack and then organizations being forced to shut down their operations,” said Brian Lord, former deputy director for intelligence and computer operations at the British Government Communications Headquarters.
Delay and Obfuscate
According to experts, Russian-backed hackers might be using fake ransomware attacks to hide their true intentions: destroying data or crippling computer systems managing critical infrastructure.
- “You can be pretty sure what we saw was state activity, using the false flag of criminal activity. They wanted it to have this broad impact on critical infrastructure in Ukraine and make it look like it was a criminal thing that went awry,” said Jim Richberg, a vice-president at security firm Fortinet.
- The Sandworm hacking unit linked to the Russian military agency (G.R.U.) has been developing “more sophisticated means of critical infrastructure attack. They also perfected the fake ransomware attack. They were doing this before NotPetya (in 2017), and they tried many times after,” said John Hultquist, a cyberintelligence analyst at Mandiant, a security firm.
This post is also available in: