Dennis Underwood
Published on
July 15, 2022

Russian oil and gas set afire in cyber attacks - how is NATO affected?

Russian oil and gas have been set afire in cyberattacks, but, how is NATO affected by this?

On March 23, 2022, I published the article (here) titled, "There will be no 'digital Pearl Harbor'". The idea is that a cyberattack on NATO critical infrastructure that would cause Hollywood-style explosions would create a swell of public pressure and NATO member unity in attacking Russia. It is much more likely that attacks from Putin will be economically punitive in nature, and against businesses. The goal will be to hurt the quality of life in a manner that causes hesitation, disagreement, and confusion between citizens, their respective governments, and between NATO Member countries.

I'd like to use a quote heard in many alcohol-infused parties across the world, before doing something dangerous and sometimes spectacular.

The Ukrainian military has shocked many with its resilience and effectiveness against the Russian armies. Not to be outshone, GURMO (the Ukrainian Main Directorate of Intelligence, at the Ministry of Defense), after gaining access to Gazprom's (Russian oil and gas industry) network, said, "Hold my beer."

No alt text provided for this image

GURMO computer network operations (CNO) professionals ("state-sponsored hackers") used their access to Gazprom to set 2 pipelines on fire.

It appears GURMO may have the access required to do a great deal more damage. Those decisions are not merely technical ("can we?"), but there should be a variety of political and great military strategy decisions that influence what happens next there.

Let's pause for a second, and make sure we focus this article on the changes to risk assessment and management for NATO members and leave any assessment of what GURMO should or should not do to some other article. Also, though I'm sure our analysis here may be easily extended to non-NATO critical infrastructure, let's simplify our references to only NATO.

A Quick Word on Attribution

Attribution is an inexact science, even without criminals or governments trying to direct threat intelligence professionals to the wrong perpetrator. If any evidence appears suggesting it was not just GURMO doing the attack (say, US-based "vigilante hackers" were involved), that potentially dramatically changes this thesis, and I'll write another article.

The "not" evolving cyber-attack risk in Ukraine

Let's say it was just GURMO for now, and that Russia intends to retaliate only against Ukraine. In the past few weeks, we've seen the disjointed kinetic (aka, bullets and bombs) coordination within Russia's military operations. Military folks call that topic combined arms, and really forward-leaning folks would include cyber attacks in the mix with airpower, naval power, tanks, etc. With the poor coordination in military strategy, we may see independent (not well coordinated) kinetic and cyber attacks against Ukrainian critical infrastructure. Targets will be infrastructure that Russia wants to destroy, due to an inability for them to seize control, a lack of desire to do so, or both.

The big question, then, is what would change between Ukraine and Russia? My prediction is just a temporary shift in wording by Russia, attributing Russian bombs or cyber attacks to the Gazprom attacks during press conferences. "Look what you made me do" type behavior from Russia, to describe what already had been occurring. Unlike the sometimes rapidly changing kinetic military front, the cyber attack realized risk appears largely static. Not good, but static.

The evolving cyber-attack risk to NATO

For NATO, there is a tactical risk and a more long-term one. The long-term is easy to describe - we are seeing the continued normalization of critical infrastructure being attacked, with the goal of physical facility destruction. The various attacks between Russia and Ukraine are simply more examples. The truth of the matter is that this has been going on for quite some time, and will continue to get worse. I don't think we're at the plot of Jericho just yet, but the increasing regularity of the use of cyberattacks like this lends these attacks to be expected, not novel. How much press did Stuxnet create, compared to the recent attacks, outside of cybersecurity circles?

The tactical risk to NATO is much more serious, though, due to sloppy targeting Russia has displayed in their cyber operations.

Onto the here and now. In every combat theater, there is risk of the combat drawing in bordering territories and countries. History is full of "leaks" across political boundaries. Inaccurate targeting by Russia exacerbates the risk of drawing NATO members into the fight. Arguably that's a greater risk than a formal attack against NATO. Back to the "no digital Pearl Harbor" argument - a disaster occurring near Tallinn, caused by an improperly-targeted critical infrastructure attack by Russia, is a much different emotional scenario than Russian tanks rolling west from Belarus on the way to Warsaw.

What concrete, recent evidence do I have to back up my assertion? First, the satellite hack that occurred disrupted a variety of Internet users beyond Ukraine's border. Without getting into details, there are very accurate ways of geolocating users of commercial satellite Internet terminals (often called vsat modems). Accuracy can go from "GPS coordinates" to the town or region. Victims stretched from Ukraine to France. That's simply improper targeting, given the available capabilities, if the target was indeed Ukraine instead of "a random sampling of European Internet users."

The second piece of evidence is a bit more circumstantial, but I'm using it because history is full of odd coincidences that have big effects on the world. In this example, we see a Soviet-era "suicide drone" (drone with a bomb on it), which flew over NATO borders from Ukraine, over Romania, and over Hungary, before crashing into the Jarun district of Zagreb, Croatia.

No alt text provided for this image

The route for the drone is entered in advance before it is launched. There is a Yuran' in Ukraine, and there is a Jarun in Croatia. Since most readers here are English speaking, go ahead and search for "Ярунь, Zhytomyr Oblast, Ukraine", and "Ярун, Zagreb, Croatia" in Google Maps. Do you notice how close those are to Cyrillic? This news article picked up on the language association as well.

Now, we are normalizing targeting mistakes in destructive cyber attacks.

The point here is that "mischance" (an unhappy antonym to "serendipity"), should not be discounted or minimized. If the drone really was designed for Yuran, Ukraine - it would have been a data entry problem. A targeting data entry error creates plausible deniability of maliciousness, which brings us right back to the original reasoning behind our, "no digital Pearl Harbor" thesis. Confusion will reign, not obviously malicious, simultaneous explosions across 25 cities.

In Summary

Which brings us to the thesis of the argument. We are limiting arguments here to Ukraine being the source of the cyberattack against NATO, and that Putin will not respond to the critical infrastructure attacks from Ukraine, with retaliation in kind against NATO. This risk is twofold - first that we're increasingly normalizing these types of attacks, and second is that we're normalizing sloppy targeting that includes NATO member critical infrastructure.

We should expect this engineered chaos to be leveraged by Russia, and plan for possible attacks against the business-side of critical infrastructure.

I, personally, think the attacks (arguably counter-attacks) by GURMO elevate the risk to NATO of destructive cyberattacks on critical infrastructure. Not because there is a direct correlation, but because this type of attack is now aligning more closely to the psychological operations shrouding Russian military operations over the past several years. Russia is a master of psychological warfare. We should expect this engineered chaos to be leveraged by Russia, and plan for possible attacks against the business side of critical infrastructure. These attacks are non-obvious targets from a military reaction standpoint, that would have a dramatic effect on NATO's quality of life.

About the author
Dennis Underwood

Dennis Underwood is a veteran, cybersecurity leader, inventor, and entrepreneur with over 20 years of experience. He is an expert at cryptography, intrusion discovery and analysis, having discovered multiple previously unreported intrusions to clients throughout his career. Currently, he is leading a team of like-minded experts delivering next generation intrusion discovery and ransomware response automation tools to consumers.

Start a free trial today

Sign up for Cyber Crucible today to protect your system against ransomware extortion.

Create an account