By Adam Boileau*
Opinion - The escalating conflict in Ukraine is geographically far from New Zealand, but like many western governments, New Zealand's security services have warned businesses to be ready for impacts to the country's computers and networks.
Cyberattacks on Ukraine attributed to Russia have been ongoing for many years, with reports today of computers being rendered inoperable. Some of these attacks in the past have caused collateral damage to multinational organisations with operations in Ukraine, the most notable being the 2017 crippling of shipping firm Maersk as part of the Russian "NotPetya" attack.
The infamous NotPetya attack targeted users of a very common Ukranian tax filing software, gaining access to nearly any organisation in the country. This was then used to deploy destructive software that would spread around the network it found itself in, and then destroy the data computers, rendering them inoperable.
This attack was triggered on the eve of Ukraine's Constitution Day public holiday when the country honours its independence. It is not clear that Russia expected this attack to propagate from the Ukranian offices of multinationals as effectively as it did, causing disruption as far afield as a Cadbury chocolate factory in Tasmania, and Maersk's operations at the ports of Auckland and Tauranga.
A similar campaign is underway in recent days in Ukraine and the Baltics, albeit with more controlled targeting of companies supporting Ukraine.
The interconnected nature of computer systems and globalised businesses makes it difficult to control the impact of cyberattacks precisely, especially in a fast-moving conflict.
The unconstrained use of hacking in wartime by a nation with top-shelf capability - if it eventuates - is also a new situation, with real uncertainties about how Cold-War era understandings of deterrence and mutually assured destruction apply.
The United States and its allies have also spent many years getting into position to carry out similar attacks on its adversaries, with Biden reportedly offered options in recent days to disrupt Russian rail systems.
It is possible that as a non-violent option cyberattacks are presented to the US leadership as less escalatory, but escalation in the cyber domain is a real unknown. The US has also asserted its willingness to respond to hacking of its infrastructure with real-world military action.
The distinction between civilian and military infrastructure is also increasingly blurred - the Global Positioning System satellite navigation network for example - where a cyber or kinetic attack could have significant consequences to communications, logistics and other civilian use.
It is unlikely that New Zealand or Australia will be direct targets of Russian cyberattacks in response to our political support for Ukraine and NATO, due to our lower geopolitical relevance to Russia.
That said, New Zealand businesses and infrastructure operators should be ready for cyberattacks, and expect disruptions to supply chains and international partners as the conflict escalates. This could be things like: ensuring business continuity plans are ready, threat hunting for specific Russian tradecraft in computer networks, and ensuring that situational awareness is maintained through following trusted sources in industry and government.
The warnings issued by the government and private sector intelligence recognise the heightened level of risk to global systems such as communications, logistics and energy.
There is also a chance that Russian-aligned criminal groups may increase ransomware or cyber extortion of western businesses out of patriotism or economic necessity. If extensive sanctions isolate Russian citizens from the traditional global financial network, the loss of income and ability of digital currencies to circumvent such controls make cybercrime an attractive alternative.
Russian government directed hacking in Ukraine has targeted power, turning off electricity to 250,000 people in 2015, as well wiping the computers of government agencies, bombarding websites with traffic to prevent them being used, and leveraging widely used software to gain access to private sector organisations.
We are highly unlikely to see government ordered hacking in New Zealand, but the less sophisticated attacks overlap with the skills of criminals, as seen with the attacks on Waikato DHB, or the denial of service attacks on NZX stock exchange.
Many businesses have relied on insurance to cover hacking and extortion, but sanctions and war may complicate claiming on existing policies. This could leave the bill with the victim, but at the same time may change the calculus for attackers who have sometimes chosen to attack the insured, because they are more likely to pay.
As a member of the Five Eyes intelligence alliance, and the government's political stance, New Zealand is clear on which side of the conflict it sits. Russian criminals and patriots will take whatever easy targets they can find, and our geographic isolation means little more than a few hundred extra milliseconds of latency on the internet.
*Adam Boileau leads CyberCX's security testing practice in New Zealand. He's been a hacker for 25 years, and is the co-host of the Risky Business security news podcast. For businesses and organisations looking to identify a compromise, the Australian Signals Directorate has some examples of sources and "indicators of compromise" here.