The fog of cyberwar
Add Axios as your preferred source to
see more of our stories on Google.
Illustration: Annelise Capossela/Axios
An actual shooting war on the ground makes the business of flagging and blocking cybersecurity threats even more devilishly tricky than usual.
The big picture: With Ukraine fending off Russia's invasion, every new hack — like the recent exploits of the Lapsus$ group — ends up being viewed not only on its own terms but through the lens of that conflict.
- Russia has long been a major actor on the cyber stage, but its Ukraine invasion came with heightened predictions of an extraordinary barrage of cyberattacks — and the warnings have kept up.
- Each time a new incident comes to light, security leaders ask themselves: "Is it Russia? Is it someone who wants us to think it's Russia? Is it just somebody who thinks we might be more vulnerable because we're so busy dealing with Russia?"
Driving the news: Lapsus$, a group that has tried to extort payments from companies like Nvidia and Microsoft, this week claimed to have broken into the systems of Okta, a single sign-on provider with thousands of client companies and hundreds of millions of users.
- That would be big news at any time — even if, as the story has unfolded so far, it's not clear whether the limited access the hackers gained via a third-party customer service provider won them any opportunities for deeper mayhem.
During the Ukraine war, an incident like this carries an extra burden of urgency.
- It could be a setup for a larger Russian operation.
- It could be a deliberate distraction from some other Russian operation.
- It could have nothing at all to do with Russia! So far, in fact, that's where the very limited evidence points.
The latest: Security researchers followed the Lapsus$ trail and believe the group's mastermind is a 16-year-old living at his mother's house near Oxford, U.K., Bloomberg reported Wednesday.
Be smart: That doesn't sound like a Russian operation. Then again, until we know more, it doesn't totally rule it out, either.
In this environment, no incident gets the benefit of the doubt, even when there's no evidence of foul play.
For instance: Apple's cloud-based services have been bouncing off and online for much of this week.
- Apple has so far stayed mum about what's going on, and the odds are that it's a technical snafu of some sort. But in this climate, the public is going to raise suspicions even when the evidence doesn't.
All this puts even more burden on the work of "attribution" — naming the parties responsible for any attack, which security experts typically make a first run at but governments ultimately decide.
- The perpetrators of the massive SolarWinds hack of late 2020 were linked to a Russian government-backed group fairly quickly, and the Biden administration ultimately imposed sanctions.
A cyberattack at the start of the February invasion took out Viasat's KA-SAT, a key satellite system used by the Ukrainian government.
- The incident could plausibly be viewed as part of a Russian cyberoffensive since it served the Kremlin's interests so well, but no one has yet conclusively pointed a finger at Moscow.
All this uncertainty is part of what makes the entire realm of cybersecurity — from outright cyberwarfare to espionage to run-of-the-mill online crime — so challenging.
- It's a world of asymmetrical conflict with a murky battlefield and participants who don't declare their allegiances.
- You have to view every dustup as a potential attack and every actor as a possible enemy.
