Gerôme Billois, cybersecurity expert at the consulting firm Wavestone, analyzes for franceinfo the risks associated with digital attacks after the Russian military invasion of Ukraine.
Before the invasion, paralyzed computer networks. While the international community feared a Russian attack on its neighbor, the sites of several Ukrainian banks and ministries, including that of Foreign Affairs, were targeted by a cyberattack on Wednesday afternoon, February 23, making them inaccessible.
>> Threats to Kiev, capture of Chernobyl… Follow the evolution of Russian forces in Ukraine in our live
Beyond the Ukrainian targets, Kiev's Western allies now fear that Russian computer attacks will target other countries, in particular the states that have voted for sanctions against Russia. What to fear? Is it possible to protect yourself? To see more clearly, franceinfo interviewed Gérôme Billois, cybersecurity expert at the consulting firm Wavestone.
Franceinfo: Which structures have recently been targeted by Russian cyberattacks? How are they targeted?
Gérôme Billois: There are two main types of different cyberattacks. The first, of medium intensity, are attacks by distributed denial of service (DDoS, for Distributed Denial of Service). They consist of saturating requests from websites so that they are no longer accessible, with the aim of worrying users. The targets are often government or media sites. Fortunately, we recover very easily: as soon as the requests stop soliciting the site, it generally becomes accessible again in a few minutes.
The second type of attacks is much more problematic. These are destructive attacks, called wiper (from the verb wipe, "to erase" in English), which will delete the content of the targeted computers before blocking them. You then have to reinstall everything before you can reuse these machines, which becomes very annoying when hundreds, even thousands of computers are affected. Typically, affected organizations take two to three weeks to recover. This was observed when Ukraine was first targeted in 2017.
What are the means used to launch these two types of attack?
To carry out a denial of service attack, it is necessary either to take control of machines equipped with a large bandwidth, or to remotely control thousands, or even millions of computers (we then speak of zombies), to make them launch requests to the target repeatedly, until the targeted site is completely saturated.
Instead, the wiper uses a form of virus. The attacker must first break through the defenses of the targeted organization (for example by sending booby-trapped e-mails, or by exploiting a flaw in a site that has not been updated), before taking the controls computers to install its malware. The attacker then only has to wait for the moment of his choice to activate his software and lock everything down simultaneously.
Can Western countries currently sanctioning Moscow after the invasion in Ukraine expect to be targeted by such cyberattacks?
It is indeed a fear. At present, there are some overflows of these cyberattacks in countries such as Latvia and Slovakia, but it seems that the victims are directly linked to the Ukrainian structures targeted. We can hypothesize that these are collateral victims, linked to the interconnection of certain systems.
Russia is in any case fully capable of retaliating against Western sanctions in the digital field. In this matter, attackers rarely attack in the open, but previous cases have often involved Russian intelligence, either directly or indirectly.
How is it possible to protect oneself from this type of offensive?
In the event of an emergency, the protection systems must be checked quickly: are the filters (firewall type) in place? Are the virus detection systems correctly positioned? Have security backups been recently performed and tested? It is also necessary to have personnel capable, 24 hours a day, seven days a week, of detecting whether attacks are in progress and reacting to them if necessary, for example by disconnecting part of the network or closing certain systems. .