Russia plans to conduct “massive cyberattacks” on Ukraine and its allies’ critical infrastructure and energy sector, according to Kyiv.
“The occupiers are preparing massive cyber attacks on critical infrastructure facilities of Ukraine and its allies,” according to a statement from Ukraine’s Defense Ministry issued on Monday.
“The Kremlin plans to carry out massive cyberattacks on critical infrastructure facilities of Ukrainian enterprises and critical infrastructure institutions of Ukraine’s allies. First of all, the blow will be aimed at enterprises of the energy sector. The experience of cyberattacks on Ukraine’s energy systems in 2015 and 2016 will be used when conducting operations.”
These earlier attacks, attributed to Russia’s GRU cybergoons, used BlackEnergy (2015) and Industroyer (2016) malware to disrupt Ukrainian power supplies and industrial output.
Last month, in a surprise visit to Black Hat, Ukraine’s lead cybersecurity official Victor Zhora said his country’s threat intelligence team uncovered “Industroyer2,” an apparent successor to the malware from the 2016 cyberattack.
In addition to launching cyberattacks on Ukrainian energy facilities, “the Kremlin also intends to increase the intensity of DDoS attacks on the critical infrastructure of Ukraine’s closest allies, primarily Poland and the Baltic states,” the Defense Ministry warned.
Distributed denial of service (DDoS) attacks against Ukraine and its friends have been a favorite Russian tactic since even before the physical, illegal invasion began, with these network traffic floods hitting an all-time high during the first quarter of 2022.
The latest cyberthreats come as Russian President Vladimir Putin drafts upwards of 300,000 military reservists while Ukraine reclaimed territory in the east and south in a surprise counteroffensive that started in August.
Putin has also threatened to use nuclear weapons amid the Russian military setbacks, though cyberattacks may be the safer option for the Kremlin, according to Google’s Mandiant threat intel team.
“Russia is under enormous pressure, and cyber attacks may give them a means to respond without risking serious military consequences,” John Hultquist, VP of intelligence analysis at Mandiant, told The Register.
“Many of the disruptive and destructive cyber attacks we have seen thus far have been disrupted, isolated, or largely limited to Ukraine, where there is intense focus,” he explained.
“With a few exceptions we have not seen the scaled, serious attacks we expected even before the war began. There is still significant room for Russia to escalate, especially in regard to Ukraine’s allies.”
To date, Russia’s cyberattacks outside of Ukraine “have been very restrained,” Hultquist added.
That restraint comes despite repeated alerts from CISA and other Five Eyes nations’ cybersecurity agencies urging critical infrastructure owners and operators to be ready for attacks by crews backed by – or sympathetic to – Moscow amid strong Western opposition to Russia’s invasion of Ukraine.
Mandiant last Friday published research about hacktivist groups coordinating their operations with GRU-sponsored cyber threat actors.
When asked if the Google-owned security biz’s team had observed any recent activity indicating planned cyberattacks against Western infrastructure and corporations, Hultquist told The Register: “We have not independently identified any specific threat to organizations outside of Ukraine, but these actors have a long history of staying below the radar.” ®