“Consequences you’ve never experienced before.” This is what Vladimir Putin threatens the countries that oppose him. The statement has not escaped cyber experts who are familiar with the Kremlin’s nuisance capabilities. The risk that Russia will launch cyberattacks against a country like France is “to be taken seriously, given the nature of the conflict and the very strong deterioration of our relations with this country”, confirms Julien Nocetti, associate researcher at the French Institute of International Relations.
In a “digital space without borders”, cyberattacks targeting Ukraine can also spread to other countries, notes the National Agency for Information Systems Security (Anssi). On February 26, Anssi therefore called for increased vigilance. Because while attackers are sometimes content to saturate a website or alter its appearance, there are more dangerous programs that encrypt a company’s data or erase it. Some are capable of contaminating tens of thousands of computers in an hour. Affected companies take weeks to recover. With the risk of not recovering from it if data recovery is impossible or takes too long.
A “secret defense” list of strategic operators
The reassuring point is that France has put in place many safety nets. In particular, the State has understood the need to protect activities of vital importance: it has drawn up a classified “defence secret” list of around 250 strategic operators, spread over 12 sectors such as health, food, water, energy, military activities or transport.
In 2014, a law also required them to take specific precautions. “These operators have isolated their critical systems so that they are not taken away in the event of a cyberattack”, explains Gérôme Billois, Wavestone’s cybersecurity expert. This does not mean, of course, that they would work perfectly, “but a minimum service guaranteeing the safety of people and goods would be ensured”.
The French State also has substantial teams dedicated to cybersecurity. First, a defensive component with, in the center, Anssi, which employs 600 people. It raises the awareness of private and public entities in France on the protective measures to be put in place and sets the rules that operators of vital importance must respect.
“It also regularly analyzes the French Internet, to check that there are no attacks in progress or visible vulnerabilities that hackers could exploit”, explains Wandrille Krafft, cybersecurity engineer at Lexfo. There are also experts on these subjects in the police, gendarmerie and justice services: they are the ones who work on cybercrimes and offences.
3,400 cyber fighters and hundreds of companies
The Ministry of the Armed Forces is bringing together sizeable forces, in particular the Cyber Defense Command (Comcyber) and its 3,400 “cyber combatants” – there should be 5,000 by 2025. Teams whose mission is to protect the information systems of the Ministry of the Armed Forces and to conduct military cyber defense operations. “They can, for example, help operations of the Barkhane type, by ensuring the security of the systems that the forces use in the field”, specifies Gérôme Billois.
These state poles are not the only dams against the cyber threat. France also has a dynamic private ecosystem in the field. “There are around 600 companies and tens of thousands of employees in the sector,” says the Wavestone expert. A label awarded after an audit by Anssi makes it possible to distinguish the safest service providers in this ultra-sensitive area.
All these layers of protection, France has been fine-tuning them for about ten years. Because the threat is not new. Cybercriminals looking for companies to ransom have become very professional, in particular by structuring themselves around operators who design malware and make it available to them, in exchange for a commission on their future earnings.
Current tensions between Russia and countries that condemn its war however, increase the risks. Operators of vital importance are watched like milk on fire. And the financial sector is on high alert. With European sanctions targeting Russia in the wallet, Moscow might be tempted to respond at this level. The French media would also be a symbolic target, at a time when RT and Sputnik were unplugged.
Computers falling like dominoes
The most exposed French companies, however, are those with sites in Ukraine: the country is targeted by a wave of cyberattacks, or infected machines there could transmit malicious files to other branches of a company.
“In 2017, we saw the serious consequences,” recalls the Wavestone cybersecurity expert. The NotPetya malware, which targeted Ukraine, had indeed contaminated the computers of the local branches of many foreign companies (Saint-Gobain, Merck, Fedex, etc.). “But as the machines often communicate with offices located in other countries, in particular the headquarters, NotPetya was able to spread all over the world”, explains Gérôme Billois. Loss report? Ten billion dollars…
Faced with current tensions, Anssi has listed several “priority cyber preventive measures”. The most obvious? Secure access to highly exposed accounts (administrator, management) by imposing, for example, in addition to a password, the use of a card or the entry of an SMS code. “You also have to check your detection capabilities by testing them,” advises Arnaud Le Men, CEO of Erium.
Anssi also recommends backing up its critical data and applications to locations disconnected from the Internet (external hard drives, magnetic tapes). And suggests that companies using Russian security software such as Kaspersky antivirus consider other “mid-term” options. The idea is not to deactivate them without a fallback solution, but, according to Anssi, the isolation of Moscow could gradually affect the ability of these publishers to provide the updates so essential to the proper functioning of the product.
Bisbill among Russian-speaking hackers
Of course, whatever defenses are established, one must also be prepared to deal with an attack that pierces them. The first decision to be made is often to disconnect the systems. “It’s war medicine, but it prevents the situation from escalating,” says Gérôme Billois. Then comes the time of the investigation to identify the areas spared which can be restarted, then that of the reconstruction.
A reassuring point in this tense context is that Russian cyber forces may not be so easy to mobilize. Alongside state services that are experts in the subject, Russia also relies on a pool of cybercriminal groups that it has allowed to thrive on its soil. But affiliates of these groups come from all walks of life and may have widely differing political views. Some of the Russian-speaking cybercriminals have thus indicated that they do not want to position themselves in this conflict, underlines Anssi. Others have even revealed that they “wish and be able to target Russian critical infrastructure”.
As for the cybercriminal group Conti, which officially gave its full support to the Kremlin, it paid the price. A few days later, a Ukrainian security researcher who had managed to infiltrate him published a host of internal documents giving information on his modus operandi. A fairly unprecedented data leak in a sector that usually knows how to protect its secrets very well.