With the war in Ukraine, the risk of a large-scale cyberattack cannot be ruled out. Corinne Henin, a cybersecurity specialist, breaks down the main cyber threats and lines of defence. Analysis.
War is not limited to physical battlefields; cyberspace has its own. But the field is rife with misconceptions. What are the threats? Is France ready? Corinne Henin, cybersecurity expert and consultant to the Montpellier Court of Appeal, tries to demystify the real impact of the war in Ukraine on the Internet.
How does the war in Ukraine materialize in cyberspace?
There is a lot of talk about conflict in cyberspace. It's very much a fantasy. If there really were a conflict that caused a major problem in a state, it would be like a declaration of war. From there, there would be other actions, not just in cyberspace. If tomorrow Russia openly hacked nuclear power plants or the Elysée website, it would be a declaration of war on France. And if they (Russia, editor's note) do it covertly, it doesn't matter.
As long as we are not officially at war, we should not expect large-scale attacks. Even if tomorrow we were at war with Russia, it would necessarily be easier for the Russians to send a commando unit to try to infiltrate a drinking water plant and pour in the chemicals themselves than to try to hack the system. It's easier to cut the transatlantic Internet cable than to try to hack routers.
Does Russia have specialized hacker teams?
We have always had grand ideas about Russian hackers. Russian hackers are always seen as a kind of mafia trying to extract money. It is quite possible, because each country has its own group.
In France, we have Comcyber (the Cyber Defence Command, editor's note), which is there to handle everything related to attack and defence from a cyber point of view; I don't see why the Russians wouldn't have their own unit. The Cyber Defence Command is an armed group with skills in IT and cybersecurity. It is not an army of the same type as the air force or the land army.
How does France prepare for a large-scale attack?
France has defined the notion of an operator of vital importance (OIV). This is a list of sectors essential to the proper functioning of France: energy, telecommunications, drinking water management, transport, etc. In each sector there is a confidential list of designated companies. These companies and public bodies have very specific security criteria that must be met. You cannot, for example, have your key sectors connected to the Internet.
It would be an aberration to have the core of a nuclear power plant connected to the Internet. There are very specific criteria and regular audits to check the security policies and that they match what is actually done in the field. From an infrastructure point of view, France is quite good. That doesn't mean the nuclear plant accountant's computer won't get hacked, but the plant won't blow up because someone can play with the cursor.
Could Russia use an as-yet-unknown flaw (zero-day) to hack a strategic administration?
To use a zero-day, for example in the Chrome browser (a flaw was discovered in recent days, editor's note), Russia would have to get you to visit a site that hosts the zero-day (the flaw unknown to the public, editor's note). It's really a narrow attack window. Russia would need, for example, to have succeeded in hacking a very well-known website and deposited the attack payload on that site.
After a hack, can we identify the attacker?
Most of the time, the attacker is not identified. The hacker is not going to attack you directly from his home to yours. He will amuse himself bouncing around many places on the Internet. If he is in Russia, he can decide to go through a machine in China, then one in Australia, then in Brazil… After the attack, either international cooperation breaks down, or we do not find sufficiently convincing traces to know the origin of the attack.
Often, when we attribute an attack to Russia via ransomware (software that blocks the computer and demands a ransom, editor's note), it is because, by analysing the program's code, we realised there were Cyrillic characters inside. That is how, most of the time, we trace it back to the source. But it's quite rare to be able to identify exactly where the attack is coming from.
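Looking for the Cyrillic strings mentioned in the answer above, as an added example (this is not code from the article or from Ms Henin): the Python below, run over a constructed byte blob standing in for a suspect binary, pulls out runs of Cyrillic text under the three encodings Windows malware typically carries, UTF-8, UTF-16LE wide strings and the legacy Windows-1251 code page, and discards runs such as 0xCC int3 padding that decode to Cyrillic letters by accident. The function, class and sample names are my own. Strings like these are trivial to plant, so on their own they are weak evidence of origin and belong alongside compile timestamps, keyboard-layout checks and infrastructure overlap, not in place of them.

```python
"""Extract Cyrillic text artifacts from a binary blob (added example)."""
import re
from dataclasses import dataclass
from typing import List

# Cyrillic block U+0400-U+04FF as it appears in each encoding; spaces may separate words.
_UTF8_RUN = re.compile(rb"[\xd0-\xd3][\x80-\xbf](?:[\xd0-\xd3][\x80-\xbf]| )*")
_UTF16LE_RUN = re.compile(rb".\x04(?:.\x04| \x00)*", re.DOTALL)   # low byte, then 0x04
_CP1251_RUN = re.compile(rb"[\xc0-\xff]+(?: [\xc0-\xff]+)*")      # 0xC0-0xFF = А..я
_CYRILLIC_VOWELS = set("аеёиоуыэюяАЕЁИОУЫЭЮЯ")


@dataclass(frozen=True)
class Hit:
    encoding: str
    offset: int   # byte offset of the run in the blob
    text: str


def _plausible(text: str, min_letters: int) -> bool:
    """Reject runs that are too short, a single repeated byte (padding), or vowel-less noise."""
    letters = text.replace(" ", "")
    return (len(letters) >= min_letters
            and len(set(letters.lower())) >= 2
            and any(ch in _CYRILLIC_VOWELS for ch in letters))


def find_cyrillic(blob: bytes, min_letters: int = 3, cp1251_min_letters: int = 6) -> List[Hit]:
    """Return plausible Cyrillic runs found under UTF-8, UTF-16LE and Windows-1251.

    cp1251 maps every high byte to a letter, so machine code produces many spurious
    one- or two-letter 'words'; a higher floor is used for that encoding.
    """
    hits: List[Hit] = []
    for enc, pattern, floor in (("utf-8", _UTF8_RUN, min_letters),
                                ("utf-16-le", _UTF16LE_RUN, min_letters),
                                ("cp1251", _CP1251_RUN, cp1251_min_letters)):
        for m in pattern.finditer(blob):
            text = m.group().decode(enc).strip()
            if _plausible(text, floor):
                hits.append(Hit(enc, m.start(), text))
    return sorted(hits, key=lambda h: h.offset)


# Constructed sample standing in for a suspect PE file: ASCII import name, one Cyrillic
# string in each encoding, then int3 padding and a few x86 opcode bytes as noise.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"GetProcAddress\x00"
    + "запуск".encode("utf-8") + b"\x00"            # offset 31
    + "Ошибка".encode("utf-16-le") + b"\x00\x00"    # offset 44
    + "Привет мир".encode("cp1251") + b"\x00"       # offset 58
    + b"\xcc" * 8 + b"\x00"                         # int3 padding: 'ЬЬЬЬЬЬЬЬ' in cp1251
    + b"\x55\x8b\xec\x83\xec\x10"                   # push ebp; mov ebp,esp; sub esp,0x10
)

if __name__ == "__main__":
    for hit in find_cyrillic(SAMPLE):
        print(f"{hit.offset:#06x} {hit.encoding:<10} {hit.text}")
```

The int3 run is dropped because it is one repeated letter with no vowel; lowering `cp1251_min_letters` or removing the vowel check quickly shows how noisy the single-byte code page is on real executables, which is why a hit there should be confirmed by hand before it is written into a report.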