Explosions heard near the capital of Kyiv have punctuated the launch of Russia’s invasion of Ukraine, which has sent markets into chaos and stoked international fear.

In recent weeks, Ukraine has weathered a series of cyberattacks against critical infrastructure, including banks and government agencies, which Ukraine and the U.S. [and other countries] attributed to Russia.

For cybersecurity experts, it’s another sign of the shifting dynamics of international aggression, and it comes amid a sharp rise in ransomware attacks globally. For more, Marketplace’s Sabri Ben-Achour spoke to Adam Meyers, senior vice president of intelligence at the cybersecurity firm CrowdStrike. Below is an edited transcript of their conversation.

Sabri Ben-Achour: U.S. officials have warned U.S. businesses and local governments to watch out for potential ransomware attacks and other attacks as soon as the president announced sanctions. Would you agree with that assessment — that the risk is now heightened, even for run-of-the-mill businesses in the U.S.?

Adam Meyers: Well, I think that it would be unlikely for Russian threat actors to directly target U.S. businesses. I think what’s more likely is that they will target Ukraine. And I think that the bigger concern for U.S. companies and Western entities is that there would be potential collateral impact against them if there is some sort of cyberattack against Ukraine. And we saw this back in 2017 with Petya [malware], for example. Organizations will do offshore development in Ukraine and things like that, so a lot of organizations had connections there, and because of that, they ended up having disruptive impact from that.

Ben-Achour: So how do these kinds of attacks work — without malware, without some flaw opening up a backdoor in some software?

Meyers: So it doesn’t mean that there’s no malware. What it means is that the initial way that the threat actor gets in, the initial attack vector, may not involve malware. They may have already compromised credentials somehow, and they’re logging in as a legitimate user. It could be that they found a vulnerability in a [virtual private network] concentrator or some externally facing device, and they’re able to exploit that vulnerability and then move deeper into the enterprise or the network. That is when they’ll end up deploying malware. And I think what is notable is that we’ve seen a move, over the last year, where more and more of these attacks are not relying on things like phishing attacks that have malicious attachments. And that’s kind of how these nation-state threat actors behave.

Ben-Achour: Speaking of nation-state threat actors, we know governments engage in cyberattacks. We also hear about independent groups that are either loosely associated or not associated with governments. Who is doing it more these days — governments or random criminals?

Meyers: It depends on who you are and what kind of target profile you have. E-crime actors tend to be fairly opportunistic, and they’re going after businesses based off of their revenue. When you look at a nation state, whether it be China, Iran, North Korea or Russia, they all have different motivations. For example, North Korea has been heavily targeting cryptocurrency platforms because they’re stealing cryptocurrency in order to fund activities of the regime — and that’s happened to the tune of hundreds of millions, if not billions, of dollars that they’ve been able to steal. China has engaged in aggressive espionage campaigns that are targeting stealing intellectual property and using that to drive economic objectives — whether it be part of the Belt and Road Initiative or the 14th five-year plan. They also conduct intelligence collection to go after people that are problematic for the regime — whether it be groups like the Uyghurs or democracy activists. Obviously, with the situation in Ukraine unfolding, everybody is concerned about what the Russian threat actors do. And Russian threat actors can engage in espionage, but they also engage in disruptive and destructive attacks. And we’ve seen this play out numerous times over the last nine years in Ukraine.

Ben-Achour: Overall, worldwide, what’s the biggest source of cyberattacks today?

Meyers: Hands down it’s criminal threat actors. They are largely based in Eastern Europe and Russia, and they engage in just an unprecedented amount of incidents that involve either big-game hunting [cyberattacks that target high-value data] or data theft and leak attacks. Just in the last year, I think we’ve seen over 2,700 big-game hunting attacks. So they’re far and away that most prevalent actor. Nation-state actors are continuously operating as well, but they tend to operate a little bit more under the radar. They don’t conduct as many widespread and widely known attacks. They try to, obviously, steal information without it being identified that they’ve stolen it.

Stories You Might Like

As companies brace for cyberattacks from Russia, specialists are in short supply

White House warns companies of growing cyberattack risk

How the war in Ukraine is affecting debt troubles for developing countries

What military aid is the U.S. sending Ukraine?

Western countries may have a hard time confiscating Russian assets they’ve frozen

Could the United States dollar be dethroned?