25 April 2022

Cyber War in Ukraine: How Companies Can Protect Themselves Against Spillover Attacks

Since Russia’s invasion of Ukraine in February 2022, the cyber threat landscape for European companies has intensified dramatically. Wiper malware, DDoS attacks, and targeted espionage campaigns threaten not only Ukrainian targets – spillover effects are also hitting German firms.

TL;DR

  • Wiper malware: HermeticWiper and WhisperGate destroy data permanently – no ransom demand, only destruction.
  • Spillover risk: NotPetya in 2017 began as a Ukraine-focused attack but caused $10 billion in global damage.
  • BSI alert level Orange: The BSI (Federal Office for Information Security) has elevated Germany’s threat level to “elevated.”
  • Kaspersky warning: The BSI warns against using Kaspersky products.
  • Critical infrastructure: Energy providers and logistics companies are primary spillover targets.

Cyber warfare running parallel to ground warfare

Hours before Russia’s invasion on 24 February 2022, Ukrainian government systems were hit with HermeticWiper, a piece of wiper malware. Unlike ransomware, wiper malware demands no ransom; it erases data irreversibly. Simultaneously, Ukrainian banks and media outlets were crippled by DDoS attacks.

Russia’s cyber warfare strategy combines state-backed actors (e.g., Sandworm, Fancy Bear) and criminally affiliated groups acting out of patriotic motivation – or direct instruction. The line between state-sponsored and criminal cyber activity is increasingly blurred.

Why German companies are at risk

The 2017 NotPetya incident demonstrates that cyberattacks launched amid geopolitical conflict rarely remain confined to their intended target country. Shipping giant Maersk lost $300 million; pharmaceutical company Merck lost $870 million – despite having no operational ties to Ukraine. As a result, the BSI has raised its national threat level to Orange and explicitly warned of spillover effects.

Companies especially at risk include those with subsidiaries in Ukraine or Russia, suppliers to critical infrastructure, users of Russian software (per the BSI’s Kaspersky warning), and firms operating in energy, logistics, and finance sectors.

Immediate protective measures to implement now

The BSI recommends concrete, urgent actions: verify and test offline backups; update and rehearse incident response plans; strengthen network segmentation; shorten patching cycles to 24 hours; evaluate alternatives to Kaspersky; and analyze threat intelligence on Russian APT groups. Companies should also assess their incident response capabilities – and consider retaining an external incident response (IR) provider.

Key Facts at a Glance

BSI alert level: Orange (elevated threat level since February 2022)

Known wipers: HermeticWiper, WhisperGate, IsaacWiper, CaddyWiper

NotPetya damage (2017): Over $10 billion globally

Kaspersky warning: BSI advisory dated 15 March 2022

Sources: BSI security advisory, CISA Shields Up Advisory, March 2022

Fact: According to IBM, 95 percent of all cybersecurity incidents stem from human error.

Fact: According to Bitkom, German companies invest an average of 14 percent of their IT budget in cybersecurity.

Frequently Asked Questions

What is wiper malware – and how does it differ from ransomware?

Wiper malware destroys data permanently, without demanding a ransom. While ransomware encrypts data and offers decryption keys in exchange for payment, wipers have one sole objective: maximum destruction. Backups are the only viable recovery option.

Why is the BSI warning against Kaspersky?

The BSI sees a significant risk that Kaspersky could be instrumentalized by Russian authorities for cyber warfare. Its software enjoys deep system-level access and routinely communicates with servers located in Russia. The BSI recommends migrating to alternative solutions.

How likely is a spillover attack against German companies?

NotPetya proves spillover effects are both real and devastating. The BSI assesses the likelihood as elevated. Companies with operational links to Ukraine or Russia – and operators of critical infrastructure – are particularly vulnerable.

What does BSI alert level Orange mean?

Orange is the BSI’s second-highest alert level and signals a business-critical escalation in threat severity. Companies must immediately implement protective measures, activate emergency response plans, and maintain heightened vigilance across all IT systems.

Which specific immediate actions does the BSI recommend?

Verify and test offline backups; update emergency response plans; tighten network segmentation; shift to 24-hour patching cycles; evaluate Russian software usage; enforce multi-factor authentication (MFA); and train staff to recognize current phishing campaigns.
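The first item in both the BSI action list above and the earlier section on immediate measures is to verify and test offline backups, since backups are the only recovery path after a wiper. The following script is an added example, not code from the article or from the BSI: it builds a SHA-256 manifest of a live data tree, then checks a restored copy against that manifest and reports files that are missing, altered, or unexpected. The function names and the sample directory layout are assumptions constructed for the demonstration; the `demo()` function creates temporary data, takes a clean copy, then simulates wiper damage on that copy so the check can be exercised offline.

```python
"""Offline backup verification: hash manifest of the source, then a restore check.

Added example (not from the article or any BSI tool). Function names are
hypothetical; the sample files in demo() are constructed for the demonstration.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Record relative path, size and SHA-256 for every regular file under root.

    Store the returned manifest with the offline backup medium; at restore time it
    is the reference the restored tree is compared against.
    """
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            manifest[rel] = {"size": p.stat().st_size, "sha256": sha256_file(p)}
    return manifest


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a restored tree to the manifest.

    A wiper that overwrites content in place keeps the size, so the size check
    alone is not enough; the hash comparison is what catches that case.
    """
    report = {"ok": [], "missing": [], "modified": [], "extra": []}
    for rel, expected in manifest.items():
        p = restored_root / rel
        if not p.is_file():
            report["missing"].append(rel)
            continue
        if p.stat().st_size != expected["size"] or sha256_file(p) != expected["sha256"]:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    # Files present in the restore but absent from the manifest are worth a look:
    # they may be restore-tool artifacts or something that should not be there.
    for p in sorted(restored_root.rglob("*")):
        if p.is_file() and p.relative_to(restored_root).as_posix() not in manifest:
            report["extra"].append(p.relative_to(restored_root).as_posix())
    return report


def demo() -> tuple:
    """Build a constructed data tree, verify a clean copy, then a wiped copy."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        (live / "finance").mkdir(parents=True)
        (live / "finance" / "ledger.csv").write_text("date,amount\n2022-03-01,100\n")
        (live / "readme.txt").write_text("constructed sample data\n")
        manifest = build_manifest(live)

        # Clean restore: everything should verify.
        clean = Path(tmp) / "restore_clean"
        shutil.copytree(live, clean)
        clean_report = verify_restore(manifest, clean)

        # Damaged restore: one file overwritten with same-length zeros (size unchanged),
        # one file deleted, one unexpected file added.
        damaged = Path(tmp) / "restore_damaged"
        shutil.copytree(live, damaged)
        ledger = damaged / "finance" / "ledger.csv"
        ledger.write_bytes(b"\x00" * ledger.stat().st_size)
        (damaged / "readme.txt").unlink()
        (damaged / "stray.bin").write_bytes(b"x")
        damaged_report = verify_restore(manifest, damaged)

        return clean_report, damaged_report


if __name__ == "__main__":
    clean, damaged = demo()
    print("clean restore:", clean)
    print("damaged restore:", damaged)
```

In practice the manifest is generated when the backup is taken and kept with the offline medium; a restore test that ends with an empty `missing` and `modified` list is the evidence that the backup is usable, which is the point of "testing" rather than merely "having" backups.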

Further Reading Online

Cloud security during crises on cloudmagazin: cloudmagazin.com

Geopolitical risks for IT strategy on Digital Chiefs: digital-chiefs.de

Business continuity during crises on mybusinessfuture: mybusinessfuture.com

Header Image Source: Pexels / Markus Winkler

About the author: Tobias Massow
