We’ve recently asked a number of subject matter experts for their input on how the war in Ukraine is impacting cybersecurity and cyber risk management.
Today, we’re sharing our conversation with Billy Gouveia of incident response firm Surefire Cyber about how cybersecurity concerns have evolved in the earliest days of the conflict.
What cybersecurity concerns do you have about the unfolding scenario with Russia and Ukraine?
The tragic war unfolding in the Ukraine has several important cyber dimensions. Some have concluded that the cyber front has been quiet thus far. Let’s look at the key cyber actions of the last six weeks:
- First, prior to the invasion by ground forces, Russia attempted significant cyberattacks on Ukraine’s electrical grid and internet providers. For reasons that aren’t yet clear, these attacks—which included destructive wiper malware—were not successful.
- Then, according to claims made by Ukraine’s intelligence service, China allegedly launched a major cyberattack on Ukraine’s military and nuclear facilities. These attacks, using different Tactics, Techniques, and Procedures (TTPs) from those that Russia would have used, were also largely unsuccessful (although these attacks may have been responsible for a three-day outage of a power sub-grid).
- Immediately after the invasion, Ukraine formed an “IT army” to counter Russia’s disinformation campaign and disrupt the digital infrastructure of Russia. The international hacker collective known as Anonymous then came in to support Ukraine and conducted cyberattacks on Russia’s critical infrastructure. Moscow’s stock exchange and Sberbank’s websites went down, and Conti, a well-known ransomware threat actor, had its systems hacked as well.
- As a counter, Ukraine’s foreign affairs website was among many hacked.
In short: The cyber volleys, while drowned out by the gripping news of the kinetic war, haven’t subsided. Given what we know about the close ties between many ransomware groups and the Russian government, I think it’s fair to say that the immediate focus has been more on Ukrainian targets than it has been on American companies. That said, my key concern is that as US support for Ukraine grows, so does our desirability as a target for capable hackers supportive of Russia. These hackers could be:
- members of Russia’s intelligence and military services
- organized criminal gangs with strong support from the Russian government
- independent hackers who are sympathetic to Russia
- allies acting at the direct request of the Russian government
- state-sponsored groups conducting opportunistic attacks
Although US companies have not seen an increase in attacks, just recently, the FBI declared a $10M reward for each of four Russian hackers for targeting nuclear and electrical plants in 135 countries and attempting to cause physical damage with cyber weapons.
Perhaps Russia has conducted cyber actions against US targets that haven’t been successful given increased pressure and heightened vigilance. Perhaps Russia might want to avoid the additional retaliation promised by the US in the case of a cyberwar. Or, perhaps Russia may have chosen to delay cyberattacks against US targets, and is instead focused on infiltrating and gaining footholds.
What cyber trends are you seeing related to that situation?
To pick up on this last point and look further out on the horizon, our nation’s adversaries are knocking on doors and scanning our critical infrastructure daily. The long-term concern is that this staging activity could lead to an attack on US critical infrastructure, particularly on the banking sector in response to its role in economic sanctions. Specifically, sanctions on Russia are expected to have an impact that rivals the 1998 financial crisis, with JPMorgan forecasting the Russian economy to contract 35% in Q2. This could lead to not only state-sponsored retaliatory events but also an increase in financially motivated attacks like ransomware and business email compromise.
What we’re seeing at the moment is an intensive crossfire of localized cyber campaigns—with denial of service, ransomware, and wiperware—in Ukraine and Russia, as well as the immediate periphery of Poland, Belarus, the Baltic countries, and Germany. This makes sense as cyber campaigns in these areas will have the highest impact on the conflict’s critical logistical hubs and supply routes.
Would US organizations be facing heightened risks?
Definitely, even if we’re not seeing it materialize just yet. US organizations have long been targeted, and, given the ongoing challenge of attribution in the cyber domain, the Russian government can operate with plausible deniability. Our NATO allies face a similarly heightened target profile, and again, the longer the conflict goes on, the higher the likelihood of spillover cyberattacks beyond Ukraine’s immediate periphery.
To put it another way, Russian-aligned actors have more reason to target US organizations and less to lose by doing so. For example, Russia’s removal from SWIFT means that they can conduct cyber operations against the global provider of financial transactions. At the same time, we have to be increasingly vigilant about threats such as Iranian APT groups such as MuddyWater and possible Chinese cyber groups conducting staging operations against Taiwan.
Again, my sense is that the longer the conflict goes, the wider these campaigns will spread. As I commented above, campaigns against the US may now be in the preparation and planning stages with threat actors working to gain access to our infrastructure and performing reconnaissance to establish their priority target lists. There has also been an uptick in dark web activity, particularly with access brokers increasing the sale of network and admin credentials. Increased dark web activity tends to be a good indicator of future ransomware incidents with a historical dwell time of one to three months between the sale of access and the initial compromise.
What proactive cyber-related actions do you suggest, considering the situation?
Put simply, I suggest the same cyber measures that organizations should always take, with an added dose of vigilance. There are several key actions that every organization must implement:
- Deploying an endpoint detection and response tool on every workstation, laptop, and server
- Enabling multifactor authentication for, at a minimum, email and remote access points
- Configuring a sound backup solution and data restoration process to minimize downtime in the event of a destructive and business-interrupting cyber event
- Proactively planning for incidents and establishing relationships with the stakeholders that would support you during an incident: your cyber insurance carriers and brokers, external counsel, and specialized incident response teams.
- Having that response playbook ready and practicing, practicing, practicing your incident response plans.
We’d like to thank Billy for his thoughts on this quickly evolving situation. U.S. entities should maintain vigilance in the face of the threats mentioned in Billy’s responses above.
You can also stay sharp and informed as the industry changes in real time by logging in to your eRiskHub® portal to access up-to-date threat intel, cyber awareness training, and more.