We’ve asked a number of subject matter experts for their input on how the war in Ukraine is impacting cybersecurity and cyber risk management. Today, we’re sharing our conversation with Evgueni Erchov of Arete Incidence Response about his observations on the cyber front of the war.
What cybersecurity concerns do you have about the unfolding scenario with Russia and Ukraine?
Based on our experience with previous Russian hybrid-military operations (i.e. Georgia, Estonia and Crimea), where offensive cyber capabilities were deployed, we expect (and have already seen reports of) activities by APT 28, APT 29 and Turla state-sponsored actors targeting Ukrainian government agencies and organizations in the energy/financial sector.
It’s also not uncommon for hackers to “join the fight” from both sides, but typically their activities are not too damaging. Usually we see a lot of DDoS attacks, website defacements and data leaks.
So far, CERT-UA and private partners are doing a very good job catching new threats quickly and deploying countermeasures. For instance, when a new variant of data-wiper malware—similar to what happened during the Crimea annexation—was detected, Microsoft released a new update for Windows Defender and pushed the update to all users within a few hours.
What cyber trends are you seeing related to that situation?
So far, for the most part, we’ve seen the same playbook being used. The only new developments during this conflict were:
- Involvement of Belarusian APT UNC1151, which attempted to compromise email accounts of Ukrainian military service members. I don’t recall them being involved in previous conflicts.
- The use of new technologies for misinformation campaigns (e.g., the use of AI “deep fake” videos of President Zelensky).
- Very poor operational security by the Russian military and the use of insecure methods of communication that are being intercepted by the Ukrainian military and SBU. This one is a bit ironic. Several years ago, a special secure phone was designed and provided to Russian military units, but it relies on 4G/5G mobile internet access. For some reason, when Russian troops were advancing in Ukraine, they methodically kept destroying 4G/5G towers, so their secure phones didn’t work.
Would US organizations or those in other geographic regions be facing heightened risks?
We don’t see a spike in US organizations being targeted yet, but as this conflict evolves and more sanctions are being rolled out, I think it would be fair to expect a retaliation against agencies like the DoD and CDC as well as NGOs, and energy and financial organizations in the US, UK and EU.
What proactive cyber-related actions would you suggest taking right now?
Along with the typical cyber hygiene recommendations (i.e., complex password policies, multifactor authentication, sophisticated AV/MDR solutions, offline backups, etc.), I’d also suggest keeping an eye on announcements from DHS CISA (https://www.cisa.gov/) and CERT-UA (https://cert.gov.ua/) for the latest information.
We’re grateful for Evgueni’s insights and valued take on how this war looks different from previous Russian offensives—at least on the cyber front.