Since well before Russia launched its war in Ukraine, experts predicted that the growing conflict would catastrophically impact global cybersecurity. In the months since the war began, the situation has certainly evolved, with the U.S. government warning critical industries about potential attacks. We talked to Ron Plesco, Partner at the global law firm DLA Piper, about the cybersecurity concerns the war has created and what companies can do to get ahead of these risks.
What are the cybersecurity consequences of the war in Ukraine?
For one thing, Russia’s version of the NSA, the SVR, has partnered with Russian organized crime entities. Not only have they been utilized for ransomware and hacking activities, but they’ve also been used to destroy critical infrastructure in Ukraine, such as the electric grid. These active operations are being carried out with the blessing of Russian military and police, with both getting a kickback. As the war has progressed, the military has been too busy with the war itself to conduct cyber operations, so it has handed over military grade cyber weapons to the organized crime entities. These are now being wielded against American companies and other companies around the world.
What do these actions against U.S. and global companies look like?
As with any intelligence operation, it’s a low and slow threat, and if it’s in the Russian national interest they will stay in the network and gather intelligence for as long as they need to, using this information to advance their interests. I’ve now worked on a couple of cases where threat actors gained access to Fortune 100 companies and stayed in their systems gathering data for as long as two years.
The other thing we have seen in the past year is a rise in data extortion campaigns. Russian military data that was obtained through hacking or other illegal means is now being sold out the back door by organized crime. The most viable theory for why this is happening is that the Russian economy has tanked with global companies pulling out of the country, so both the military and organized crime are feeling the pinch and they need to make money.
How have these developments changed the landscape for global cybercrime?
The subtext of all of this is that prior to the war, Eastern European organized crime groups had worked closely with Russian organized crime to conduct cyber operations—some of the most sophisticated ransomware and ransomware-as-a-service technology and techniques came out of Eastern Europe. But when Putin mobilized Russian organized crime to create an information operation—essentially propaganda for the war—there was a big blowback from the Eastern European side, so much so that threat actors began to make public the intimate chats exchanged about their criminal operations.
How do you expect this situation to evolve in the coming months?
It’s going to get worse until our country and corporations start to build better defenses. The threat actors need more money, so there is motive. They have better technology and tools, so there is more opportunity, and with ransomware-as-a-service anyone can do this. And what we see ahead for Russia is a harsh winter, with sanctions, the downturn in the crypto market, and inflation, so it’s a dire situation.
What can companies do to protect against these threats?
That really depends on the company and their operating expenses. If you look at statistics on this, information security should be anywhere from 6 to 9 percent of overall capital expenditures. Most companies are still behind on this. I’m also finding that compliance does not equate to adequate security to prevent these attacks. In almost every one of the breaches I’ve ever worked on, the companies have been fully compliant with applicable regulations.
What companies need to do is invest in security controls that are actually functional and map those to the data that they have and the data that they’re trying to protect. I’m a huge fan of the zero trust model. If a nation state wants to get in, they most likely will—it’s simply a matter of detecting it and responding in time. Most companies don’t need to significantly scale their security, unless they are the Department of Defense.
What’s more important is the basic work, such as making cyber governance a boardroom issue so that cybersecurity and IT are inextricably intertwined with business functionality; patching systems; having network visibility; and using best-in-class endpoint detection and response systems. Most SMEs would benefit from a managed security model and outsourcing to experts who are watching your network around the clock. Of course, another important layer is preventing human error—training your staff to avoid making costly mistakes and testing the efficacy of your training.
If you think about the state of play and where this is all heading, everyone needs to be investing more in cybersecurity and governing that risk from the highest leadership levels on down to stay ahead of the threats.
Thanks again to Ron for his insights on the evolving threats in the global cyber landscape. DLA Piper is a NetDiligence-authorized Breach Coach® law firm. To learn more about DLA Piper, visit their website.