What has the war in Ukraine got to do with cybersecurity?
On February 24, 2022, Russia began the invasion of Ukraine. By February 28th, Russia had already launched 380 missiles against Ukraine. However, this most modern of wars has many faces. The hybrid nature of modern war was first introduced as a concept by Frank Hoffman. In describing war as a hybrid, encapsulated a conflict fought on many fronts including conventional, irregular attacks that include assignations, and cyber-attacks.
Cyber-attacks are increasingly used as a strategy in warfare because they have far-reaching effects and can cause massive upheaval and damage. Cyber-attacks carried out by state-sponsored hacking gangs are used to disrupt critical infrastructures, including financial, healthcare, and manufacturing. Because of the extended supply chains of these infrastructures, potentially all companies of all sizes are a potential cyber-warfare target.
Here is what has happened, so far, as the invasion of Ukraine plays out, along with some ideas on how to protect your organization from cyber-warfare.
Russian-sponsored hacking groups, ransomware, and possible war-chests
Russia is no stranger to the sponsoring of hacking groups. One of the biggest cyber-attacks of all time was the U.S. Colonial Pipeline ransomware attack of May 2021 carried out by the hacking group, Darkside. The attack on Colonial impacted 50 million customers and led to fuel shortages. The DarkSide hacking group, who are believed to be associated with another group REvil, are infamous Russian hackers. The attack prompted a meeting between Putin and Biden in June 2021 to discuss the type of targets that ransomware gangs were focusing on, in an effort to prevent them. It is worth noting that in 2021, 74% of the money from ransomware attacks was sent to Russia-associated hackers. The question must be asked, was the Russian-associated ransomware activity of the last few years part of an effort to build a war chest to bankroll the Ukraine invasion? And will ransomware attacks continue to be used to prop up a heavily-sanctioned state?
Cyber-attacks on Ukraine
As the invasion against Ukraine became increasingly likely, a spate of cyber-attacks against the Ukrainian government occurred. In January 2022, 70 Ukrainian government websites were defaced with an onscreen ominous warning appearing on the websites:
“be afraid and expect the worst”
The attack’s origin was likely Russian intelligence, but Russia denied involvement. A Microsoft blog posted on February the 28th gave this statement:
“On February 24, Microsoft’s Threat Intelligence Center (MSTIC) detected a new round of offensive and destructive cyberattacks directed against Ukraine’s digital infrastructure.”
The cyber-attacks against Ukraine’s government websites and other online infrastructure have spawned a series of new ransomware variants. Some of the latest to be identified by security researchers are HermeticWiper, and WhisperGate malware. Both corrupt and/or wipe data; another variant, known as, HermeticRansom, uses extortion. The cyber-attackers behind the Russian-backed cyber-attacks are also using malware ‘worms’ which are designed to self-replicate and propagate across a network. One of the latest of these worms is called HermeticWizard, which is used to deliver HermeticWiper malware.
Malware worms use several methods to infect a network, including phishing emails, malicious links in social media posts, and infected removable media.
Cybersecurity advisories for companies
Governments across the world have been publishing advisories to help companies prepare for possible retaliatory cyber-attacks associated with the invasion of Ukraine.
U.S. CISA (Cybersecurity and Infrastructure Security Agency) has placed an advisory covered by the ‘Shields Up’ campaign about the Russian ransomware group, Conti:
“The Conti ransomware actors threaten “retaliatory measures” targeting critical infrastructure in response to “a cyberattack or any war activities against Russia.”
CISA continues to warn “Conti cyber threat actors remain active and reported Conti ransomware attacks against U.S. and international organizations have risen to more than 1,000.”
Similar warnings are being published in the UK, Australia, and Europe where organizations and citizens are being warned to prepare for a cyber-attack. The Financial Services Information Sharing and Analysis Center (FS-ISAC) warns that financial firms must brace themselves for an increased volume of cyberattacks.
Ways to protect your company
The war in Ukraine could spill over into cyberwar as part of retaliation attacks on any country that takes the side of Ukraine. Individual companies and their supply chain, who sanction Russia, could also become targets. Google’s Threat Analysis Group (TAG), has already found evidence of heightened attacks against Poland.
Phishing campaigns, often associated with ransomware attacks or credential theft, often take advantage of heightened urgency and global events. During the Covid-19 pandemic, massive spikes in phishing campaign volumes were observed. A similar surge in phishing campaigns that take advantage of the war in Ukraine are beginning to become a serious threat.
All organizations, from the smallest company to global enterprises, must take precautions now to harden their defenses against possible retaliatory cyber-attacks. Some areas to focus on to prevent a cyber-attack during this time of heightened threats are:
Teach employees how to spot tell-tale signs of phishing campaigns, especially those tied to the current invasion of Ukraine. Ensure that you keep security awareness training up to date as the situation may change quickly.
Access control to critical resources
Control access to critical applications and data. Use the principle of least privilege to make sure only those who need access are allowed access. Always use multi-factor authentication wherever it is supported.
Make sure that you have visibility of all the endpoints across your network (including those used by remote workers). Ensure each is protected and consider using Endpoint Detection Response (EDR).
Business continuity and disaster recovery
Test out your disaster recovery plans and make sure that you can continue business if your organization is a victim of ransomware. Explore secure backup options.
Make your organization a no cyber-threat zone
We can only hope that the war in Ukraine comes to a peaceful end very quickly. However, it is unlikely that the cyber-threat landscape will suddenly end peacefully. All organizations the world over must take stock of their cyber-defenses now and harden their approach against state-sponsored cybercriminals.