On February 24, 2022, Russian forces invaded Ukraine. Tension between the two countries dates back to 2014, but the invasion is the culmination of a buildup that began in November 2021. Although the fighting is in Eastern Europe, it affects the rest of the world, especially where cybersecurity is concerned. According to a recent SANS webcast, every organization is a potential cyberattack target. Russia maintains a range of offensive cyber tools that it could deploy against networks worldwide, from low-level denial-of-service attacks to destructive attacks on critical infrastructure.
Several advanced activity groups, attributed to different departments and sections of Russian security and intelligence services, are actively involved. These groups leverage relationships with cybercriminal and hacktivist groups to support state-sponsored activity, and together they deploy cyberattacks against targets well beyond Ukraine.
Some of the key events and threat groups include:
- Sandworm, also known as Unit 74455, is an alleged Russian military cyber unit that is currently launching attacks. It has been held responsible for several past attacks on Ukraine and other nations, including the attack on Ukrainian power systems in 2015, disruptive attacks against Georgia in 2019, and attacks on the Olympics in previous years.
- UNC1151 is a group attributed to Belarus and reportedly behind a misinformation campaign and ongoing spear-phishing attempts. Its tactics include credential-phishing emails used to break into email accounts, which are then used to send malicious messages.
- DEV-0586 is the threat group responsible for the WhisperGate wiper attack this past January, and is also suspected of involvement in the February attacks on Ukrainian targets with HermeticWiper, a particularly destructive piece of malware. Separately, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) reported that Russian state-sponsored cyber actors have recently targeted sensitive US defense information and technology.
- There is a reported rise in misinformation campaigns aimed at undermining confidence in the leaders of rival nations and eroding support for actions against Russia.
While the focus is on Ukraine, it is likely that other parts of the world will be targeted and that attacks will spread further. These may take the form of malware, phishing, or misinformation. While Russian state operators are occupied with government targets, other groups such as hacktivists may pose a threat. CISA and the Federal Bureau of Investigation have warned that the wiper malware used against Ukraine could affect businesses in the United States.
What is a wiper attack?
A wiper attack is a cyberattack that wipes, overwrites, or deletes data on the victim's network or devices. Unlike most cyberattacks, which are motivated by monetary gain, wiper attacks are meant to destroy information permanently, which makes them a potentially greater threat than ransomware: a ransomware victim may at least be able to buy back its data, while a wiper victim can only restore from backups the attacker could not reach.
Could I be targeted?
During the SANS webcast on February 25, Jake Williams, an information security specialist and former member of the National Security Agency's hacking unit, offered guidance on whether an organization should worry about becoming a target at this time. He advised that if retaliatory cyberattacks were carried out against US and EU industries, Russia would weigh five points when choosing a target.
Russia would be most likely to choose targets that:
- Cause disruption that undermines public support for actions against Russia
- Will not be seen as an act of war by the victim
- Do not burn capabilities that cannot easily be replaced
- Will not limit future intelligence collection against the target
- Are not targets Russia would want to hold in reserve in case the US or EU escalates
According to Williams, applying the five-point test above, the US and EU industries most likely to be targeted include:
- Financial services providers
- Educational institutions
- State and local governments
- Smaller federal agencies
This could change if the US or other nations start ground operations against Russia.
However, the Conti gang, a Russian ransomware group, has said it will use "all possible resources to strike back at the critical [infrastructure] of an enemy" in response to any cyberattack or war activity against Russia.
On the other side, the hacktivist group Anonymous declared cyber war on Russian President Vladimir Putin and the Russian government. After the invasion began, it released a video addressed to Putin stating its intent and warning of internal dissent from hackers inside Russia.
Things You Can Do
Organizations can reduce their exposure to cybersecurity threats by adopting the following security best practices:
- Enforce Strong, Unique Passwords: Passwords should be unique, never reused across multiple accounts, and never stored on the system where a threat actor could read them. Passphrases are easy for you to remember but harder for a threat actor to crack.
- Enable Multi-Factor Authentication (MFA): MFA requires the user to present two or more verification factors (something you know, something you have, something you are) to gain access to a system, adding a layer of identity validation beyond the password. Where possible, prefer app- or hardware-token-based factors over SMS codes, which are easier to intercept.
- Account Lockouts and Time-Based Access: Locking an account after a set number of failed attempts stops a threat actor from brute-forcing passwords; set the threshold high enough that an attacker cannot lock legitimate users out at will. Just-In-Time (JIT) access helps as well: a network-wide policy enables Active Directory (AD) administrator accounts only when they are needed and automatically disables them when they are not.
- Endpoint Detection and Response (EDR): EDR gives a high degree of visibility into the security state of endpoints and is an effective defense against threat actors. A managed detection and response (MDR) partner that provides it can add another layer of coverage to an organization.
- Training and Information: While there are great tools to protect infrastructure, the human element is always a target. Keep your team aware of current threats and of potential misinformation campaigns.
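As an added example (not code from the original post, and not CAI's or SANS's own tooling), here is a small Python login gate that puts the MFA and account-lockout items above into working code: a password check against a PBKDF2 hash, a second factor verified as an RFC 6238 time-based one-time code with a small clock-skew window and constant-time comparison, and a lockout after a number of failures inside an observation window. The user store, the password, the thresholds, and the use of the RFC 6238 reference secret are all constructed for the example; a real deployment keeps credentials in a directory or identity provider and tunes the thresholds to its own policy.

```python
import hashlib
import hmac
import os
import struct

PBKDF2_ROUNDS = 100_000  # assumption for the example; tune to your hardware


def make_user(password: str, totp_secret: bytes) -> dict:
    """Constructed sample record: salted PBKDF2 hash plus the per-user TOTP secret."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
        "totp_secret": totp_secret,
    }


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time / step."""
    return hotp(secret, now // step, digits)


def verify_totp(secret: bytes, code: str, now: int, step: int = 30, drift: int = 1) -> bool:
    """Accept the current step and +/- `drift` neighbouring steps to tolerate clock skew.
    Every candidate is compared in constant time so timing cannot leak digits."""
    ok = False
    for k in range(-drift, drift + 1):
        if hmac.compare_digest(hotp(secret, now // step + k), code):
            ok = True
    return ok


class LoginGate:
    """Password + TOTP check with lockout after `max_failures` failures inside `window`
    seconds; a locked account stays locked for `lockout` seconds."""

    def __init__(self, users: dict, max_failures: int = 5, window: int = 900, lockout: int = 900):
        self.users = users
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.failures: dict = {}      # user -> timestamps of recent failures
        self.locked_until: dict = {}  # user -> time the lockout expires

    def is_locked(self, user: str, now: int) -> bool:
        return self.locked_until.get(user, 0) > now

    def _record_failure(self, user: str, now: int) -> None:
        recent = [t for t in self.failures.get(user, []) if now - t < self.window]
        recent.append(now)
        if len(recent) >= self.max_failures:
            self.locked_until[user] = now + self.lockout
            recent = []  # start a fresh window once the lockout expires
        self.failures[user] = recent

    def attempt(self, user: str, password: str, code: str, now: int) -> str:
        """Returns 'ok', 'locked' or 'denied'. Both factors are always evaluated so a
        wrong password and a wrong code produce the same response."""
        if self.is_locked(user, now):
            return "locked"
        rec = self.users.get(user)
        if rec is None:
            self._record_failure(user, now)  # unknown names get the same lockout path
            return "denied"
        pw_ok = hmac.compare_digest(
            hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ROUNDS),
            rec["pw_hash"])
        mfa_ok = verify_totp(rec["totp_secret"], code, now)
        if pw_ok and mfa_ok:
            self.failures.pop(user, None)
            return "ok"
        self._record_failure(user, now)
        return "denied"


# RFC 6238 reference secret (ASCII "12345678901234567890"), used only so the generated
# codes can be checked against the published test vectors, e.g. 287082 at t=59.
RFC_SECRET = b"12345678901234567890"
USERS = {"alice": make_user("correct horse battery staple", RFC_SECRET)}  # constructed

if __name__ == "__main__":
    gate = LoginGate(USERS)
    print(gate.attempt("alice", "correct horse battery staple", totp(RFC_SECRET, 59), 59))
    for i in range(5):
        gate.attempt("alice", "wrong", "000000", 100 + i)
    print(gate.attempt("alice", "correct horse battery staple", totp(RFC_SECRET, 106), 106))
```

Running the block prints "ok" for the correct password plus a valid code at t=59, and "locked" after five bad attempts in a row even when the right credentials are then supplied. The drift window of one step is a deliberate trade-off: it keeps users with slightly skewed clocks working while limiting an attacker to three candidate codes per attempt, which is why the lockout counter matters as much as the code itself.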
For more information, please see the SANS Ukraine-Russia Conflict – Cyber Resource Center located at https://www.sans.org/blog/ukraine-russia-conflict-cyber-resource-center/
CAI’s cybersecurity experts work with you directly to map out security solutions that align with your most important criteria, including impact, timing, resource availability, deployment, and financial considerations. If you have any questions, please contact me.