With 2022 only a few weeks underway, part of the world’s attention is now focused on Ukraine, where numerous published reports indicate that thousands of Russian troops have gathered at that country’s border for what could be military action as part of the ongoing conflict between the two countries. Cybersecurity (and cyberattacks) could play a huge role in this potential crisis.
On Jan. 10, U.S. and Russia officials met to discuss the situation, and although any resolution to the conflict appears months away, some observers did see glimmers of a cooling-down period following the talks. Further talks with NATO and European officials are expected to follow.
Still, the notion of Russia turning its military attention to Ukraine has some experts warning about the potential use of cyber capabilities as a tactic—either in conjunction with a possible military invasion or through a series of separate attacks that could destabilize the country’s infrastructure.
Russia has targeted Ukraine before using cyber techniques, including in 2014, when security firm FireEye published a report noting increasing malware activity following increasing tension between Russia and Ukraine, especially leading up to the annexation of the Crimea region. Other government agencies and experts believe that Russia used distributed denial of service (DDoS) attacks against both Georgia and Estonia around the same time.
More importantly, however, when Russia turned its attention back to Ukraine in 2017, the U.S. government suspected that members of the country’s Main Intelligence Directorate, also known as the GRU, deployed malware dubbed NotPetya against the country, causing billions in damage. Later, investigators found the NotPetya attack spread beyond its intended target and also compromised organizations such as Danish shipping giant Maersk, the Heritage Valley Health System in Pennsylvania, FedEx's TNT Express, and more.
With the potential for another possible cyber threat connected to a Russian dispute over Ukraine, some cybersecurity experts are warning that IT and security professionals should take time now to review their cybersecurity practices to avoid a similar situation to what happened in 2017.
“The best preparation, frankly, is to invest in an ongoing capacity to detect and respond to adversaries that have bypassed preventive controls and are lurking inside an organization—whether those are criminals or nation-states, or whether the threat is somewhat higher today than it was yesterday, the reality is that there is always someone motivated in attacking an enterprise and the solution isn’t temporary vigilance,” Tim Wade, former security and technical manager for the U.S. Air Force and the technical director at security company Vectra AI, told Dice recently.
“In today’s highly connected world, organizations are always under siege in some form or another,” Wade added.
Making Connections
Knowing that the NotPetya malware moved from Ukraine-based organizations to other targets in the U.S. and Europe in 2017, John Bambenek, principal threat hunter at security firm Netenrich, believes that one of the best security checks an enterprise can do right now is to determine if there’s any connection to Ukraine and how that connection could make a network vulnerable.
“While NotPetya targeted Ukrainian organizations, businesses with a Ukrainian presence were also affected even though they were headquartered in the United States,” Bambenek told Dice. “Countering this possible attack involves letting key staff know attacks could come using the geopolitical intrigue as a lure, and making sure key IT and security staff are available to work on a breach in short notice. The primary attack vectors tend to be DDoS and phishing, so making sure the organization is prepared for those two attacks would be what I would focus on.”
Some security experts, including Dmitri Alperovitch, the co-founder of CrowdStrike who is now the chairman of Silverado Policy Accelerator, have noted an increase in cyber intrusions targeting organizations, both private and governmental, throughout Ukraine since December.
Joshua Aagard, vulnerability analyst with the Photon Research Team at security firm Digital Shadows, noted that one of the biggest concerns for organizations in the U.S. (as well as in other countries) is getting hit with a secondary attack or victimized by collateral damage. Three possible scenarios include:
- DDoS attacks that result in temporary degradation or loss of service on commercial and government servers. These attacks could be operational, such as against a nexus of telecommunications and logistics. DDoS attacks could also potentially be symbolic, directed against a monument, statue or other location linked to major events and historical figures.
- Zero-day attacks that provide tactical exponential force against servers, applications and services.
- Hybrid or blended attacks that could include physical attacks on data centers (or the inverse: cyberattacks on physical installations). This is increasingly the result of asymmetric thinking among militaries around the world.
Aagard is urging vulnerable organizations, along with their IT and security staff, to review their threat models, as well as take other steps to bolster cybersecurity.
“Review your existing environmental requirements at the appropriate level. Some organizations naturally require more action items than others; one size does not fit all,” Aagard told Dice. “Identify possible adversaries: Your organization may be a political entity, corporation or something else entirely. Also, take a cue from your competitors and note similar challenges and obstacles that they have faced.”
Basics Can Help
To date, the U.S. government has not issued any specific public warnings about cyber operations connected to the ongoing Russia-Ukraine conflict. On Jan. 11, however, a joint alert published by the FBI, the National Security Agency and the Cybersecurity and Infrastructure Security Agency detailed how a Russia-sponsored advanced persistent threat group had been using a number of well-known vulnerabilities found in products from Oracle, Microsoft, Cisco, VMware and others to gain initial access to networks.
Some of the organizations, targeted between September and December 2020, included those that oversee U.S. critical infrastructure, according to the alert.
When thinking about certain tactics used by nation-state groups and other attackers, Joseph Carson, chief security scientist and advisory CISO at ThycoticCentrify, believes that many organizations could reduce their risk by rethinking how they handle credentials and identity, as this type of compromise can result in adversaries gaining a foothold in a network.
“For organizations to reduce the risks of becoming the next victim, they must double down on the basics and make weak credentials a thing of the past,” Carson told Dice. “Strong password management, privileged access security and multifactor authentication will make it difficult for an attacker to be successful at gaining the initial foothold. This will likely force them to look for an easier target elsewhere.”
Carson also noted that investments in incident response, as well as creating resilient systems that can recover from an attack, are other ways to ensure cybersecurity during uncertain times.
“Resiliency is vital to an organization’s ability to recover and get back to business quickly,” Carson said. “As organizations make it more difficult for attackers, they will take more risks. This will result in more noise on the network, giving the defenders a better chance at detecting them.”