Cyberwarfare is the use of cyber-attacks against an enemy state with the intention of causing harm comparable to actual warfare and disrupting vital computer systems. One of the most notable practitioners of this type of warfare is Russia. With the ongoing conflict in Ukraine, we are here to shed some light on the cyberattacks going on between Russia and Ukraine, how they are shaping the geopolitical landscape, and the cybersecurity impact the war is having on organizations and businesses around the world.
Brief History of Cyberattacks Between Russia and Ukraine
“Ukrainian! Your private information has been downloaded to public networks, and all the data on this computer will be permanently destroyed…” begins a warning message, displayed in Ukrainian, Russian, and Polish, which members of the Ukrainian Foreign Ministry received on January 14th, 2022. Ukraine has been hit heavily by Russian cyberattacks this year, which intensified as the war between the countries broke out on February 24th. However, the cyberwar between Russia and Ukraine goes back to the start of the conflict in 2013, when then-president Yanukovych, backed by Russia, was ousted by protests across Ukraine.
Since 2013, Ukraine has been one of Russia’s biggest cyberattack targets. One of the very first attacks launched by Russia, in 2013, was on the information systems of private enterprises and state institutions of Ukraine. It was followed by an immensely powerful 8-minute Distributed Denial of Service (DDoS) attack against an unidentified computer network in Ukraine, notable for being 32 times larger than the DDoS attack on Georgia in 2008, which was also conducted by Russia.
This was just the beginning of the many attacks Russia launched against its neighboring state. Russia later conducted cyberattacks against the USA, France, Germany, Kyrgyzstan, Poland, Romania, South Korea, Venezuela, the UK, and Estonia.
The attacks on Ukraine from 2013 till 2022:
- 2013: Operation “Armageddon”, targeting government, law enforcement, and military officials.
- 2014: Operation “Snake”, February 2014, directed at government agencies. Sophisticated malware was used to siphon data to outside servers.
- 2014: Attacks on the automated system “Elections.”
- 2015: Ukraine power grid hack, December 2015. Attacks using the BlackEnergy Trojan on Ukrainian energy companies supplying the Kyiv, Ivano-Frankivsk and Chernivtsi regions. This was the first successful cyber-attack on a power grid.
- 2016: Second power grid hack against Ukraine, December 2016.
- 2016: Paralysis of the State Treasury of Ukraine, December 2016.
- 2017: More cyberattacks on Ukraine, including a mass supply-chain attack in June 2017 using “Petya”. According to the US Presidential Administration, this became the largest known hacker attack.
- 2022: Cyberattacks on Ukrainian government websites in January 2022, following the failed US-Russian negotiations on Ukraine’s place in NATO.
- 2022: Cyberattacks in February 2022 as Russian troops invaded eastern regions of Ukraine. The attacks took down several major Ukrainian governmental and banking websites. U.S. intelligence attributed the attacks to Russian-sponsored threat actors, although the Russian government denied involvement.
In response, Ukraine launched its own chain of cyberattacks. Let us take a look at some notable cases:
- 2016: Operation “Prikormka” (Groundbait), May 2016. Cyberespionage malware targeted separatists in the self-declared republics of Luhansk and Donetsk.
- 2016: Operation “May 9”, 2016, produced nine successful hacks of sites of the separatist group “Donetsk People’s Republic,” as well as Russian anti-Ukrainian propaganda sites and resources of Russian private military companies.
- 2016: “Channel One” breach, June 2016. The corporate server of the Russian “Channel One” was breached by the Ukrainian Cyber Alliance of hacker groups Falcons Flame, Trinity and Rukh.
- 2016: The Surkov Leaks, October 2016: a leak of 2,337 e-mails and hundreds of attachments revealing plans for seizing Crimea from Ukraine and fomenting separatist unrest in Donbas (documents dated between September 2013 and December 2014).
- 2022: The IT Army of Ukraine was set up by Mykhailo Fedorov, First Vice Prime Minister and Minister of Digital Transformation, on 25 February 2022, in response to the 2022 Russian invasion of Ukraine. Its primary aim is cyberwarfare against Russia. Fedorov requested the assistance of cyber specialists and tweeted a Telegram channel with a list of 31 websites of Russian businesses and state organizations.
Impact on Other Nations and Organizations Worldwide
Setting aside attacks on Ukraine, Russia has been one of the leading sources of cyberwarfare for the past decade. Together with China, it is responsible for 35% of all state-sponsored cyberattacks.
So there is little doubt that, with the continuing sanctions and the current state of its economy, we will see the emergence of threat actors from the former Soviet country, both individual and state-sponsored.
Who is at risk?
According to the Cybersecurity and Infrastructure Security Agency’s (CISA’s) latest report, Russian state-sponsored threat actors are now expanding their targets in the United States and other Western nations to include: governments, election organizations, healthcare and pharmaceuticals, defense, energy, video gaming, commercial facilities, nuclear, water, aviation, and critical infrastructure.
The motivations range from simple financial gain and political hacktivism to far more serious ones, such as espionage, nation-state sponsored supply chain disruption, intellectual property theft, and other war-driven attacks.
This range of motivations puts a wide set of industries and businesses, as well as government organizations, at risk. Companies must evaluate their network operations and make sure that appropriate security practices and measures are in place. They have to think about their critical components, the critical vendors they depend on, and how these could be impacted. Anything running on your network, or dependent on the Internet and cloud, is at risk of a cyberattack.
It is predicted that critical infrastructure, financial industries, and shipping and trucking companies are going to be prime targets for Russia-sponsored cyberattacks. A recent CISA alert also indicated an increase in cyberattacks against managed service providers (MSPs) across the globe.
How Can You Protect Your Organization Today?
There are lots of steps in the world of cybersecurity for helping to protect an organization’s IT environment, data, and confidential assets. The steps listed below focus on the higher-risk vulnerabilities that can expose your environment to malicious attacks.
Staff Security Awareness Training
Creating a security awareness training program, reviewed at least annually, will raise awareness among the company’s employees and limit the chances of user credentials or data being compromised. Include topics such as office etiquette when leaving a workstation, mobile device, or paperwork unattended.
Another topic should be identifying and reporting phishing emails and malware. You can reinforce the training by sending employees simulated phishing emails on a regular basis. Track which employees report the phishing email and which make the mistake of opening the message and clicking the link that would have been malicious if it weren’t a test.
One more important topic that shouldn’t be overlooked is password policy. Weak and re-used passwords should never be used. One way to avoid this issue is to use a password generator together with a password manager.
Employee cybersecurity awareness training must be an integral part of any company’s security framework.
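The password guidance above (generated passwords, a minimum strength, no reuse) can be checked mechanically. The following is an added example written for this article, not code from VerSprite or from any password manager; the character classes, the 12-character minimum and the SHA-256 "reuse fingerprint" are this example's own assumptions, and a production system would keep retired-password fingerprints behind a slow, salted hash.

```python
import hashlib
import math
import secrets
import string

# Character classes a generated password must draw from (assumed policy).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+[]{};:,.?",
}
ALPHABET = "".join(CLASSES.values())  # 85 characters


def generate_password(length: int = 20) -> str:
    """Draw a password from the OS CSPRNG (the secrets module), retrying
    until every character class is present so it satisfies check_policy()."""
    if length < 12:
        raise ValueError("policy minimum is 12 characters")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(c in chars for c in candidate) for chars in CLASSES.values()):
            return candidate


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password of this length over this alphabet."""
    return length * math.log2(alphabet_size)


def fingerprint(password: str) -> str:
    """Fingerprint of a retired password, so reuse can be detected without
    storing the old password itself (assumed: plain SHA-256 for this demo)."""
    return hashlib.sha256(password.encode()).hexdigest()


def check_policy(password: str, previous_fingerprints: set, min_length: int = 12) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    for name, chars in CLASSES.items():
        if not any(c in chars for c in password):
            problems.append(f"missing {name} character")
    if fingerprint(password) in previous_fingerprints:
        problems.append("password was used before")
    return problems


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, f"({entropy_bits(20):.1f} bits)")
    print("violations:", check_policy(pw, set()))
    # A retired password that an employee tries to bring back:
    old = {fingerprint("Summer2022!x")}
    print("reuse check:", check_policy("Summer2022!x", old))
```

A 20-character password over this 85-symbol alphabet carries about 128 bits of entropy, which is why a generator plus a manager beats any memorable scheme; the reuse check is what a manager does for you across sites.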
Enable Multi-Factor Authentication (MFA)
MFA adds an extra layer of protection on top of a username and password. With MFA enabled, when a user signs in to an application they are prompted for their username and password, as well as a one-time authentication code from their MFA authenticator.
MFA is typically set up using a third-party authenticator app. From a company standpoint, it is even more beneficial to enforce an MFA policy: access to services is blocked unless the user has MFA active.
User Entitlement Meetings
Meetings to review user entitlements (user access permissions) should be held quarterly for cloud providers (such as AWS, GCP, and Azure) and for other software in use. Review the list of users to make sure that former employees, contractors, demo users, and service accounts that are no longer with the company are not still active. The same applies to access keys for command line interface (CLI) usage that are no longer in use, or that should never have been created at all.
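A quarterly entitlement review is easier to run, and to repeat, when the checks are scripted against an export of the identity provider. The block below is an added example for this article, not VerSprite's code or an AWS tool; it reads a constructed CSV modelled on a subset of the AWS IAM credential report columns (the real report has more columns, and the sample rows here are made up) and flags exactly the cases the text calls out: departed principals still present, console users without MFA (the enforced-MFA policy from the previous section), and active CLI access keys that are stale or were never used. The `DEPARTED` set stands in for an HR off-boarding feed, and the 90-day key threshold is an assumption.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample modelled on a subset of the AWS IAM credential report
# columns. Every row is invented for this example.
SAMPLE_REPORT = """\
user,password_enabled,mfa_active,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
alice,true,true,true,2022-03-20T10:15:00+00:00,false,N/A
bob,true,false,false,N/A,false,N/A
contractor-temp,true,true,true,2021-09-01T08:00:00+00:00,false,N/A
ci-deploy,false,false,true,2022-03-29T23:59:00+00:00,true,N/A
demo-user,true,false,true,N/A,false,N/A
"""

# Assumed input from HR: principals that should no longer exist.
DEPARTED = {"contractor-temp"}


def _parse_date(value: str):
    # The report marks never-used credentials as "N/A" (or "no_information").
    if value in ("N/A", "no_information", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv: str, now: datetime, departed: set,
                            max_key_age_days: int = 90) -> dict:
    """Return {user: [findings]} for every principal that needs review."""
    findings = {}
    cutoff = now - timedelta(days=max_key_age_days)
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        issues = []
        if user in departed:
            issues.append("principal belongs to a departed user/contractor")
        # Console users must have MFA active.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            issues.append("console password enabled without MFA")
        # Each active CLI access key must have been used recently.
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            last_used = _parse_date(row[f"access_key_{n}_last_used_date"])
            if last_used is None:
                issues.append(f"access key {n} is active but has never been used")
            elif last_used < cutoff:
                issues.append(f"access key {n} unused since {last_used.date()}")
        if issues:
            findings[user] = issues
    return findings


def run_sample() -> dict:
    """Audit the constructed report as of a fixed review date."""
    review_date = datetime(2022, 4, 1, tzinfo=timezone.utc)
    return audit_credential_report(SAMPLE_REPORT, review_date, DEPARTED)


if __name__ == "__main__":
    for user, issues in run_sample().items():
        print(user)
        for issue in issues:
            print("  -", issue)
```

Each finding maps to a decision the review meeting has to record: delete the principal, enforce MFA, or deactivate the key. Keeping the script's output from one quarter lets the next review confirm the decisions were actually carried out.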
Use Encrypted Email
End-to-end email encryption ensures that only the intended recipient can decrypt and read a message; no third party handling the message in transit or storing it on a mail server can read its contents. Encrypted email is important because most emails sent from within the organization contain confidential information.
Risk Assessment and Management
Another key element of any company’s cybersecurity framework must be risk management, based on assessed threats to the particular business operations. Most companies overlook the current geopolitical landscape and its potential impact on their operations worldwide. The following points need to be taken into account when performing the risk assessment:
- Company’s critical sources of business (such as clients, critical vendors).
- Company’s and critical vendors’ key operations locations and geopolitical impact on those locations.
- Financial risk management focus – potential impact on goods and services from affected areas.
- Technological risks – company’s reliance on software or hardware from the conflict zones.
- Impact on employees’ safety and reputation.
Most companies as a whole do not consider geopolitical risks. At VerSprite Security Consulting, we strongly believe in making the growing intersection of geopolitics and cybersecurity a part of discussion with boards and risk committees. There is little doubt that prolonged war in Ukraine, continuous sanctions imposed on Russia, and the country going into an economic default will reshape the geopolitical landscape for years to come, and will have a significant effect not only on the world economy, but consequently on cybersecurity.
Companies should analyze possible threats, sources of risk, and threat actors’ motives pertaining to their business operations. Having a comprehensive threat-based security program to reduce the risk of exploitation, as well as implementing a strong incident response plan, is paramount.
VerSprite is here to help. If you have any questions on how to best secure your assets, or need assistance now, contact us.
Uddip Ranjan, SOC Analyst
Marian Reed, VP of GRC
Roger Neal, Security Consultant