Cyberwarfare is the use of cyber-attacks against an enemy state with intentions of causing comparable harm to actual warfare and disrupting vital computer systems. One of the notable names who practice this type of warfare is Russia. With the ongoing conflict in Ukraine, we are here to shed some light on the cyberattacks going on between Russia and Ukraine, how it is shaping the geopolitical landscapes, and the cybersecurity impact the war is having on organizations and businesses around the world.
“Ukrainian! Your private information has been downloaded to public networks, and all the data on this computer will be permanently destroyed…” starts a warning message, displayed in Ukrainian, Russian, and Polish languages, which members of the Ukrainian Foreign Ministry received on January 14th, 2022. Ukraine has been hit heavily by the Russian cyberattacks this year, which intensified as the war between the countries broke out on February 24th. However, the cyberwar between Russia and Ukraine goes back to the start of the conflict in 2013, when then president Yanukovich, backed by Russia, was ousted by protests across Ukraine.
Since 2013, Ukraine has become one of Russia’s biggest targets in terms of cyberattacks. One of the very first attacks, launched by the Russians, was on the information systems of private enterprises and state institutions of Ukraine in 2013. It was followed by an immensely powerful 8-minute Distributed Denial of Service (DDoS) attack against an unidentified computer network in Ukraine, which was notable for being 32 times larger than the DDoS attack on Georgia in 2008, also conducted by Russia.
This was just the beginning of the many attacks which Russia launched against the neighboring state. Russia later conducted cyberattacks against the USA, France, Germany, Kyrgyzstan, Poland, Romania, South Korea, Venezuela, the UK, and Estonia.
Even setting aside its attacks on Ukraine, Russia has been one of the leading sources of cyberwarfare for the past decade. Together with China, it is responsible for 35% of all state-sponsored cyberattacks.
So, there is little doubt that, with the imposed and continuing sanctions and the current state of its economy, we will be seeing the emergence of threat actors from the former Soviet country, both individual and state-sponsored.
According to the Cybersecurity and Infrastructure Security Agency’s (CISA’s) latest report, Russian state-sponsored threat actors are now expanding their targets in the United States and other Western nations to include: governments, election organizations, healthcare and pharmaceuticals, defense, energy, video gaming, commercial facilities, nuclear, water, aviation, and critical infrastructure.
The motivations will range from simply financial gain and political hacktivism, to much more serious, such as espionage and nation-state sponsored supply chain disruptions, intellectual property theft, and other war-driven attacks.
This plethora of motivations puts at risk a range of industries and businesses, as well as government organizations. Companies must consider and evaluate their network operations, making sure that appropriate security practices and measures are enacted and put in place. Companies have to think about their critical components, critical vendors they depend on, and how this can be impacted. Anything running on your network, or dependent on the Internet and cloud, is at risk of a cyberattack.
It is predicted that critical infrastructure, financial industries, and shipping and trucking companies are going to be prime targets for Russia-sponsored cyberattacks. A recent CISA alert also indicated an increase in cyberattacks against managed service providers (MSPs) across the globe.
There are lots of steps in the world of cybersecurity for helping to protect an organization’s IT environment, data, and confidential assets. The steps listed below focus on the higher-risk vulnerabilities that can expose your environment to malicious attacks.
Creating a security awareness training program, reviewed on at least an annual basis, will help bring awareness to the employees of the company and limit the chances of having user credentials or data compromised. Include topics such as office etiquette when leaving a workstation, mobile device, or paperwork unattended.
Another topic should be identifying and reporting phishing emails and malware. You can reinforce the training by sending employees simulated phishing emails on a regular basis. Track which employees report the phishing email and which make the mistake of opening the message and clicking the link or attachment that would have been malicious if it weren’t a test.
One more important topic that shouldn’t be overlooked is password policies. Weak and re-used passwords should never be used. One way to avoid this issue is to use a password generator and a password manager.
Employee cybersecurity awareness training must be an integral part of any company’s security framework.
MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an application they will be prompted for their username and password, as well as an authentication code from their MFA authenticator.
MFA is set up using a third-party authenticator. From a company standpoint, it is even more beneficial to add an enforced MFA policy that requires an active MFA enrollment; otherwise, services are blocked.
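To make the "authentication code from their MFA authenticator" concrete, here is an added example (not code from the original post or from VerSprite) of how a service verifies a time-based one-time password as defined in RFC 6238. The secret and timestamps are constructed for the demo; the verifier accepts one step of clock skew on either side and rejects a code whose time step has already been redeemed, which is the replay check a production implementation needs.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo secret (base32, the form an authenticator app imports from a QR code).
# This is a hypothetical test value, not a real credential.
DEMO_SECRET_B32 = "JBSWY3DPEHPK3PXP"


def totp_code(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated (RFC 4226)."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = unix_time // step
    msg = struct.pack(">Q", counter)                 # 8-byte big-endian counter
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation offset
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32: str, submitted: str, unix_time: int, used_counters: set,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check: accept the current step +/- `window` steps, constant-time compare,
    and refuse any time step that was already redeemed (replay protection).
    `used_counters` is the per-user store of redeemed steps (a set here; a DB row in practice)."""
    if not (submitted.isdigit() and len(submitted) == digits):
        return False
    counter_now = unix_time // step
    for delta in range(-window, window + 1):
        counter = counter_now + delta
        candidate = totp_code(secret_b32, counter * step, step, digits)
        if hmac.compare_digest(candidate, submitted):
            if counter in used_counters:
                return False                         # same code presented twice: replay
            used_counters.add(counter)
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    code = totp_code(DEMO_SECRET_B32, now)
    redeemed = set()
    print("current code:", code)
    print("first use accepted:", verify_totp(DEMO_SECRET_B32, code, now, redeemed))
    print("replay accepted:", verify_totp(DEMO_SECRET_B32, code, now, redeemed))
```

The `used_counters` set is what turns a correct algorithm into a safe one: without it, a code captured by a phishing page remains valid for the whole window, which is exactly the credential-theft scenario the awareness training above is meant to reduce.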
Meetings for user entitlements, which are user access permissions, should be held on a quarterly basis for cloud providers (such as AWS, GCP, and Azure) and other software in use. Review the list of users to make sure that former employees, contractors, demo users, and service accounts are not still active if they are no longer with the company. This also applies to access keys for command line interface (CLI) usage that are no longer in use, or that should never have been created in the first place.
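An added example (not VerSprite's code) of what the quarterly entitlement review looks like when it is done from data rather than memory. The input is a constructed sample whose column names follow those of an AWS IAM credential report (an assumption about the format; the rows themselves are invented), and a constructed roster of principals that HR or operations still vouch for. The review flags principals missing from the roster, console passwords idle for more than the threshold, and access keys that are active but never used or idle.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample. Column names are modelled on the AWS IAM credential report (assumption);
# the users and dates are invented for the demo.
SAMPLE_REPORT = """user,password_enabled,password_last_used,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
alice,true,2022-03-20T09:12:00+00:00,true,2022-03-21T08:00:00+00:00,false,N/A
bob-contractor,true,2021-11-02T14:00:00+00:00,true,N/A,false,N/A
demo-user,false,N/A,true,2021-06-10T00:00:00+00:00,false,N/A
svc-backup,false,N/A,true,2022-03-22T02:00:00+00:00,true,2021-01-05T00:00:00+00:00
"""

# Constructed roster: principals the business still vouches for at review time.
ACTIVE_ROSTER = {"alice", "svc-backup"}

# Fixed "today" so the demo is reproducible (constructed).
REVIEW_DATE = datetime(2022, 3, 25, tzinfo=timezone.utc)


def _parse_ts(value: str):
    """Credential-report style timestamps; the sentinel strings mean 'no data'."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def review_entitlements(report_csv: str, roster: set, now: datetime, max_idle_days: int = 90):
    """Return (user, finding) pairs for the reviewers to action."""
    findings = []
    idle = timedelta(days=max_idle_days)
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user not in roster:
            findings.append((user, "not on active roster: disable and remove"))
        if row["password_enabled"] == "true":
            last = _parse_ts(row["password_last_used"])
            if last is None or now - last > idle:
                findings.append((user, f"console password unused for >{max_idle_days} days"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            last = _parse_ts(row[f"access_key_{n}_last_used_date"])
            if last is None:
                findings.append((user, f"access key {n} active but never used"))
            elif now - last > idle:
                findings.append((user, f"access key {n} unused for >{max_idle_days} days"))
    return findings


def run_demo():
    """Run the review over the constructed sample with the fixed review date."""
    return review_entitlements(SAMPLE_REPORT, ACTIVE_ROSTER, REVIEW_DATE)


if __name__ == "__main__":
    for user, finding in run_demo():
        print(f"{user:16s} {finding}")
```

Keeping the roster as a separate input is deliberate: the cloud provider can tell you what exists and when it was last used, but only the business can tell you who should still have access, and the review is the point where those two lists are reconciled.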
Using encryption on email ensures that data is protected end-to-end, so that no third party is able to read it in transit or at rest on intermediate servers; only the intended recipient can read the message once it has been decrypted. Encrypted email is important because most emails sent from within the organization contain confidential information.
Another key element of any company’s cybersecurity framework must be risk management, based on assessed threats to the particular business operations. Most companies overlook the current geopolitical landscape and its potential impact on their operations worldwide. The following points need to be taken into account when performing the risk assessment:
Most companies as a whole do not consider geopolitical risks. At VerSprite Security Consulting, we strongly believe in making the growing intersection of geopolitics and cybersecurity a part of discussion with boards and risk committees. There is little doubt that prolonged war in Ukraine, continuous sanctions imposed on Russia, and the country going into an economic default will reshape the geopolitical landscape for years to come, and will have a significant effect not only on the world economy, but consequently on cybersecurity.
Companies should analyze possible threats, sources of risks, and threat actors’ motives pertaining to their business operations. Having a comprehensive threat-based security program to reduce the risks of exploitation, as well as implement a strong incident response plan, is paramount.
Uddip Ranjan, SOC Analyst
Marian Reed, VP of GRC
Roger Neal, Security Consultant