While the Russian invasion of Ukraine is a little over a week old, most of the initial news involves the physical aspects of this particular conflict—images of Russian army tanks and helicopters, and soldiers on both sides fighting in the streets of key cities. Left unseen, so far, is the impact that Russia’s offensive cyber-capabilities are having on invasion, which could, in turn, have the same far-reaching effects as any conventional warfare.
Since Russia first started positioning its armed forces to invade Ukraine, experts have warned about possible cyberattacks that could start in Ukraine but eventually involve infrastructure in other countries, including the U.S. On Feb. 26, the FBI and Cybersecurity and Infrastructure Security Agency issued a joint alert warning of two destructive wiper malware strains that threat actors used to carry out attacks inside Ukraine.
The first, called WhisperGate, was uncovered by Microsoft in January and the other, dubbed HermeticWiper, was identified by ESET and several other security firms on Feb. 23, according to the joint alert. And while the FBI and CISA did not specifically link the malicious code to Russia, the agencies note that attacks began during the lead-up to “Russia’s unprovoked attack against Ukraine,” and that U.S. government agencies and businesses should monitor these developments.
In a separate report, Symantec analysts found wiper malware that targeted Ukrainian financial, defense, aviation and IT services sectors was later discovered on IT systems in the nearby country of Lithuania.
And while the types of cyber threats emanating from Ukraine have been limited, U.S., European and other sanctions against Russia could elicit a much larger and more kinetic response, said Rick Holland, CISO and vice president of strategy at security firm Digital Shadows.
“If the sanctions are severe enough, it is reasonable to expect an escalated Russian cyber response. As we have seen for years, no matter what the new sanctions look like, Russian social media disinformation campaigns will continue, further dividing the partisan United States,” Holland, a former U.S. Army intelligence analyst, told Dice. “Western critical infrastructure would be targeted by DDoS attacks and potentially destructive wiper attacks. This type of destructive Russian response would be a significant escalation and could risk a severe Western counter escalation. Tensions could escalate quickly and end in a dark place like the Cuban Missile Crisis.”
With the invasion of Ukraine underway, analysts noted that now is the time for IT and security professionals to adopt what CISA Director Jen Easterly called a “shields up” mentality to defend against possible Russian-linked cyber threats.
Holland noted three specific areas that IT and security professionals should evaluate within their organization immediately:
- Evaluate DDoS mitigation capabilities: If your organization is a likely target of Russian cyber-aggression, the organization should assess DDoS mitigation services. Organizations should avoid onboarding a new provider while a DDoS attack occurs; prepare for it in advance.
- Evaluate your organization’s ability to detect and protect against destructive wiper malware: If your organization hasn’t done a tabletop exercise around this scenario, schedule one immediately. The results of that exercise can be used as the basis for a mitigation strategy.
- Evaluate the response strategy: Security leaders need to get ahead of the media headlines, control the narrative and communicate up the chain of command. This includes the ability to explain to leadership the risk, likelihood and strategy going forward.
Others also note that spillover from an attack on Ukraine could entangle organizations in the U.S. and elsewhere. Besides the joint alert from CISA and the FBI, American officials are also warning about increased activity from Sandworm, the destructive threat group associated with Russia's Main Intelligence Directorate of the General Staff of the Armed Forces (a.k.a. GRU). Specifically, analysts are warning about malware called Cyclops Blink, which can create a botnet from unprotected internet-connected devices.
“Because we live in a more globalized world, events in Ukraine will bleed over into other countries and businesses. However, just because one country invades another doesn’t mean a new call to action needs to be proclaimed. The threat was always there, whether it was a nation-state actor, hacktivists, insider threats, or other malicious actors,” Leo Pate, managing consultant with security firm nVisium, told Dice.
Pate notes that all organizations can take immediate steps to protect their networks from these types of cyber threats, including:
- Ensuring that the organization is following the principle of least privilege with network and identity and access management;
- Monitoring logs for nefarious activity and having appropriate actions in place when “badness” is detected;
- Ensuring that each specific section has its security implementations, including red team engagements, tabletop exercises, architecture reviews, threat modeling, etc.
Stan Golubchik, CEO and founder of security firm ContraForce, noted that financial institutions might face added threats, especially in the wake of sanctions targeting Russia’s economy. One of the most likely scenarios is a supply chain attack where the attackers use a compromised third party as a launching pad. Another possibility is through a cloud-based operation.
“Financial institutions that rely on cloud infrastructure must shore up potentially vulnerable infrastructure, databases, and networks that allow them to provide global service scale,” Golubchik told Dice. “We have seen the ramifications of unsecured cloud infrastructure due to haphazard policy management, and financial intuitions should look towards Cloud Security Posture Management—CSPM—solutions to ensure security policy and posture don't drift and paint a target on the organization.”
While critical infrastructure, such as U.S. financial organizations, electrical power plants and oil and gas pipelines, has been the main focus of possible disruption from Russian threat groups, not everyone is convinced that a direct or spillover attack will happen.
Mike Hamilton, a former vice chair of the Department of Homeland Security's State, Local, Tribal, and Territorial Government Coordinating Council, noted that Russian-based disinformation campaigns and fake news are the issues that are most likely to disrupt the U.S., and it’s another issue that IT and security professionals need to watch.
“What’s more likely is a continuation and acceleration of the disinformation that works so well against Americans. Disinfo gets all kinds of people to believe all kinds of nonsense that take right off and become ‘fact’ in the minds of the media illiterate,” Hamilton, now the CISO of Critical Insight, told Dice.
To emphasize that point, Facebook’s parent company Meta announced on Feb. 27 that it had removed a network controlled by a malicious group called Ghostwriter that targeted people in Ukraine and Russia with fakes posts and news items.
This type of threat has now become a standard part of the toolset that nation-states now use to disrupt their opponents, and Hamilton suspected that both Russia and the U.S. might use more of it as part of asymmetrical warfare.
“We are now fighting back against this—what’s in the press is that we continue to expose every fabrication,” Hamilton said. “What we don’t know is how we may be using that same tactic to foment dissent in the minds of Russians and make [Russian President Vladimir] Putin out to be weak. That has to be going on right now, but we don’t hear about that as it’s now a tool of ‘war.’”