A barrage of sanctions from the U.S. and E.U. continues to rain down on Russia following Vladimir Putin’s decision to invade Ukraine. The damage inflicted by these sanctions poses concerns about possible retaliation measures against Western nations.
Given Russia’s significant offensive cyber capabilities and its history of state-directed cyber operations, Russian cyber attacks, particularly against critical public sector infrastructure, appear likely to be on the agenda. Such attacks have already begun against Ukraine and very likely will turn to Western nations next.
Let’s take a look at some plausible risks, scenarios, and targets if Russia decides to turn to cyber attacks against Western nations during the ongoing conflict, so you can stay protected.
Russian Cyber Attacks Preceding the Physical Invasion of Ukraine
Before the Russian military crossed Ukraine’s physical borders, there was an escalation in cyber attacks carried out by Russia’s extensive cyber units: Ukrainian banks and government websites were targeted with data-wiping malware and DDoS attacks. These actions confirmed that cyber operations are a central component of modern hybrid warfare.
According to the United States Congressional Research Service, Russia has a history of using cyber operations during wartime. During its 2008 war with Georgia, a large-scale DDoS attack crippled electronic communications at several government and financial institutions.
The escalation in cyber warfare is a continuation of attacks on Ukraine stretching back to Russia’s annexation of Crimea in 2014. A quick recap of some of these incidents serves as a reminder of the types of attacks Russia’s cyber units engage in during wartime and the damage they can cause:
- In December 2015, a complex, multi-phase attack took down Ukraine’s power grid leaving over 230,000 consumers without power.
- A year later in December 2016, websites and payment systems belonging to the Ukrainian Ministry of Finance and State Treasury were taken offline by Russian malware.
- In June 2017, Russia targeted Ukraine with NotPetya, destructive wiper malware disguised as a variant of the Petya ransomware. It hit Ukrainian ministries and banks and even forced the radiation monitoring system at the Chernobyl nuclear plant offline.
Russian Cyber Attacks on Western Nations
While the attacks against Ukraine are proof of Russia’s cyber power, what conclusions can we draw about Russian cyber attacks on Western nations? Pertinent examples from recent years help us to predict who Russia might target in the West, the tactics they may use, and what the consequences could be.
- The Russian cyber unit Fancy Bear was implicated in the 2016 compromise of the Democratic National Committee, whose stolen emails were leaked in July 2016. Using tactics such as spear-phishing emails, keylogging software, and privilege escalation, the intrusion produced an email leak that stoked divisions in the Democratic party. The attack was seen as a Russian effort to weaponize information and interfere in the US Presidential election.
- The NotPetya malware that hit Ukraine in 2017 spread to organizations in several Western nations, including Great Britain, France, Germany, and the United States. Maersk, the world’s largest container ship operator, suffered $300 million in damages from NotPetya. FedEx suffered similar costs to Maersk after its subsidiary TNT Express was hit by the same wiper.
- The SolarWinds compromise is the most infamous recent example of Russian state-directed cyber activity against a Western nation. In this supply chain attack, Russian threat actors inserted a backdoor into legitimate software updates for Orion, a SolarWinds network monitoring product used by the U.S. federal government and many private organizations. Malicious Orion updates installed on federal IT systems gave Russian threat actors undetected access to those systems for up to nine months.
Federal Government Warnings and Advisories
The recent history of Russian cyber warfare clearly paints a worrying picture for Western nations. A diverse range of past attacks impacted critical public services and infrastructure, and as new sanctions are imposed daily, Russian cyber actors could easily look for new targets. The possibilities include:
- Russian threat actors deploying similar attacks on Western nations to those that hit Ukrainian banks and government websites.
- Cyber incidents spreading from Ukrainian businesses to organizations in other countries due to globally interconnected networks.
- Standalone attacks carried out as a direct response to ongoing Western sanctions damaging the Russian economy.
The highest levels of Western government assess the cyber risk landscape as an increasingly dangerous one if recent advisories and publications are anything to go by. The UK’s National Cyber Security Centre called on organizations to bolster their cybersecurity defenses in light of heightened cyber threats following Russia’s invasion of Ukraine. Recommended actions include patching systems, verifying access controls, and ensuring proper incident detection and response.
In the US, CISA director Jen Easterly indicated the agency was, “working with our federal partners, our state and local partners, and our industry partners to make sure that they’re aware of the potential threats of a potential cybersecurity crisis.” The FBI Cyber Division’s David Ring reportedly echoed similar sentiments during a call when he asked state and local leaders and business executives to think about how the provision of critical services could be disrupted by ransomware.
Meanwhile, in an address to the nation on February 24, 2022, President Joe Biden said that “If Russia pursues cyberattacks against our companies, our critical infrastructure, we’re prepared to respond.”
These warnings, comments, and advisories show that there is a clear perception of increased cyber risk. The public sector and operators of critical infrastructure appear to be particularly vulnerable targets, so those operating in these sectors should continue to be on high alert.
Potential Upcoming Russian Cyber Attack Campaigns
It’s unclear how likely a Russian cyber attack on a Western nation is right now. The past actions of Russian cyber units show that they have both the capability and the willingness. What is clear is that countries such as the United States and the United Kingdom are taking steps to prepare. Here are some potential upcoming Russian cyber campaigns to watch out for:
- Targeting critical infrastructure: Statements from government officials in recent weeks have persistently referred to critical infrastructure. Cyber attacks on industrial control systems or even healthcare organizations pose threats to health and safety in addition to the monetary costs involved.
- Data leaks: Russia has shown its willingness in the past to use information as a weapon. Threat actors lurking undetected in federal or other public sector networks may decide to leak confidential information in an attempt to sow discord. Spear phishing campaigns on public sector employees may provide new entry points into public sector IT networks.
- Supply chain attacks: Russian cyber units may use existing footholds in software supply chains to initiate an attack that mimics SolarWinds and leads to widespread data breaches of government data.
While the risk of attack in the current environment may be high, there are steps you can take to be better prepared and stay protected against potential threats. We recommend you prioritize the following (in this order):
- Patch or otherwise remediate any critical internet-facing vulnerabilities that an attacker could leverage to gain a foothold in your environment.
- Make sure that all endpoints have up-to-date endpoint protection, preferably an up-to-date EDR agent installed on every system.
- Patch internal vulnerabilities that attackers commonly use to compromise an endpoint or move laterally once inside.
- Geo-block Russian IP address ranges on the NGFW if you do not do business with this region. Treat this as a noise-reducing control rather than a primary defense: state-sponsored actors routinely operate from infrastructure outside Russia (the SolarWinds intrusion, for example, used U.S.-based hosting for its command and control).
If and when Russia decides to strike back against the West using its cyber attack arsenal, public and private sector organizations face the challenge of detecting potential cyber attacks quickly and responding before they spread and do serious damage. While proper cyber hygiene is a great start, you need around the clock monitoring to ensure you’re catching attacks before they cause damage.
Proficio’s managed detection and response service provides 24/7 investigation and incident remediation capabilities to help organizations manage threats and reduce business risk in this potentially dangerous new cybersecurity landscape. To better protect our clients in these uncertain times, Proficio is deploying additional, targeted monitoring solutions to detect and respond to these attacks. To learn more about how Proficio can help keep your organization secure, contact us.