Tag Archive for: Ukraine

Increased Cybersecurity Risks from Russian Cyber Attacks Resulting From the Russia Ukraine Conflict

A barrage of sanctions from the U.S. and E.U. continues to rain down on Russia following Vladimir Putin’s decision to invade Ukraine. The damage inflicted by these sanctions poses concerns about possible retaliation measures against Western nations.

Given Russia’s significant capabilities and history of cybercrime, it appears likely that Russian cyber attacks, particularly against critical public sector infrastructure, may be on the agenda. These attacks have already begun against Ukraine and very likely will turn to the Western nations next.

Let’s take a look at some plausible risks, scenarios, and targets if Russia decides to turn to cyber attacks against Western nations during the ongoing conflict, so you can stay protected.

Russian Cyber Attacks Preceding the Physical Invasion of Ukraine

Before the Russian military stepped over the physical borders of Ukraine, there was an escalation in cyber attacks carried out by Russia’s extensive cyber units, with Ukrainian banks and government websites targeted by data-wiping malware and DDoS attacks. These actions confirmed that cybercrime is a central component of modern hybrid warfare.

According to the United States Congressional Research Service, Russia has a history of deploying cyber crime during wartime. During its 2008 war with Georgia, a large-scale DDoS attack crippled electronic communications at several government and financial institutions.

The escalation in cyber warfare is a continuation of attacks on Ukraine stretching back to Russia’s annexation of Crimea in 2014. A quick recap of some of these incidents serves as a reminder of what type of attacks Russia’s cyber units engage in during war times and the damage they can cause:

  • In December 2015, a complex, multi-phase attack took down Ukraine’s power grid leaving over 230,000 consumers without power.
  • A year later in December 2016, websites and payment systems belonging to the Ukrainian Ministry of Finance and State Treasury were taken offline by Russian malware.
  • In June 2017, Russia targeted Ukraine with a variant of the Petya ransomware (NotPetya), which hit Ukrainian ministries and banks, and even took down a radiation monitoring system at the Chernobyl nuclear plant.

Russian Cyber Attacks on Western Nations

While the attacks against Ukraine are proof of Russia’s cyber power, what conclusions can we draw about Russian cyber attacks on Western nations? Pertinent examples from recent years help us to predict who Russia might target in the West, the tactics they may use, and what the consequences could be.

  • Russian cyber unit Fancy Bear was implicated in the July 2016 hacking of the Democratic National Committee. Using tactics such as spear-phishing emails, keylogging software, and privilege escalation, the hack resulted in an email leak that stoked divisions in the Democratic party. The attack was seen as a Russian effort to weaponize information and interfere in the US Presidential election.
  • The NotPetya malware that hit Ukraine in 2017 spread to organizations in several Western nations, including Great Britain, France, Germany, and the United States. Maersk, the world’s largest container ship operator, suffered $300 million in damages from NotPetya. FedEx suffered similar costs to Maersk as a result of its subsidiary TNT Express being impacted by the ransomware strain.
  • The SolarWinds data breach is the most infamous recent example of Russian cybercrime against a Western nation. In this supply chain attack, Russian threat actors managed to modify software updates for Orion, a SolarWinds network monitoring software used by the U.S. federal government. Malicious Orion updates installed on federal IT systems gave Russian threat actors undetected access to those systems for up to nine months.

Federal Government Warnings and Advisories

The recent history of Russian cyber warfare clearly paints a worrying picture for Western nations. A diverse range of past attacks impacted critical public services and infrastructure, and as new sanctions get imposed daily, Russian cybercriminals could easily look for new targets. The possibilities include:

  • Russian threat actors deploying similar attacks on Western nations to those that hit Ukrainian banks and government websites.
  • Cyber incidents spreading from Ukrainian businesses to organizations in other countries due to globally interconnected networks.
  • Standalone attacks carried out as a direct response to ongoing Western sanctions damaging the Russian economy.

The highest levels of Western government assess the cyber risk landscape as an increasingly dangerous one if recent advisories and publications are anything to go by. The UK’s National Cyber Security Centre called on organizations to bolster their cybersecurity defenses in light of heightened cyber threats following Russia’s invasion of Ukraine. Recommended actions include patching systems, verifying access controls, and ensuring proper incident detection and response.

In the US, CISA director Jen Easterly indicated the agency was “working with our federal partners, our state and local partners, and our industry partners to make sure that they’re aware of the potential threats of a potential cybersecurity crisis.” The FBI Cyber Division’s David Ring reportedly echoed similar sentiments during a call when he asked state and local leaders and business executives to think about how the provision of critical services could be disrupted by ransomware.

Meanwhile, in an address to the nation on February 24, 2022, President Joe Biden claimed that “If Russia pursues cyberattacks against our companies, our critical infrastructure, we’re prepared to respond.”

These warnings, comments, and advisories show that there is a clear perception of increased cyber risk. The public sector and operators of critical infrastructure appear to be particularly vulnerable targets, so those operating in these sectors should continue to be on high alert.

Potential Upcoming Russian Cyber Attack Campaigns

It’s unclear how likely a Russian cyber attack on a Western nation is right now. The past actions of Russian cyber units indicate anything is possible. What is clear is that countries such as the United States and the United Kingdom are taking steps to prepare. Here are some potential upcoming Russian cybercrime campaigns to watch out for:

  • Targeting critical infrastructure: Statements from government officials in recent weeks have persistently referred to critical infrastructure. Cyber attacks on industrial control systems or even healthcare organizations pose threats to health and safety in addition to the monetary costs involved.
  • Data leaks: Russia has shown its willingness in the past to use information as a weapon. Threat actors lurking undetected in federal or other public sector networks may decide to leak confidential information in an attempt to sow discord. Spear phishing campaigns on public sector employees may provide new entry points into public sector IT networks.
  • Supply chain attacks: Russian cyber units may use existing footholds in software supply chains to initiate an attack that mimics SolarWinds and leads to widespread data breaches of government data.

While the risk of attack in the current environment may be high, there are steps you can take to be better prepared and stay protected against potential threats. We recommend you prioritize the following (in this order):

  • Patch or remediate any critical internet-facing vulnerabilities that could be leveraged by an attacker to gain a foothold within the environment.
  • Make sure that all endpoints have up-to-date endpoint protection, preferably an up-to-date EDR agent installed on all systems.
  • Patch internal vulnerabilities that are commonly used by attackers to compromise an endpoint.
  • Geo-block Russian IP address ranges on the NGFW if you do not do business with this region.

Closing Thoughts

If and when Russia decides to strike back against the West using its cyber attack arsenal, public and private sector organizations face the challenge of detecting potential cyber attacks quickly and responding before they spread and do serious damage. While proper cyber hygiene is a great start, you need around the clock monitoring to ensure you’re catching attacks before they cause damage.

Proficio’s managed detection and response service provides 24/7 investigation and incident remediation capabilities to help organizations manage threats and reduce business risk in this potentially dangerous new cybersecurity landscape. To better protect our clients in these uncertain times, Proficio is deploying additional, targeted monitoring solutions to detect and respond to these attacks. To learn more about how Proficio can help keep your organization secure, contact us.

Latest Ransomware Attack Cripples Networks Worldwide

For the second time in as many months, hackers have unleashed a massive ransomware attack targeting thousands of computer networks across the world.

The latest attack, nicknamed the GoldenEye strain of Petya ransomware, began on Monday June 27 and continued to unfold into Tuesday June 28, officials said. Investigators suspect it originated in Ukraine as an attempt to extort ransom payments from the owners of affected systems in exchange for releasing their crippled technology. The attack took advantage of a Windows PC’s ability to quickly spread corrupted files across a vast computer network, investigators said.

The latest ransomware attack comes just a month after another similar incident, nicknamed WannaCry, locked up more than 200,000 computers.

Petya Details

Petya is slightly different from the previous WannaCry attack in that it does not contain the kill switch functionality that helped prevent WannaCry from affecting more computer networks than it did, officials said. Instead, Petya uses the EternalBlue exploit to spread malware from system to system using compromised credentials from previous infections and administrative tools such as psexec and WMI. Therefore, a single unpatched system can cause multiple systems inside the same network to become compromised.
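The spreading pattern described above, one infected host reusing credentials to push execution to many peers over PsExec and WMI, leaves a recognizable trail in Windows event logs. The following detection sketch is an added example, not Proficio’s tooling; the event records are constructed and simplified (event IDs 4624, 7045 and 4688 are real Windows Security/System IDs, but the field layout here is a flat key=value form such as a SIEM normalizer might produce), and the window and threshold values are assumptions to tune per environment.

```python
"""Flag hosts that fan out to many peers via PsExec/WMI within a short window.
Correlation: a type-3 network logon on the target (4624, carries the source host)
followed within seconds by a PSEXESVC service install (7045) or a process spawned
by the WMI provider host (4688, parent WmiPrvSE.exe)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, host where event was logged, event id, detail)
EVENTS = [
    ("2017-06-27T10:00:05", "FIN-01", 4624, "logon_type=3 user=svc_backup src=HR-07"),
    ("2017-06-27T10:00:06", "FIN-01", 7045, "service=PSEXESVC"),
    ("2017-06-27T10:00:40", "FIN-02", 4624, "logon_type=3 user=svc_backup src=HR-07"),
    ("2017-06-27T10:00:41", "FIN-02", 4688, "parent=WmiPrvSE.exe image=rundll32.exe"),
    ("2017-06-27T10:01:10", "FIN-03", 4624, "logon_type=3 user=svc_backup src=HR-07"),
    ("2017-06-27T10:01:11", "FIN-03", 7045, "service=PSEXESVC"),
    # Single admin push to one host: legitimate-looking, must not alert on its own.
    ("2017-06-27T10:30:00", "FIN-04", 4624, "logon_type=3 user=helpdesk src=ADMIN-01"),
    ("2017-06-27T10:30:02", "FIN-04", 7045, "service=PSEXESVC"),
]

def parse(detail):
    """Turn 'k=v k=v' into a dict."""
    return dict(kv.split("=", 1) for kv in detail.split())

def remote_exec_fanout(events, window=timedelta(minutes=10), min_targets=3,
                       exec_lag=timedelta(seconds=60)):
    """Return {source_host: [targets]} for sources that reached >= min_targets
    distinct hosts inside `window`, each reach confirmed by a PsExec/WMI marker."""
    last_logon = {}               # target host -> (time, source host)
    confirmed = defaultdict(list)  # source host -> [(time, target host)]
    for ts, host, eid, detail in sorted(events):
        t, f = datetime.fromisoformat(ts), parse(detail)
        if eid == 4624 and f.get("logon_type") == "3" and "src" in f:
            last_logon[host] = (t, f["src"])
        elif (eid == 7045 and f.get("service") == "PSEXESVC") or \
             (eid == 4688 and f.get("parent") == "WmiPrvSE.exe"):
            # Attribute the execution to the most recent remote logon on this host.
            if host in last_logon and t - last_logon[host][0] <= exec_lag:
                confirmed[last_logon[host][1]].append((t, host))
    alerts = {}
    for src, hits in confirmed.items():
        hits.sort()
        for start, _ in hits:  # sliding window anchored at each confirmed hit
            targets = {d for tm, d in hits if start <= tm <= start + window}
            if len(targets) >= min_targets:
                alerts[src] = sorted(targets)
                break
    return alerts

if __name__ == "__main__":
    print(remote_exec_fanout(EVENTS))
```

On the sample data HR-07 is flagged for reaching FIN-01, FIN-02 and FIN-03 within a minute, while ADMIN-01’s single push is ignored; in production the same logic should also watch for the EternalBlue path, which produces no logon at all.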

Petya works by encrypting the master boot record of affected machines, instead of encrypting the files on a computer and leaving the operating system intact, rendering affected machines unusable. In some cases, investigators said even paying the ransom to the cyber criminals does not allow victims to recover files from compromised machines. For this reason, officials urge those affected not to make ransom payments in this or any ransomware attack.

Facing the Realities

Brad Taylor, Proficio CEO, said the recent ransomware attacks force companies and organizations to face the fact that they are under the constant threat of attack from anonymous cyber criminals.

“Attacks like Petya and WannaCry are making organizations face the realities of today’s cyber threat landscape,” Taylor said. “Hackers are constantly seeking and exploiting vulnerabilities across all enterprise resources; your people, processes and technology are all targets to advanced cyber criminals.”

Employing monitoring and alerting as part of a fully managed security operations center as a service to detect and respond quickly to an emerging threat like GoldenEye is the key to preventing widespread damage, Taylor continued.

“Accurate monitoring can allow your organization to proactively identify the early stages of an attack and more efficiently halt suspicious or high risk behavior,” Taylor said. “Most breaches only take 30 minutes to compromise an entire system, so while prevention is paramount, attackers will continue to find the cracks and stopping attacks earlier in the ‘kill chain’ can minimize the impact of a hack once a network is infected.”

Tips for Avoiding Ransomware

John Humphreys, Proficio Senior VP of Business Development and Alliances, said organizations must use a multi-pronged approach to stay secure in today’s fast-changing cybersecurity space. The latest ransomware attack proves that “not everyone learned the lesson from WannaCry,” Humphreys said.

“First, patch vulnerabilities,” Humphreys said. “Second, monitor for indicators of attack or compromise and rapidly respond. Third, protect your endpoints with next-generation security that can identify ransomware and stop it. Lastly, back up.”