In the early stages of the conflict, Russian military commanders targeted Ukrainian banks and defense networks with destructive cyberattacks. Meanwhile, in the US, military officials increased their monitoring of Russia-based cyber activity in order to detect, respond to, and prevent cyberattacks against critical infrastructure such as utilities, electric facilities, and water plants.
Other recent cyber events, such as SolarWinds, Hafnium, and Log4j, showcase the effectiveness of low-effort attacks. These incidents remind us of the importance of reliable countermeasures to protect our organizations as part of day-to-day operations. Organizations should expect that events like these will occur and be prepared to respond.
For example, because Russia has been linked to sophisticated cyberattacks both in the past and recently, cyber operations are likely to continue alongside military efforts. Although most of the attacks are expected to be directed at Ukraine, collateral damage should be considered, as we have already experienced. Many cybersecurity and geopolitical experts believe cyberattacks against countries imposing sanctions are soon to follow. Organizations should be on high alert for the following cyberattacks recently used in this conflict.
- DDoS Attacks. Distributed Denial of Service (DDoS) attacks directed towards military, government, financial, telco, and other critical service providers have already been perpetrated against Ukraine. Most notably, such attacks were executed against the websites of the Ministry of Defense and the Armed Forces of Ukraine, as well as the web services of Privatbank and Oschadbank, on February 15th, 2022.
- Wiper Attacks. Wiper attacks are destructive in nature and often do not involve a ransom, but they can also be used as a covert tactic to cover the tracks of a separate exploit, such as data theft. WhisperGate (January 13th) and HermeticWiper (February 22nd, 2022) have already caused damage, and more variants are expected. As of the end of February, ESET telemetry showed that the wiper had been installed on hundreds of machines in Ukraine.
- Cyberespionage. Espionage carried out as part of this conflict involves using computer networks to gain unapproved or illicit access to confidential information. Ukraine’s Computer Emergency Response Team (CERT-UA) has reported that cyberespionage groups have targeted Ukraine’s military personnel with phishing attempts. These attacks are usually aimed at governments or other organizations that hold sensitive information that could prove damaging, or be used for blackmail, if disseminated publicly.
- Multi-Factor Authentication Attacks. In addition, opportunistic cybercriminals are leveraging the Russia-Ukraine conflict to push bogus scams and tap into legitimate support efforts. On March 15th, 2022, the Cybersecurity and Infrastructure Security Agency (CISA) issued alert AA22-074A regarding the elevated risk of Multi-factor Authentication (MFA) set to a “fail-open” configuration state, specifically with the Duo product. CISA stated that this could allow attackers to bypass multi-factor protection mechanisms, gain a beachhead into an organization’s network, and mount other cyber offensives based on unpatched vulnerabilities.
- Website Defacement Attacks. Website defacement is another type of attack being used in this conflict. The Kitsoft incident of January 2022 showcases how easily attackers can execute this attack, in which hackers compromise a website and replace its content with their own messages. The messages are intended to cause harm and usually promote the hacker group defacing the site.
- Supply Chain Attacks. Based on their recent effectiveness and prevalence, most recently with Log4j and SolarWinds, supply chain attacks also pose a significant risk. More than 2,100 US-based firms and 1,200 European firms have at least one direct (tier-1) supplier in Russia, and more than 450 firms in the US and 200 in Europe have tier-1 suppliers in Ukraine. Software and IT services account for 13% of supplier relationships between US and Russian/Ukrainian companies.
- Disinformation Attacks. Lastly, disinformation attacks have proven easy for these perpetrators to execute. This attack involves disseminating false information via social networks or other wide-reach communication mechanisms, such as email and SMS, to mislead, confuse, or manipulate a large audience. US tech companies like Google, Facebook, and Twitter are attempting to stop the spread of disinformation and have started demonetizing ads that run on Russian state media accounts.
Mitigate Your Organization’s Risk
Knowing which tactics, techniques, and procedures (TTPs) to expect from this conflict should equip you with the information needed to mount a successful defense. The following recommendations, based on these TTPs, will raise an organization’s level of confidence during this conflict:
- Improve Network Monitoring at your Perimeter. Ensure you have visibility into incoming and outgoing traffic, with appropriate safeguards. Monitor, and consider blocking, high-risk outbound network traffic. Review your WAF configuration and set it to blocking mode to mitigate zero-day attacks. Log, correlate, and review events. Focus on threat intelligence, lower alerting thresholds if possible, and be aware of risk patterns associated with Russian actor TTPs.
- Create Contingency Plans to Disconnect High-Risk External Connections. Preparedness, control, and proactiveness are essential for a successful defense. Inventory any unfiltered VPNs and other vendor or contractor connections. Limit traffic destinations for high-risk protocols wherever possible. Watch for collateral damage and propagation via automation. Perform tabletop exercises at least annually to ensure readiness for any disruptive event. Validate your backup and recovery processes.
- Use this Event to Bolster your Security Awareness Program. Educating end users will lower your risk from malware and social-engineering attack vectors. Run a simulated phishing campaign, reassess your password standard, and implement MFA on all external ingress points. Also encourage timely and effective communication about how your organization is responding to the conflict.
- Improve your Rigor around Patching and Updating Consistently. Poorly monitored, unpatched assets create additional risk. Confirm that default configurations have been updated, and learn from recent misconfigurations such as the ‘fail-open’ MFA setting. Ensure your endpoint detection and response agents are active, receiving threat intelligence feeds, and set to protect/block risks. You should also look for behavioral evidence or network- and host-based artifacts from known Russian state-sponsored TTPs.
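The fail-open MFA setting raised in the CISA alert above and in this patching recommendation is an auditable host configuration. The following PowerShell script is an added example, not part of the original article or of the vendor's tooling; the registry path and value name are assumptions taken from the Duo Authentication for Windows Logon documentation and should be confirmed against your vendor's current documentation before use.

```powershell
# Added example: audit (and optionally fix) the MFA credential provider's fail-open setting.
# Assumptions: the default $KeyPath and $ValueName below follow the Duo Windows Logon
# documentation; confirm them for your agent version. Run from an elevated session.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$KeyPath   = 'HKLM:\SOFTWARE\Duo Security\DuoCredProv',  # assumed vendor key
    [string]$ValueName = 'FailOpen',                                 # assumed value name
    [switch]$Remediate   # when set, change fail-open (non-zero) to fail-closed (0)
)

function Get-MfaFailOpenState {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -Path $Path)) {
        # No agent key on this host: nothing to audit.
        return [pscustomobject]@{ Present = $false; Value = $null; State = 'NotInstalled' }
    }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Value never set: behaviour depends on the agent's built-in default,
        # so flag it for review rather than assuming it is safe.
        return [pscustomobject]@{ Present = $true; Value = $null; State = 'Unknown' }
    }
    $v = [int]$item.$Name
    $state = if ($v -ne 0) { 'FailOpen' } else { 'FailClosed' }
    return [pscustomobject]@{ Present = $true; Value = $v; State = $state }
}

$result = Get-MfaFailOpenState -Path $KeyPath -Name $ValueName
switch ($result.State) {
    'NotInstalled' { Write-Output "$env:COMPUTERNAME: no MFA agent key at $KeyPath." }
    'FailClosed'   { Write-Output "$env:COMPUTERNAME: $ValueName=0, MFA fails CLOSED (compliant)." }
    'Unknown'      { Write-Warning "$env:COMPUTERNAME: $ValueName not set; verify the agent default." }
    'FailOpen' {
        Write-Warning "$env:COMPUTERNAME: $ValueName=$($result.Value), MFA fails OPEN when the MFA service is unreachable."
        if ($Remediate -and $PSCmdlet.ShouldProcess("$KeyPath\$ValueName", 'Set to 0 (fail closed)')) {
            Set-ItemProperty -Path $KeyPath -Name $ValueName -Value 0 -Type DWord
            Write-Output 'Set to fail-closed; lock and unlock a session to confirm the provider reloads the setting.'
        }
    }
}
```

Run it without `-Remediate` across a fleet first to inventory fail-open hosts, then apply `-Remediate -WhatIf` to preview the change before enforcing it.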
On top of all of this, it is best to stay informed. Subscribe to reputable advisories and newsletters on this topic to receive timely alerts and be able to take any necessary actions efficiently. Organizations such as CISA, the Canadian Centre for Cyber Security (CCCS), the SANS Institute, local government cybersecurity resources, and reputable research and advisory firms will provide you with timely updates and actions to take to protect your organization.
Carlos Rivera is a Principal Research Advisor in Security, Privacy, Risk, and Compliance. Carlos has 25 years of experience in IT and cybersecurity, primarily within the fintech industry. Prior to joining Info-Tech Research Group, Carlos spent 21 years as an information security officer for multi-billion-dollar business units dedicated to money movement in the P2P, B2C, and B2B space. Most recently, throughout his 21-year career with this Fortune 500 fintech, Carlos led global teams of security and network engineers, enterprise architects, risk managers and analysts that provided cybersecurity services to many global financial industry clients, and was responsible for information security governance, cyber risk management, vulnerability management, application security methodology and adoption focusing on shift-left fundamentals such as Static Analysis Security Testing (SAST), Dynamic Analysis Security Testing (DAST), Open Source Security Testing (OSST), and Manual Application Security Testing (MAST).
His expertise covers all aspects of security architecture, cryptography, application security, cyber risk management as well as communication and transmission cybersecurity: SMTP, DNS, and file transmission mechanisms. In addition, Carlos has conducted presentations delivered in various symposiums, such as the Nevada IT Symposium focused on fintech cybersecurity.
Carlos holds numerous security certifications including Certified Information Systems Security Professional (CISSP), Certified CheckPoint Systems Administrator (CCSA), Payment Card Industry Professional (PCIP), Payment Card Industry Internal Security Assessor (PCI ISA), and Microsoft Certified Systems Engineer + Internet (MCSE+I).