Cybersecurity News Flash: Concerns with geopolitical turmoil and warfare in Russia and Ukraine

Mar 02, 2022

The Russian government and its agencies are frequently tied to professional criminal hacking groups such as the now defunct or rebranded REvil ransomware-as-a-service gang. With the ongoing Russian military campaign in Ukraine, there have already been numerous attacks associated with Russian forces, ranging from scare tactics to new malware and Distributed Denial of Service (DDoS) attacks. These cyberwarfare actions should have everyone on high alert.

What does this mean to businesses here in America and elsewhere not in Russia or Ukraine?

With the number of governments responding in opposition to the ongoing events, there is an increased risk of cyberattacks launched in response to international sanctions. Beyond direct threats to critical infrastructure in Ukraine, there is a notably increased threat of collateral damage. The NotPetya outbreak of 2017 is an example of an attack spreading far beyond its primary and even secondary targets. So most companies should be on alert, but calm and aware.

What about Retaliation?

While some retaliatory action is expected, Russia and those acting on its behalf are likely to avoid crossing certain lines at this stage. There is a “five-point test” you can use when assessing your current risk, a series of five questions to ask yourself:

  • Are we publicly supporting actions that harm Russia or its objectives? (If Yes, add one point.)
  • Is an attack on us unlikely to be viewed as an act of war by our government? (If Yes, add one point.)
  • Would an attack on us risk exposing their tools, allowing the tools to be quickly identified and preventing their reuse? (If No, add one point.)
  • Would an attack on us negatively impact Russia’s future intelligence efforts? (If No, add one point.)
  • Are we an overvalued target at this stage of escalation, a business Russia would rather impact later? (If No, add one point.)

If you tally up 4–5 points, then you may actually be at risk, especially if you are in Financial Services, Education, Retail, State and local government, or a smaller federal agency. If you are in any critical infrastructure like Energy, Healthcare, Public Utilities, or the Defense Supply Chain, you are not likely to be targeted at this point – as doing so may be viewed as an act of war and would warrant a major response under Article 5 of the NATO treaty – the “You attack one, you attack us all” clause.

What are we seeing?

Not surprisingly, there is increased activity from known threat groups such as Fancy Bear and Cozy Bear (APT28 and APT29, tied to Russia’s GRU and SVR respectively), along with Sandworm (also GRU), UNC1151, and Gamaredon (attributed to the FSB). So far these groups appear to be focused almost exclusively on Ukrainian entities.

Pro-Russian hacktivist activity has also increased, with the group “Free Civilian” publishing a trove of data on Ukrainian citizens; however, given the volume and how quickly it became available, much of it is likely recycled from prior incidents.

Within Ukraine, new data-wiping malware known as WhisperGate and HermeticWiper has been observed. HermeticWiper is notable for how it reaches the disk: it drops a legitimate, digitally signed third-party partition-management driver (the EaseUS Partition Master driver), loads it to get raw access to the physical drives, and then overwrites boot records and file-system structures. Because the driver carries a valid signature, Windows driver signature enforcement loads it without complaint; a signature proves who signed a binary, not that the binary belongs on your systems. The wiper executable itself was also signed, using a code-signing certificate issued to a small company (Hermetica Digital Ltd, hence the name) with no apparent connection to the malware. Variants have appeared quickly, so traditional signature-based antivirus may be slow to detect them.
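As an added illustration (not code from the original post or from any vendor), the following Python checks driver-load telemetry against a per-host baseline of expected signers. That is the check that matters here: a valid signature satisfies Windows driver signature enforcement, so “signed” alone cannot be the trust decision. The record layout is modelled on the fields Sysmon logs for Event ID 6 (DriverLoad); the event lines, file names, the allowlist and the signer “Example Partition Tools Ltd” are constructed placeholders, not real telemetry.

```python
"""Flag kernel-driver loads that pass signature enforcement but still deserve
review. Added example, not code from the original post or any vendor.

The input format is modelled on the fields Sysmon records for Event ID 6
(DriverLoad): ImageLoaded, Signed, Signature (signer subject name) and
SignatureStatus. The event lines below are constructed for illustration and
every signer name other than Microsoft's is a placeholder.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Signers this host is expected to load kernel drivers from.
# Assumption: derive this from your own fleet's baseline; it is not a
# recommended list.
EXPECTED_SIGNERS = {
    "Microsoft Windows",
    "Microsoft Windows Hardware Compatibility Publisher",
}

DRIVERS_DIR = "c:\\windows\\system32\\drivers\\"


@dataclass
class DriverLoad:
    image: str
    signed: bool
    signer: str
    status: str  # SignatureStatus as Sysmon reports it: Valid, Expired, Revoked, ...


def parse_event(line: str) -> DriverLoad:
    """Parse one 'Key: value|Key: value' line into a DriverLoad record."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition(": ")
        fields[key.strip()] = value.strip()
    return DriverLoad(
        image=fields["ImageLoaded"],
        signed=fields["Signed"].lower() == "true",
        signer=fields["Signature"],
        status=fields["SignatureStatus"],
    )


def classify(ev: DriverLoad) -> Optional[str]:
    """Return why a driver load needs review, or None if it matches the baseline.

    "Signed" with a valid status is all that Windows driver signature
    enforcement requires, and a wiper's borrowed driver satisfies it. The
    baseline check is what catches a legitimate-but-unexpected driver.
    """
    if not ev.signed:
        return "unsigned driver"
    if ev.status.lower() != "valid":
        return f"signature status is {ev.status}"
    if ev.signer not in EXPECTED_SIGNERS:
        return f"valid signature from unexpected signer '{ev.signer}'"
    if not ev.image.lower().startswith(DRIVERS_DIR):
        return "driver loaded from outside the drivers directory"
    return None


def review(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (image path, reason) for every event that needs a look."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        reason = classify(ev)
        if reason:
            findings.append((ev.image, reason))
    return findings


# Constructed sample events (not real telemetry). "Example Partition Tools Ltd"
# stands in for a real third-party vendor whose signed driver a wiper drops:
# the signature is valid, the driver simply does not belong on this host.
SAMPLE_EVENTS = [
    "ImageLoaded: C:\\Windows\\System32\\drivers\\tcpip.sys|Signed: true"
    "|Signature: Microsoft Windows|SignatureStatus: Valid",
    "ImageLoaded: C:\\Windows\\System32\\drivers\\pmdrv.sys|Signed: true"
    "|Signature: Example Partition Tools Ltd|SignatureStatus: Valid",
    "ImageLoaded: C:\\Users\\Public\\helper.sys|Signed: true"
    "|Signature: Microsoft Windows|SignatureStatus: Valid",
    "ImageLoaded: C:\\Windows\\System32\\drivers\\old.sys|Signed: true"
    "|Signature: Microsoft Windows|SignatureStatus: Revoked",
]

if __name__ == "__main__":
    for image, reason in review(SAMPLE_EVENTS):
        print(f"REVIEW {image}: {reason}")
```

The allowlist is the point of the exercise: build it from what your own hosts actually load, then treat any valid signature outside it as something to investigate rather than something to trust.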

Also within Ukraine and Russia, there has been an uptick in newly registered domains and URLs used in phishing and malware distribution campaigns. Freshly registered domains are unlikely to be on reputation blocklists yet, which improves the odds that the lures and payloads get through. Most of these domains use the .ru, .online, and .xyz suffixes.

No unusual spike in this activity has been noticed outside of the involved nations.

What about collateral damage?

This is probably the biggest concern for people and businesses outside Ukraine and Russia. As we saw with Petya and NotPetya, the self-propagating nature of many attacks can carry them to the U.S. and other nations. NotPetya reached organizations worldwide by spreading across interconnected corporate networks, so if you use business-to-business VPN tunnels, review the firewall rules that govern them. A simple rule of thumb: “if it doesn’t need to pass the firewall and travel through the tunnel, don’t let it.”
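As an added example (not from the original post), here is a small Python audit of an iptables-save dump for a site-to-site tunnel. It flags FORWARD rules that accept partner traffic without port or destination limits, rules that expose the SMB, NetBIOS, RPC, RDP and WinRM ports that worm-style malware such as NotPetya used to move between Windows hosts, and the absence of a default deny. The interface name tun0, the addresses and both rulesets are constructed for illustration.

```python
"""Audit an iptables-save dump for a business-to-business VPN tunnel that lets
more through than it should. Added example, not from the original post.

Assumptions: the tunnel is its own interface (tun0 here), partner traffic
enters via the FORWARD chain, and the two rulesets below are constructed for
illustration. The port list covers SMB/NetBIOS/RPC/RDP/WinRM, the services
worm-style malware such as NotPetya used to spread between Windows hosts.
"""
import shlex
from typing import List, Tuple

LATERAL_MOVEMENT_PORTS = {135, 137, 138, 139, 445, 3389, 5985, 5986}


def _ports(spec: str) -> set:
    """Expand '445', '135:139' or '135,139,445' into a set of ints."""
    out = set()
    for item in spec.split(","):
        lo, _, hi = item.partition(":")
        hi = hi or lo
        out.update(range(int(lo), int(hi) + 1))
    return out


def parse_rule(line: str) -> dict:
    """Pull the handful of iptables options the audit cares about."""
    toks = shlex.split(line)
    rule = {"chain": None, "in": None, "proto": None, "dst": None,
            "dports": set(), "target": None}
    i = 0
    while i < len(toks):
        t = toks[i]
        nxt = toks[i + 1] if i + 1 < len(toks) else None
        if t == "-A":
            rule["chain"] = nxt
        elif t == "-i":
            rule["in"] = nxt
        elif t == "-p":
            rule["proto"] = nxt
        elif t == "-d":
            rule["dst"] = nxt
        elif t in ("--dport", "--dports"):
            rule["dports"] = _ports(nxt)
        elif t == "-j":
            rule["target"] = nxt
        else:
            i += 1  # option we do not model (-o, -m, ...): skip one token
            continue
        i += 2
    return rule


def audit(dump: str, tunnel_iface: str = "tun0") -> List[Tuple[str, str]]:
    """Return (rule line, reason) for each tunnel rule that is too permissive."""
    findings = []
    policy_drop = False     # chain default policy is DROP
    catch_all_drop = False  # explicit final DROP for the tunnel interface
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith(":FORWARD DROP"):
            policy_drop = True
        if not line.startswith("-A FORWARD"):
            continue
        r = parse_rule(line)
        if r["in"] != tunnel_iface:
            continue
        if r["target"] == "DROP" and not r["proto"] and not r["dports"]:
            catch_all_drop = True
        if r["target"] != "ACCEPT":
            continue
        reasons = []
        if r["proto"] is None or (r["proto"] in ("tcp", "udp") and not r["dports"]):
            reasons.append("accepts tunnel traffic with no port restriction")
        elif r["dports"] & LATERAL_MOVEMENT_PORTS:
            bad = sorted(r["dports"] & LATERAL_MOVEMENT_PORTS)
            reasons.append(f"exposes lateral-movement ports {bad}")
        if r["dst"] is None:
            reasons.append("no destination host/subnet restriction")
        findings.extend((line, reason) for reason in reasons)
    if not (policy_drop or catch_all_drop):
        findings.append(("(chain FORWARD)", f"no default deny for traffic from {tunnel_iface}"))
    return findings


# Constructed rulesets. The weak one is the "partner can reach anything" shape
# that lets a worm walk in over the tunnel; the tight one names each needed
# destination and port and denies everything else.
WEAK_RULES = """\
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i tun0 -o eth1 -j ACCEPT
-A FORWARD -i tun0 -d 10.20.0.7/32 -p tcp -m multiport --dports 135,139,445 -j ACCEPT
COMMIT
"""

TIGHT_RULES = """\
*filter
:FORWARD DROP [0:0]
-A FORWARD -i tun0 -d 10.20.0.5/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -i tun0 -d 10.20.0.9/32 -p tcp -m tcp --dport 1433 -j ACCEPT
-A FORWARD -i tun0 -j DROP
COMMIT
"""

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("tight", TIGHT_RULES)):
        print(f"== {name} ruleset ==")
        for rule, reason in audit(rules):
            print(f"  {reason}: {rule}")
```

Run it against `iptables-save` output from the gateway that terminates the tunnel, passing the real tunnel interface name; every finding is a rule to justify or tighten.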

Beyond firewall configuration, if you are worried about collateral impact, stay calm and focus on the basics of how these attacks get in: phishing for initial access, use of compromised passwords, and poorly patched systems.

What about Critical Infrastructure?

As mentioned previously, outside Ukraine there is not much need for concern at this time, but that could change quickly. If you haven’t already taken steps to secure Operational Technology, the systems that control or directly affect something in the physical world (think Colonial Pipeline or the Oldsmar, Florida water treatment plant), it is time to address it immediately.

In Ukraine, cyberattacks over the last seven years have shown that Russia and the cybercrime elements working on its behalf can manipulate these systems. Russia has proven capable of disrupting power and gas systems (the 2015 and 2016 attacks on the Ukrainian grid, for example), and possibly of tampering with industrial safety systems. The goal of these attacks so far has been to shake confidence in the government, impair the ability to respond, and prevent essential services from reaching key areas.

If the situation continues to escalate, critical infrastructure is likely to become a target of these advanced and coordinated cyberattacks, with real consequences in the physical world. There is still time to test and shore up your defensive security systems, test your backup and response plans, and make improvements where needed, if not for a direct threat then for a future or collateral impact.
