The situation in Ukraine continues to fluctuate, and US intelligence sources are advising that Russia is preparing for an imminent invasion.
By Lior Div, CEO and founder of Cybereason
Cyberattacks have already been observed in the conflict, and I expect diversions, distractions, and false flags as tensions escalate. There is also the potential risk of other threat actors being opportunistic under the cover of Russian aggression.
Cyberattacks are certain to play a central role in combination with any traditional military action on the ground. So if never-before-seen exploits start causing issues for organisations, it could be an indication that Russia is digging into its stockpile of zero-day delivery mechanisms, payloads, and compromised assets.
Cyber is critical here. Russia needs to default to asymmetric options because they are clearly struggling with other means of achieving their nationalistic aims. This is brinkmanship at a level that is unprecedented, and the cyber factor means that just a few keystrokes could significantly raise the stakes.
The risk from cyberattacks in the Russia-Ukraine conflict
The threat is fluid, and will depend on the situation on the ground. In the earliest stages of the conflict, Ukraine obviously has the most to worry about, as well as those doing business in and with Ukraine given possible collateral damage from stray cyber munitions.
There is also risk for any allied nations in the G7, NATO, and other largely non-involved countries. As the conflict evolves, any nations impacted by cyberattacks could construe the activity as an act of war, and then things could get much more serious.
While cyberwarfare operations are expected to be leveraged in order to distract, disrupt, and destroy systems critical to Ukraine’s defence capabilities locally, there is a high probability that Russian operatives might also target a wide range of organisations beyond the region, including:
* Financial services organisations;
* Energy producers and utilities;
* Telecommunication and internet infrastructure organisations;
* Public-facing entities that may be symbolic or host ‘messaging material’ (like marketing, newspapers, etc); and
* Government agencies and related organisations.
Cyberattacks could take many forms, some where the threat actors are clearly connected to Russia, and some more covert actions where obfuscation is employed to make direct attribution difficult if not impossible.
For example, over the last few months there has been a new wave of cyberattacks targeting Ukrainian entities, involving attacks on the Ukrainian Defence Ministry website and regional banks, website defacements, DDoS attacks, and a sophisticated multi-stage attack that delivered a highly destructive wiper dubbed WhisperGate, disguised as ransomware, that paralysed numerous Ukrainian organisations.
Ransomware is typically a tool of cybercriminals. Designing an attack that mimics a cybercrime operation obfuscates the underlying motive and works to the advantage of the attacker, especially in a situation where geopolitical conflicts on this level are concerned.
What to expect in the Russia-Ukraine conflict
If Russia does follow through with threats to invade Ukraine, we most likely will see an influx of cyberattacks focused primarily in and around the region, with the potential for additional cyberattacks spreading to the European Union, NATO member nations, and the US specifically.
If an invasion does not occur, we can still expect that cyberattacks against Ukraine and allied nations will likely persist. There is also the additional risk that other state-sponsored threat actors like China and North Korea could take advantage of the situation to conduct cyberattacks to further their own geopolitical objectives.
The side that can maintain logistics, command structure and data flows faster and with less disruption has a huge advantage over its opponent. It is equivalent to having extra divisions and fleets of traditional units. If an adversary can disrupt physical command systems or get inside an opponent’s decision loop through information warfare tactics, then its advantage improves significantly.
How to prepare for the Russia-Ukraine conflict
As the US and European allies continue to seek a diplomatic resolution to the situation, organisations that are at risk of getting caught up in a wider conflict need to be prepared.
The Cybereason team is providing specific guidance to our partner organisations on how to address the heightened risk.
Cybereason customers are already protected against the most common, publicly known TTPs employed by Russian state-sponsored APT actors, and Cybereason recommends that all organisations follow the guidance issued by CISA, the FBI, and the NSA. Organisations should maintain a heightened state of awareness and conduct proactive threat hunting, especially those organisations related to critical infrastructure.
Nonetheless, there’s a larger issue at play that exposes a deep contradiction in our approach to security. To be truly resilient means eliminating single points of failure and ensuring you have options, but organisations often sacrifice security for cost or efficiency. The challenge is to find the balance between resilience and efficiency.
The question for everyone to ponder as we make our way through these uncertain times is whether we are really ready for this new iteration of conflict. If the answer is no, then we will collectively have a lot of adapting to do and new doctrines to generate. If the answer is yes, then we have even more work to do, because we have been lulled into a false sense of security.