Russia-Ukraine War: Cybersecurity Lessons for Tech Pros
On Feb. 24, 2022, Russia invaded Ukraine, shattering decades of stability in Europe. After 12 months of fighting, the war has killed hundreds of thousands of civilians and soldiers, sent millions more into exile and threatened to upend the geopolitical order established at the end of the Cold War.
As the war enters its second year, the two countries continue to fight in the physical realm as well as the cyber one. Russia maintains some of the most advanced offensive cyber capabilities in the world, and a senior official in Ukraine’s main cybersecurity agency recently told the British government that the country has seen a three-fold increase in attacks over the last 12 months. Many of these hacking attempts coincide with physical missile strikes against targets.
The Ukrainian cyber agency report also finds that Russian operations have targeted critical infrastructure, including the country’s energy sector, and many of these attacks are coordinated with misinformation and disinformation campaigns designed to create confusion and doubt both among civilians and the government.
At the same time, Ukraine has proven more cyber-resilient than many originally believed. A recent public report published by Estonian intelligence agencies noted that, while Russia has deployed various strains of destructive malicious code against Ukraine (including wiper malware that renders networks and computers inoperable by destroying all data), the Russian government “underestimated the resilience of Ukraine’s cyberspace and the help it receives from Western countries and cybersecurity companies.”
That assessment was echoed by security firm Intel 471, which recently shared some of its Threat Research Team’s assessments of the cyber aspects of the Russia-Ukraine war with Dice.
“What this year has demonstrated is that although Russia remained a very capable and persistent adversary, Ukraine’s cyber defensive and counter-offensive capabilities have improved dramatically, rendering many attack attempts ineffective,” according to the Intel 471 assessment. “A big differentiator in Ukraine’s increased resilience in 2022 was due to the significant assistance of Western governments and the private sector, who shared intelligence, knowledge and tools, which allowed Ukraine to more effectively counter Russian cyber capabilities.”
While Russia might not have dealt a decisive blow to Ukraine using cyber, several recent reports suggest that Russia, its military and threat groups associated with the country’s government are preparing to step up campaigns in 2023, which will directly affect Ukraine and could cause problems worldwide that tech pros need to prepare for now.
“There has been fallout outside the theater of operations resulting from unintended spread, or deliberate efforts to engage with Ukraine’s allies abroad. The takeaway being that warfare doesn’t always stay in-theater, especially when the whole world is reachable from the internet,” Mike Parkin, senior technical engineer at security firm Vulcan Cyber, told Dice. “‘We’ are not immune, and we need to be prepared to deal with attacks that are deliberate or just collateral to the main conflict.”
Keeping One Eye Open
With Russia appearing ready to deploy more of its cyber capabilities as the war drags on into its second year, experts warn tech and cyber pros to remain vigilant. As part of its “Shields Up” alert, the U.S. Cybersecurity and Infrastructure Security Agency continues to remind private enterprises to maintain a heightened security posture.
Experts noted that a major concern is a direct attack by Russia or one of its proxy groups against NATO countries; Poland seems to have already been targeted. There are additional worries that computer networks or physical infrastructure not directly connected to Ukraine or the conflict could sustain a kinetic attack. Russia and affiliated groups have stepped up deploying wiper malware, and analysts have found at least seven or more wipe variants that have been used already. IT and security teams need to remain vigilant to avoid becoming collateral damage.
“We are seeing wiper malware used as the objectives are not commercial, they are indeed destruction and disruption. It’s no surprise that this approach is one of the primary tactics being used,” Mike Heredia, vice president for EMEA and APAC at XM Cyber, a Tel Aviv-based security firm, told Dice. “Critical infrastructure organizations across NATO countries need to ensure that the right conditions don’t exist within their own infrastructure for malware to be successfully executed against critical national systems.”
Under these circumstances, Heredia noted that annual or semi-annual penetration testing and other security precautions will not prepare an organization for a possible breach or attack.
“Compliance standards and national security frameworks need to evolve fast—organizations need to be mandated to have a continuous attack simulation that shows how the internal attack surface can be traversed by attackers given the latest attack techniques that can be used,” Heredia added. “Defenders of dynamic, large and complex critical infrastructure need to have constant visibility of exactly how an attacker can create the exploitable attack paths that will ultimately lead towards and then a compromise of critical systems.”
Since at least 2015, Russia has targeted Ukraine with various cyber threats, including wiper malware, DDoS and other attacks that have targeted critical infrastructure, noted Phil Neray, vice president of cyber defense strategy at CardinalOps. Since then, Ukraine has been able to bolster its cyber defenses, offering valuable lessons for other governments and private enterprises.
“Ukraine has significantly boosted its continuous security monitoring capabilities in the past few years, with the technical assistance of western allies, so they can quickly detect these attacks and respond to them before they can have a major impact,” Neray told Dice. “They also moved their critical data from on-premises servers to the cloud, where it could be better protected. Gaining more high-fidelity detections at all security layers—endpoint, network, email, identity and access management, cloud, etc.—and moving to the cloud are the key lessons we can take from the past year.”
The surprising cyber resiliency of Ukraine also holds lessons for IT and security pros who are thinking about their security. This includes getting “left of boom” when it comes to nation-state cyberattacks, said John Messinger, principal security architect at RSA.
“In cybersecurity, an ounce of prevention really is worth a pound of cure, and any steps that organizations can take to get ‘left of boom’ and maintain a stronger security posture will make them a harder target. As we have learned throughout the years, threat actors will always go after the softest targets first,” Messinger, who served in Army Intelligence and also worked for the U.S. National Security Agency, told Dice.
There are also lessons concerning how to best manage risk. “The second lesson is that, for organizations, cyber risk is like any other risk: If it’s not an immediate problem, then your leaders probably aren’t thinking about it,” Messinger added. “We have to change that—organizations need to keep these risks top of mind and proactively invest in solving them even if a risk has not been realized.”
Misinformation and Disinformation
Besides malware, DDoS and other malicious techniques, security experts note that Russia has also ramped out disinformation and misinformation campaigns as part of its war effort. While these techniques are used to sow doubt or confusion, advanced persistent threat groups also use these techniques to target various organizations.
In an assessment developed by Proofpoint’s Threat Research Team, analysts found the Russian-linked group TA421 (a.k.a. Cozy Bear) and other groups are involved in impersonations or hijackings of “known” or “safe” entities and files to add credibility to their campaigns.
“The lesson here is that everyday users need to be aware of their colleagues’ true contact information and be wary of links sent that require verification or a program to be installed,” according to the Proofpoint assessment shared with Dice. “Two-factor authentication is very prevalent as a safeguard from targeted credential harvesting and using a service such as Proofpoint to protect against malicious links delivered via email can be crucial against some clusters of Russia-aligned activity, most notably TA421.”
Russia’s disinformation and information campaigns remain a point of concern even if the country has not dominated cyber in Ukraine as many originally believed, Messinger added: “They [Russia] are very good at information warfare, so I suspect we’ll be hearing about Russia’s dominance in cyber and how it will be used in conjunction with kinetic strikes. However, I am skeptical we will see anything as impressive as our assessment of their capabilities from before the war.”
Whether malware, disinformation or another form of attack, experts note that the cyber part of this war will likely only accelerate, with consequences for nearly all tech and cybersecurity pros charged with securing networks and infrastructure.
“Russia’s cyberwarfare engagement with Ukraine is what we would expect to see on a modern battlefield. Controlling the battlespace is paramount, and that includes cyberspace. We were bound to see attacks on their communications, networking, and computing infrastructure along with the more conventional strikes on the power grid and transportation networks,” Parkin of Vulcan Cyber added. “Ukraine has been surprisingly resilient against the attacks, showing skill and dedication from the defenders that the Russian attackers certainly didn’t expect. Russia has some extraordinarily skilled threat actors at their disposal, which makes Ukraine’s defense even more impressive.”