Will Russian Oil Ban Spur Increased Cyber-Attacks?
On March 8, President Biden signed an Executive Order to ban the sale of Russian oil, liquefied natural gas and coal to the United States. With bipartisan support, the decision was made to deprive the Putin regime of the economic resources needed to wage war in Ukraine. However, marking as it does an escalation in punitive actions directed at the Russian state, it may also put US companies more directly in the firing line of cyber-attacks from the east. Director of National Intelligence Avril Haines said on Tuesday that analysts indeed expect Vladimir Putin to double down in response to the sanctions.
The good news is that best practice cybersecurity advice does not need to change. If the security and intelligence communities come together to share what information we have on offensive Russian cyber activity, and customers have the right detection and response tools in place, organizations can maintain a strong defensive posture.
Waiting for the tipping point
To date, the scale of Russian state-sponsored and proxy cyber-attacks has not been as expected. Yes, we’ve seen continuous DDoS attacks, a campaign of web defacements and various iterations of wiper malware. But these efforts have been mainly targeted at Ukrainian organizations. It is possible that Russia has yet to fully engage its offensive capability, or that Ukrainian counterattacks and disruptions have hit home. Reports suggest tens of thousands of cybersecurity professionals there have enlisted as volunteers to help the country’s efforts. Hacking collective Anonymous has also claimed responsibility for multiple hacktivist attacks in Russia.
As kinetic attacks in the region escalate, it’s likely that cyber-operations will do the same, although these should be confined to Ukraine. However, following the Presidential EO this week, we could well see Russian APT groups or their proxies directly target US entities. The oil and gas, banking and defense sectors are most likely to top the list of targets.
What we can expect
If this kind of escalation were to take place, it may begin through deployment of known destructive malware like IsaacWiper, HermeticWiper and WhisperKill onto already compromised targets or systems known to be vulnerable. Follow-on phases would see the use of DDoS or other volumetric, availability-based attacks against systems that couldn’t be compromised in the first round of attacks. Zero-day vulnerabilities held in reserve could be exploited during this phase.
Alongside the threat from Russian state hackers, Putin may call upon the “patriotic” reserves of the numerous cybercrime groups operating from within the country. Already the Conti and LockBit ransomware collectives have stated their support. However, Conti was forced to hedge its language after a Ukrainian researcher doxxed the group with a devastating leak of source code and other internal information. Although they may not have a choice if called upon to support the Kremlin, this incident will certainly give many Russian ransomware actors a reason to think twice about joining the war effort.
Fighting back
If the worst-case scenario does unfold and US organizations are attacked en masse, normal rules of best practice cybersecurity apply. First comes continuous risk-based patching, multi-factor authentication, network monitoring, least privilege access, data encryption, phishing awareness training, and other cyber-hygiene steps. But on top of that, organizations must have the detection and response tooling, ideally XDR, to correlate, prioritize and act on high fidelity alerts with speed and precision.
The security community, including government agencies, should be quick to share any intelligence that could be useful for defenders in this scenario in order to improve their threat detection efforts. Security operations leaders may also want to expand telemetry from sources not traditionally aligned with cyber. It’s also important that employees and customers recognize that heightened levels of defensive activity may also lead to some false alarms. Transparency about these possible outcomes will increase acceptance and ensure we’re all pulling in the same direction.