A Year In, Russia-Ukraine War Prompts New Battlefield for Cybersecurity
Cybercrime activities are now mirroring what's happening on the physical battleground.
Europol said the ransomware attack was “criminally minded”; others have suggested that it may have originated in Russia. The largest number of attacks occurred in Russia and Ukraine. As security expert Ian Trump told Penton Technology's T.C. Doyle: “Let’s be clear, the Russians have an absolute history of using their own people with a cavalier consideration to their own health and welfare. So testing your own national infrastructure in this kind of heinous attack, to me, totally goes to the Russian mentality. They want to be ready for when the NSA launches something on them.”
Mike Parkin is senior technical engineer at Vulcan Cyber. He said Russia’s cyberwarfare engagement with Ukraine is “what we would expect to see on a modern battlefield.”
“Controlling the battlespace is paramount, and that includes cyberspace,” he said. “We were bound to see attacks on their communications, networking and computing infrastructure, along with the more conventional strikes on the power grid and transportation networks.”
Ukraine has been surprisingly resilient against the attacks, showing a skill and dedication from the defenders that the Russian attackers certainly didn’t expect, Parkin said.
“Russia has some extraordinarily skilled threat actors at their disposal, which makes Ukraine’s defense even more impressive,” he said. “Honestly, given Russian operatives’ reputation for cyberwarfare and their suspected support of multiple advanced cybercriminal groups, I was pleasantly surprised that Ukraine’s defense has been as successful as it has.”
While they may be more subtle about it so the public hears less, there is no doubt Russia will continue to engage Ukraine in cyberwarfare, Parkin said.
“They may alter the tools and tactics they use to try and get past Ukraine’s defenses, but they won’t stop,” he said. “There has been fallout outside the theater of operations resulting from unintended spread, or deliberate efforts to engage with Ukraine’s allies abroad, the takeaway being that warfare doesn’t always stay in-theater, especially when the whole world is reachable from the internet. We are not immune, and we need to be prepared to deal with attacks that are deliberate or just collateral to the main conflict.”
Zac Warren is EMEA chief security advisor at Tanium. He said we need to understand that, moving forward, “we’re going to be seeing more cyber activity as preemptive activity to physical war.”
“There were plenty of cyberattacks coming from Russia to Ukraine and other countries, including NATO,” he said. “We’re now seeing cyberwarfare being used as a tool to weaken a target before moving in. This shift makes it critical that we look at critical infrastructure on a global scale, where many countries are when it comes to their cyber hygiene. There is a great deal of critical infrastructure that could be easily taken out or slowed down by a cyberattack. The conflict in Ukraine demonstrated that cyber is now the starting point for modern warfare and it’s high time we prepare for the realities of future conflict.”
The only positive thing Warren sees coming from this war so far is that people are taking cyber more seriously.
“Individuals and organizations are getting more experience in cyber and real defense because there’s a lot of talk about cybersecurity, but there aren’t a whole lot of people actually in the trenches fighting cyberwarfare,” he said. “You’ll run into them in the reserves and different cyber teams, for instance, in the United States military and Israelis in the IDF. After this is over, you’re going to see a lot of cyber talent coming out of Ukraine with real, live experience. This is why Israel is so far ahead of other countries, because they do it every day, all day long in the IDF.”
Phil Neray is vice president of cyber defense strategy at CardinalOps. He said adversary groups like Sandworm, a unit of Russian GRU military intelligence, have been using wiper malware in Ukraine since at least 2015.
“KillDisk malware was first used to target and sabotage industrial control systems/supervisory control and data acquisition (ICS/SCADA) networks in Ukraine in December 2015, and later used to attack Ukrainian banks in 2016,” he said. “In February 2022, an updated version was used in destructive attacks against Ukrainian networks just as Russia moved its troops into Ukraine. However, the reason recent attacks haven’t caused more widespread damage is that Ukraine has significantly boosted its continuous security monitoring capabilities in the past few years, with the technical assistance of Western allies, so they can quickly detect these attacks and respond to them before they can have a major impact. They also moved their critical data from on-premises servers to the cloud, where it could be better protected. Gaining more high-fidelity detections at all security layers – endpoint, network, email, identity and access management (IAM), cloud – and moving to the cloud are the key lessons we can take from the past year.”
Darren Guccione is CEO and co-founder of Keeper Security. He said in the digital age, it’s clear that cyber and traditional warfare tactics will continue to converge as threat actors use cyberattacks to both support and supplement physical attacks.
“Wiper and other forms of destructive malware can destroy and render critical computer systems inoperable, which makes them an obvious tool of choice for many threat actors, including nation-states,” he said. “When used for political purposes, wiper malware may be part of a larger effort to threaten operations, destabilize a government or disrupt critical infrastructure such as power grids, transportation networks and financial institutions. Furthermore, wiper malware can be used to destroy evidence of network infiltration for other purposes such as espionage.”
Cybersecurity is national security and must be prioritized as such, Guccione said.
“Protecting critical infrastructure and the services that people rely on from cyberattacks is as important as protecting it from physical attacks, because the consequences have the potential to be equally devastating,” he said. “The use of wiper malware in the context of cyber and traditional warfare underscores the need for continued cybersecurity investment and international cooperation to combat the threat of cyberattacks.”
Mike Heredia is XM Cyber’s vice president of EMEA and APAC. He said Russia has shown that with enough motivation, it can find a way to compromise critical infrastructure either directly or via third-party state-tolerated/sponsored organizations.
“The seeming ease of Russia’s cyber aggression shows that even organizations who are obvious targets struggle to understand what steps can be taken to close exploitable attack vectors,” he said. “Coordinated attacks aimed to disrupt national infrastructure cause panic and fear, weaken Ukraine’s ability to successfully defend and increase the chances of traditional war tactics being successful. The ease at which cyberattacks can be coordinated in this way indicates that Russia has an ongoing foothold within Ukraine critical infrastructure networks and can simply pick and choose when and what to disrupt.”
With all of this in mind, it’s important to think differently about cybersecurity, Heredia said.
“The traditional model of building long-siloed lists of exposures and technical weaknesses, prioritizing based on [vulnerability scoring] and then trying to plug these gaps is not scalable, nor is it efficient,” he said. “Annual or half-yearly penetration tests are not fit for purpose. Organizations need a continuous view of how critical infrastructure can be attacked and what are the most efficient steps that can be taken to eradicate this risk on a day-to-day and week-to-week basis. Compliance standards and national security frameworks need to evolve fast. Organizations need to be mandated to have a continuous attack simulation that shows how the internal attack surface can be traversed by attackers given the latest attack techniques that can be used. Defenders of dynamic, large and complex critical infrastructure need to have constant visibility of exactly how an attacker can create the exploitable attack paths that will ultimately lead towards and then compromise critical systems.”
The past year has demonstrated that while Russia remained a very capable and persistent adversary, Ukraine’s cyber-defensive and counter-offensive capabilities have improved dramatically, rendering many attack attempts ineffective. That’s according to the Intel 471 Threat Research Team.
“A big differentiator in Ukraine’s increased resilience in 2022 was due to the significant assistance of Western governments and the private sector, who shared intelligence, knowledge and tools, which allowed Ukraine to more effectively counter Russian cyber capabilities,” it said.
Just like on the actual front line, Russian cyber capabilities were possibly somewhat overestimated, while Ukraine’s resilience was significantly underestimated.
“This was indeed unexpected by many in the international community,” the team said. “Ukraine’s close cooperation with Western allies in the preceding years in many aspects matured the country’s all-around defensive capabilities, to include on the cyber front line. Creative steps undertaken by Ukraine’s government, which included moving many government systems to foreign data centers and resorting to volunteer groups’ aid rather than the government’s own resources in developing tools and capabilities, coupled with support and technology provided by foreign governments and the private sector, led to Ukraine establishing reactively successful cyber defenses.”
Friday marks one year since the start of the Russia-Ukraine war, a conflict fought on numerous fronts, including cybersecurity. The experts who spoke to Channel Futures said the war has moved decision makers to take cybersecurity even more seriously, as cyberattacks have increased tenfold since the conflict began.
Cybersixgill, a dark web threat intelligence company based in Israel, has published several reports on cybersecurity activity on the dark web and with heavy emphasis on Russian threat actors. The organization studied these actors right before the start of the war.
Christopher Strand is Cybersixgill’s chief risk and compliance officer.
“A number of subsequent reports that we’ve put out since the beginning of the conflict have enabled us to study and understand the changing tactics of those threat groups and cybercrime in general,” Strand said. “The effect on us has been positive for helping the rest of the cybersecurity community understand the changing tactics and the changing of that threat state since the conflict began.”
Threat actors are now trying to acquire graphics cards, processors, phones, drones and other hardware not only for cybercrime but for cyber espionage and war tactics. Cybercrime activities are now mirroring what’s happening on the physical battleground, Strand said. Cybercrime groups can shift gears away from their usual targets, such as financial institutions, in part because the Russian cybercrime network is so well established.
New Mandates
When it comes to large companies that operate in the channel, Strand said they should have a strong cybersecurity posture.
“Companies like Microsoft have written the book on what cybersecurity is,” he said. “However, many large organizations responded in a frenzied way to the amount of [U.S.] cybersecurity mandates that were coincidentally announced in the first year of the conflict.”
One such mandate came from the FDIC and other federal banking regulators. In 2022, they shortened the window in which a banking organization must notify them of a significant cybersecurity incident, from 72 hours down to 36 hours. And for good reason, experts say.
The global banking industry has been under assault since the start of the war. For instance, distributed-denial-of-service (DDoS) attacks on European banks by Russian hacktivists have increased significantly. DDoS is often the primary method these groups use in such campaigns, because it requires little skill, is cheap to mount and produces visible disruption.
Funding Cybercrime for War Efforts
Cybercriminals finance their operations in multiple ways, including through ransomware or through the sale of stolen information. However, the ways in which Russia-backed threat actors get money to support their cybercriminal activities have changed during the war.
“Rather than going just to cryptocurrency markets, they’re coordinating with money laundering organizations,” Strand said.
The goal is to convert proceeds into usable funds, he added. There is also a shift toward trading certain assets, or even commodities, in some situations.
See the slideshow above to learn more from experts about the role cybersecurity is playing in the Russia-Ukraine war.
Want to contact the author directly about this story? Have ideas for a follow-up article? Email Claudia Adrien or connect with her on LinkedIn.