Russian cyberattacks on Ukraine raise IT security concerns
The past week has seen a flood of reports about Russia's overt and covert efforts to set the stage and give itself a pretext to invade Ukraine again. The realpolitik of Russia's efforts, and the media attention they draw, centres on how likely Russia is to take this course.
These preparatory actions include a generalized cyber component. CISOs from defense, intelligence or critical infrastructure entities should monitor what is happening in Ukraine and heed advisories issued by the US Cybersecurity and Infrastructure Security Agency (CISA), Microsoft and others.
Cyberattacks against Ukraine
On January 14 around 02:00, the cyberattacks began. Within an hour, reports of the hacks began to appear in Russian media. About 70 Ukrainian government websites had their public-facing web presence defaced, with a static message posted in Russian, Ukrainian and Polish that told Ukrainians their personal information had been compromised and that they should “have fear and expect the worst”.
Later in the day, Oleksiy Danilov, secretary of the National Security and Defense Council of Ukraine, told Sky News he was confident Russia was behind the attacks: “We can clearly follow their signature. These actions are carried out by Russian specialists. I am 99.9% sure.”
Subsequently, Serhiy Demedyuk, deputy secretary of the Defense Council, was more specific, attributing the attacks to UNC1151, which he identified as “…a cyber-espionage group affiliated with the Special Services of the Republic of Belarus”. He explained how UNC1151 had in the past attacked targets in Lithuania, Latvia, Poland and Ukraine.
Demedyuk went on to say that the defacing activities were a smokescreen: “The defacing of the sites was just a cover for more destructive actions that were happening behind the scenes and the consequences of which we will feel in the near future.” He then described efforts to encrypt some government servers using malware with characteristics similar to that used by the APT29 group.
“The group specializes in cyber espionage, which is associated with the Russian special services (Foreign Intelligence Service of the Russian Federation) and which, for its attacks, resorts to the recruitment or infiltration work of its insiders in the right company”, said Demedyuk.
CISOs Heed State-Sponsored Attack Warnings
On January 15, Microsoft sounded the alarm for the industry in a blog post titled “Malware Attacks Targeting Ukrainian Government,” by Tom Burt, vice president of security and customer trust. He discussed “destructive malware in systems belonging to several Ukrainian government agencies and organizations that work closely with the Ukrainian government.”
Burt explained how the malware is disguised as ransomware, but “if activated by the attacker, it renders the infected computer system inoperable”. Targeted entities, according to Burt, include “…government agencies that provide essential executive branch or emergency response functions and an IT company that maintains websites for public and private sector clients, including government agencies whose websites were recently defaced”.
The Microsoft Threat Intelligence Center simultaneously published a technical blog post titled “Destructive Malware Targeting Ukrainian Organizations.” It noted that the malware was first detected on January 14 (allowing for the time zone difference between Ukraine and the United States) and contained the following call to action: “We strongly encourage all organizations to immediately conduct a thorough investigation and implement defenses using the information provided in this post.”
Microsoft’s advisory was preceded by a January 11 memo to industry from CISA, the FBI and the NSA, noting that Russia poses a cyber threat to US critical infrastructure and urging “the cybersecurity community – especially critical infrastructure network defenders – to adopt a heightened state of awareness, conduct proactive threat hunting, and implement the mitigations identified in” Joint Cybersecurity Advisory AA22-011A, “Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure.”
The joint alert contained three actions which, if taken, can “reduce the risk of compromise or serious business impairment”.
- Be ready: Confirm reporting processes and minimize staff gaps in IT/OT security coverage. Create, maintain and exercise a cyber incident response plan, resiliency plan and business continuity plan so that critical functions and operations can continue if technology systems are disrupted or need to be taken offline.
- Improve your organization’s cyber posture: Follow best practices for identity and access management, controls and protection architecture, as well as vulnerability and configuration management.
- Increase organizational vigilance: Keep up to date with reports of this threat.
A Russian cyberattack sets the table
The White House said the US intelligence community had detected Russian efforts to position operatives in eastern Ukraine to carry out sabotage operations. The White House warning was explicit: “Agents are trained in urban warfare and the use of explosives to commit acts of sabotage against Russia’s own forces.”
Coupled with the cyberattack allegedly launched from Belarus, this shows the world the Kremlin’s desire for plausible deniability as it puts its offensive puzzle pieces in place in support of a potential Russian invasion of Ukraine.
By calling this out, Ukraine and the United States pull back that fig leaf and lay Russian efforts bare both to the international community and, perhaps more importantly, to the Russian public. At a press briefing, National Security Adviser Jake Sullivan reiterated the United States’ position should Russia invade Ukraine: “The United States and our allies and partners are prepared for any eventuality, any eventuality. We are ready to continue to move forward on the diplomatic path in good faith, and we are ready to react if Russia acts.”
Copyright © 2022 IDG Communications, Inc.