Amid the escalation of the Ukraine crisis, industry experts suggest we could expect an increase in cyber threats. In this article, we spoke to industry experts about the type of threats to expect, the threat actors, and possible ways to contain such threats

The ongoing stand-off between Russia and Ukraine has rattled global political and business leaders, who fear that an invasion could inflict damage the world over. Earlier this year, multiple Ukrainian websites were hit by a cyber strike that left a warning to “be afraid and expect the worst”, as Russia had amassed troops near Ukraine’s borders.

Now, according to Reuters, “the European Central Bank is preparing banks for a possible Russian-sponsored cyber attack as tensions with Ukraine mount, as the region braces for the financial fallout of any conflict.” While the regulator had been focused on ordinary scams that boomed during the pandemic, the Ukraine crisis has diverted its attention to cyber attacks launched from Russia, with the ECB questioning banks about their defenses.

In addition, according to Thomson Reuters’ Regulatory Intelligence, the New York Department of Financial Services had issued an alert to financial institutions in late January, warning of retaliatory cyberattacks should Russia invade Ukraine and trigger U.S. sanctions.

Cyber Threats Expected

Morey Haber, the Chief Security Officer at BeyondTrust

While we are now coming to terms with the idea of a new conflict in a sensitive region of the world, tanks, troops, planes, bullets, and bombs are not the only weapons of war. Cyber attacks are more than just an annoyance. “When weaponized, cyber-attacks can cost lives as well, and maybe uncontrollable when unleashed in mass during an armed conflict. They can devastate a target and allies, but have the unfortunate consequence of affecting civilians as well, even if they are not within the theater of conflict,” explains Morey Haber, the Chief Security Officer at BeyondTrust.

“An escalation in attacks on critical infrastructure providers and government agencies and suppliers are likely to increase. Expect an increase in RansomOps, where the execution of the ransomware itself is just the initial piece of a much longer attack chain,” says Sam Curry, the Chief Security Officer at Cybereason. “RansomOps take a low and slow approach, infiltrating the network and spending time moving laterally and conducting reconnaissance to identify and exfiltrate valuable data. Threat actors might be in a network for days or even weeks.”

In addition, says Curry, supply chain attacks will be leveraged and adopted by more cybercriminal groups in the months ahead. “Companies that act as suppliers or providers need to be more vigilant and overall organizations need to be aware of the potential risk posed throughout the supply chain,” he adds.

According to Kiran Zachariah – VP -Digital Security at Sectrio, his company has seen a significant rise in the number of cyberattacks logged by their global honeypot network in the past few weeks. “Further, we have also seen a 77 percent rise in attacks on manufacturing and oil and gas. We have also seen an increase in the activity levels of certain state-backed hacker groups in Eastern Europe. The quality of phishing kits that we are intercepting now has improved remarkably in 2022 indicating a significant R&D push from the hackers. Even if these trends are not linked to the Ukraine crisis, there is still a significant deterioration in the global threat environment and that is a clear cause of concern,” adds Zachariah.

Kiran Zachariah – VP -Digital Security, Sectrio

John Hultquist, VP of Intelligence Analysis at Mandiant, is of the opinion that information operations are a regular feature of Russian and Belarusian cyber activity. “Such actors leverage a variety of tactics to achieve their aims, including but not limited to the use of social media campaigns involving coordinated and inauthentic activity, as well as the compromise of entities in hack-and-leak operations or for use in disseminating fabricated content to promote desired narratives,” adds Hultquist. “Disruptive and destructive cyberattacks take many forms, from distributed denial-of-service attacks to complex attacks on critical infrastructure. Like its peers, Russia leverages this capability in times of crisis.”

Regional Impact
Cybersecurity experts say the attacks could be a precursor to more serious cyber assaults on Ukraine and its allies. Russia is determined to prevent Ukraine from joining the NATO security alliance. Russia has amassed about 100,000 troops on Ukraine’s border, raising concerns Moscow may be preparing for an invasion of its neighbor. Russia annexed a portion of Ukraine in 2014.

“The crisis in Ukraine has already proven to be a catalyst for the additional aggressive cyber activity that will likely increase as the situation deteriorates. At Mandiant, we have been anticipating this activity, and we are concerned that, unlike the recent defacements and destructive attacks, future activity will not be restricted to Ukrainian targets or the public sector,” says Hultquist.

“Time will tell on how far the threats expand beyond Ukraine, but we can assume that Russian, Chinese, North Korean, and Iranian state-sponsored hackers are regularly testing the resiliency of their enemies and that includes the U.S., countries in the Middle East and the Asia Pacific,” adds Curry. “Overall, there is always a trade-off in hacking other nations — certainly some benefits, but some drawbacks as well, and a whole lot of risk.”

Zachariah adds, “In the Middle East, we have traditionally seen sectors such as oil and gas, manufacturing and utilities bear the brunt of cyberattacks from sophisticated hackers. Some of the attacks on these sectors were copycat attacks wherein hackers imitated the tactics and breach methods used by hackers in Eastern Europe.”

Sam Curry, CSO, Cybereason

He further says, whether you are an ally of Ukraine or not, you will still face cyber threats from a range of actors who have various objectives to achieve such as ransom, customer data, or simply revenge. “Even if a spillover of attacks is likely or otherwise, there are enough groups targeting the region. So we have enough reasons to be vigilant and stand guard. From the global trends we are analyzing, it is clear that hackers are continuing to use the widespread disruption caused by the pandemic to exploit weakness and gaps in the overall cybersecurity posture of businesses here as well,” Zachariah explains.

According to Curry, looking back to last year and the Colonial Pipeline attack in the United States, what had probably seemed logical to DarkSide became a nasty surprise. “Waking the lion is not a good idea. This is, however, the game of nations; and it now has a cyber component to go along with diplomacy, intelligence, military, and economic measures,” he explains.

Identifying the Attackers
According to Zachariah, the groups have already been exposed. “But what is interesting is the level of obfuscation that is at play which is again a part of their much-used playbook. At least one APT group, in this case, managed to use the infrastructure of another country to target a third country,” he says.

“Early indications suggest that both sides are ramping up their attack strategies for some form of cyber warfare during this conflict,” explains Haber. “The question becomes, based on modern commercial attacks, what do weaponized versions really look like and how much potential damage could they really do versus just holding a computer hostage with ransomware. From this author’s perspective, the damage could be just as bad as physical bombs, all initiated based on a piece of malicious software. Now that is one prediction I hope doesn’t come true.”

John Hultquist, VP of Intelligence Analysis at Mandiant

Meanwhile, Hultquist says that Russian cyber espionage actors such as UNC2452, Turla, and APT28, which are tied to the Russian intelligence services, have almost certainly already received tasking to provide intelligence around the crisis. “These actors already frequently target government, military, diplomatic, and related targets worldwide for intelligence that benefits Russia’s foreign policy decision making,” he says. Ultimately, cyber capabilities are a means for states to compete for political, economic, and military advantage without the violence and irreversible damage that is likely to escalate to open conflict. While information operations and cyberattacks such as the 2016 US election operations and the NotPetya incident can have serious political and economic consequences, Russia may favour them because they can reasonably expect that these operations will not lead to a major escalation in the conflict.”

Keeping Threats at Bay
To reduce risk and improve its resiliency against cyber threats, every organization should regularly test its infrastructure for weak points by conducting threat assessments and deploying appropriate incident response plans. “In addition, follow security hygiene best practices that include timely patch management, offsite data backups, and security awareness training,” adds Curry.

Companies should investigate and verify remote and on-site access modes, mechanisms and confirm that passwords are not shared (within or outside the organization) and that all passwords used are unique. In addition, they also need to ensure that all systems are patched and updated. “Furthermore, examine your infrastructure for inherent or acquired vulnerabilities. Conduct a deep vulnerability scan. Gather visibility into the footprint of your operations and supply chain and request all stakeholders to conduct self-assessment checks as per the NIST CSF to ensure that all systems are hardened and secure,” says Zachariah.

“Organisations should also deploy multi-layer prevention capabilities on all enterprise endpoints across their networks. Organisations should also implement extended detection and remediation solutions across their environments, for visibility, to end advanced attacks before they can gain a footing in their networks,” explains Curry.

“In addition, you need to ensure that all perimeter and non-perimeter-based defenses are working well. Stress-test your incident response plan and reexamine your roles and responsibilities matrix to ensure all roles and individuals are well aligned. Communicate the need for heightened security across the organization,” asserts Zachariah.

“We would recommend practical and scalable methods that can help protect organizations from not only destructive attacks, but potential incidents where a threat actor is attempting to perform reconnaissance, escalate privileges, laterally move, maintain access, and achieve their mission,” says Hultquist.

According to Haber, companies, and users should also ensure that only approved applications are allowed to execute in their environments and any program that does not meet minimum security requirements is explicitly denied. “All access outside of trusted network zones should be monitored, proxied, regulated, and controlled to prevent a presence by threat actors,” says Haber.

“Any business, government, or individual that has an interest in this potential conflict — and candidly it should be everyone — there are a few things we should all do to protect against these cyber weapons of war,” says Haber. “Assess all of your assets, cloud, and on-premise, and prioritize remediation of all critical findings that can be exploited without user intervention during a cyber attack. Once vulnerabilities have been prioritized, remediate (patch) them in a timely fashion. Remove all unnecessary privileged accounts and ensure that credentials, passwords, and secrets are not shared and are unique across all assets.”