On 24 February 2022, Russia invaded Ukraine, leading to a large-scale ongoing conflict across the country. Tensions had grown in the region since December 2021, when Russia started amassing its troops near the Ukrainian border. Roughly a month later, several governments and private sources reported on cyber attacks targeting the Ukrainian government and private entities. The Ukrainian government attributed these attacks to Russian nation-state actors. This isn’t the first time we’ve seen this combination of increased military aggression by Russia accompanied by cyber attacks.
The last major Russian activity against Ukraine resulted in the annexation of Crimea in 2014. The annexation was followed by cyber attacks on Ukraine: one of them an unprecedented attack in 2015 against Ukraine’s power grid, and the infamous NotPetya malware attack in 2017, which resulted in financial losses for the Ukrainian government and private sector organizations. NotPetya caused significant damage to companies outside Ukraine that were caught in the crossfire.
The Ukraine invasion
Prior to the current conflict, threat actors targeted 70 Ukrainian government websites. They managed to bring down 10 of them and changed the content of the other websites to include intimidating and threatening language. According to a report from the Ukrainian Computer Emergency Response Team (CERT), these threat actors gained access by compromising a third-party company responsible for managing the websites.
In January 2022, Microsoft observed a malware campaign inside the networks of Ukrainian organizations. The malware is disguised as ransomware but has no mechanism for recovering data and is often referred to as a wiper or wiperware. The malware overwrites the Master Boot Record, which makes it impossible to restore and use information from the affected computer. Microsoft has yet to officially attribute this activity to Russia. In February 2022, another wiperware attack (dubbed HermeticWiper due to the signing certificate used) preceded the military invasion. As with the January campaign, this malware left targeted systems unable to boot.
Reports on Russia’s use of cyber tools for political and military purposes are numerous. Russia has three intelligence agencies, each with their own advanced cyber capabilities ranging from information operations and digital surveillance to espionage. State-sponsored Russian cyber operators often stay under the radar for extended periods of time, carefully planning activities in areas that are hard to detect using traditional cyber security practices. For example, the discovery of the 2020 SolarWinds compromise, a supply chain attack, came almost a year after the malware started its active targeting. In 2021, months after the discovery of the compromise, Microsoft reported ongoing activity from the Russia-based nation-state threat group NOBELIUM.
Concerns about Russia expanding cyber operations
Russian cyber activity is currently focused on Ukraine, however, the ongoing conflict presents an increased cyber security risk and concern for many organizations worldwide. Significant international pressure, including financial sanctions, has been applied to Russia in response to the conflict and it is possible that Russia may begin to target organizations within any country that participated in these sanctions as retaliation.
Field Effect continues to monitor the situation and maintain contact with industry and national government partners to ensure the critical information needed to protect organizations is integrated into Covalence. Leveraging the advice from Covalence and practicing good security hygiene are the best ways to minimize the chances of becoming a victim of any malicious activity.
Our recommendations
Organizations can take the following proactive steps to reduce their risk and decrease the potential impact if Russia begins retaliatory targeting:
- Malicious documents delivered via email are a commonly seen infection vector and have been reportedly used in the recent Russian attacks. We recommend organizations advise employees to exercise additional caution when opening documents emailed from unknown sources or received unexpectedly. Organizations should have a mechanism in place, such as the Suspicious Email Analysis Service (SEAS) included with Covalence, for users to flag emails of concern for analysis.
- Ensure your cyber security solutions are deployed as broadly as possible and functioning correctly. Covalence clients can review the status of their monitoring through our portal. We recommend ensuring endpoint agents are installed where possible and monitoring of available cloud services is enabled.
- We recommend organizations review existing alerts and reports from their cyber security solutions and take appropriate steps to reduce risks that may exist. For Covalence clients, review any open AROs for mitigation steps that can be taken to reduce these risks. This will include updating vulnerable software and unpatched systems. Review systems and services accessible directly from the internet and reduce or remove access where there is no business need.
- We also recommend that organizations review their internal backup strategy to ensure backups are operating as expected and are appropriately protected. Backup systems are often also impacted during a cyber security incident when they are accessible via domain or shared local credentials.
If you have questions or concerns about the potential for increased cyber security risk within your organization, please contact our team.