It's been quite an interesting couple of weeks. What started off with rising tensions as Russia amassed troops at the Ukraine border evolved into a full invasion of the country. Our newsfeeds are filled with stories and images of ace fighter pilots, brave soldiers making their final stands, and farmers stealing Russian tanks by hooking them up to farm equipment – but another battle has been taking place behind the scenes for many years.
Since at least 2014, Russia-affiliated threat actors have developed a mature, evolved offensive cyberattack capability. This capability was first leveraged during the 2014 invasion and annexation of the Crimea region of Ukraine, during which an alleged Russian cybermilitary unit known as Sandworm began conducting cyberattacks against Ukrainian utility companies, ultimately taking down parts of the power grid a year later. Of course, we say "alleged" because there is no concrete evidence linking Sandworm to the Russian government, and they could just as easily be a highly skilled group of Russian loyalists who just happen to time their cyberattacks in association with Russia's military operations.
The Cyberattack Cycle
Cyberattacks often occur in cycles – reconnaissance, deployment, execution. Well-planned attacks will take months or even years of carefully navigating a target's network, learning how things work and what's vulnerable. Unfortunately, without a modern cybersecurity program, many organizations are completely unaware that their systems have been breached until it's too late. One technique commonly used by organized crime groups is to use one attack to distract their target, such as a distributed denial of service (DDoS) attack, to mask a more damaging attack, such as infecting systems with malware through a publicly-facing remote code execution vulnerability or scraping data from databases through SQL injection.
After the cycle is completed, the attack executed, and relevant payloads delivered, the cycle begins again, often utilizing the compromised organization to launch similar attacks against other organizations, especially trusted partners. These attacks can be even more rapidly successful in their infiltration efforts because network traffic from trusted partner organizations is not always subject to the strict security standards applied to traffic processed from the public internet.
How Your Organization is Affected
Why does this all matter if your organization isn't located in Ukraine or Russia, and doesn't have ties to either country?
Organized cyber-criminals will never attack directly from their own base of operations. First, they will compromise third-party organizations, preferably organizations completely unrelated to the attack origin or target, to obfuscate the source of the attack. That means your organization might unwittingly find themselves on the frontlines of a cyber war. While many organizations put a lot of effort into marketing efforts to be featured in the news, seeing a news headline that your organization’s servers were used to bring down the Ukraine power grid is probably not the type of publicity your organization wants.
A secondary threat related to the current events in Ukraine should also concern your organization. Malicious actors commonly take advantage of current events, preying on people's curiosity and desire to stay informed. These actors will often utilize "clickbait" websites, emails, or social media posts to launch phishing or ransomware attacks. Even if your organization's email filters prevent incoming phishing and malware infection attempts, you can be sure that your employees are reading current events stories on the internet and social media. While most of the stories about Ukraine's defense efforts have been mostly harmless on the surface, there's nothing to prevent malicious actors from taking advantage of these stories for their own purposes. Undoubtedly, you can expect emails such as "Ukraine Farmer Tows Away Russian Tank" or "Russians Surrender to Unarmed Teenager" containing links to "videos" that are, in fact, malware downloads.
In the cybersecurity realm, we often say that if someone wants access to your systems bad enough, they'll drive a tank through the wall to get to them. While this is currently a very real threat for organizations located in Ukraine, most organizations outside of the current conflict won't need to take extreme physical defensive measures – but this doesn't mean your organization shouldn't take additional steps to protect itself.
One of the most important steps to help protect your organization is to promote awareness of possible increased phishing or malware campaigns. Share with your employees, and even IT vendors, that the Ukraine conflict poses a heightened cyber-risk for everyone, not just directly affected organizations. Secondly, it's probably time to review your current security plan and cybersecurity program. Are there any gaps or deficiencies in your organization's protection? Finally, review and test your organization's disaster recovery plan. By planning for the worst-case scenario, your organization will be better prepared if it becomes collateral damage during this ongoing conflict.
The global internet has brought the world closer together than ever before possible, but with those connections come risks that must be mitigated. By working together and doing our own part to secure our organizations, we can all experience a safer global networked community.