
Preparing For Cyber Fallout In The Wake Of Russia-Ukraine Crisis

Published on: 24 February 2022. Categories: Critical Infrastructure, Defence, Security

Australia and the West are on high alert to cyber attacks after Russian and Ukrainian diplomacy has broken down. This article helps Australian businesses make sense of the situation, understand how it may impact their operations, and learn how to prepare for the inevitable ‘cyber fallout’ from the Russia-Ukraine conflict.

Co-authored by Jordan Plotnek

After recent escalating events in Ukraine, the world is left staring down the barrel of the biggest threat to European stability since World War 2. Ongoing tensions between Russia and Ukraine have reached the point of diplomatic breakdown and military intervention is now widely considered inevitable.

Although it may feel like a great time to live in our distant island nation of Australia, we are far from being unscathed by the conflict. The forces of technology, globalisation, and politics have made the world much smaller than it may seem and we are already witnessing the beginnings of what’s to come.

In fact, just today the Prime Minister himself has publicly stated that “Cyber attacks are a real threat, they’re a present threat, and they are the most likely response from Russia” in response to Australia’s stance on the Russian military escalations.

We are writing this article to help you and your organisation make sense of the situation, how it may impact your operations, and how you can prepare for the inevitable ‘cyber fallout’ from the Russia-Ukraine conflict. We will explore some historical cyber case studies from similar Russia-oriented events and provide general guidance that is grounded in real-world threat emulation and foreign interference testing tactics.

What is going on in the Ukraine?

Ukraine is currently surrounded by over 150,000 Russian troops who are gathered on their northern, eastern and southern borders. The Russian President, Vladimir Putin, has already moved military units into Ukraine’s separatist eastern regions, Donetsk and Luhansk, and declared them as independent republics. He further warned other countries that any attempt to interfere with Russian military operations would lead to “consequences they have never seen”.

These recent escalations come after decades of tension between the two former Soviet countries, especially in the wake of Russia’s 2014 invasion of Ukraine. Ever since the 2014 Russo-Ukrainian war, Ukraine has developed closer ties with Western European nations and organisations such as NATO and the European Union. In addition to a long and complex history between the two peoples, this ‘Westernisation’ of Ukraine is what Vladimir Putin is using as the pretext for recent escalations.

In response to Russia’s accusations against the West, a number of Western countries, including Australia, have implemented sanctions against important Russian figures, companies, banks, and institutions, and have issued threats of further action if peace is not made. Russia’s response has been further military escalation, cyber attacks, and now a decree of what many acknowledge as a declaration of war against the Ukraine.

Russia’s history of global cyber attacks

Offensive cyber operations form a key part of Russian military strategy. So much so that cyber security analysts around the world have been able to predict Russian military escalations based on increased Russian cyber activity in the days prior.

There is a slew of well-researched papers and articles discussing Russian cyber warfare tactics. If you are interested in this topic, we’d recommend reading the following:

On top of this, Russia is considered one of the most advanced cyber actors in the world with command over highly trained cyber warriors and access to some of the most advanced offensive cyber technologies on earth. So, this is no toothless bear that we’re dealing with here.

As far as recent historical examples go, there is also a plethora to choose from. Some well-known Russia-sponsored attacks include:

  • SolarWinds breach, which left 18,000 companies around the world vulnerable and actively compromised over 100 companies and a dozen US Government agencies in 2020. This hack went undetected for months, and it will take years for critical infrastructure providers to recover. It is known as one of the most significant cyber security breaches in history.
  • NotPetya logic bomb malware, the worst known cyber attack of its kind, crippled countless companies, critical infrastructure providers and government agencies in Australia and globally. This malware, created by a Russian group called Sandworm, coincided with increasing Russia-Ukraine tensions in 2017, causing in excess of $10bn worth of damage as well as endangering lives due to the sudden encryption of safety-critical systems.
  • A large-scale 2021 cyber campaign affecting over 250 US companies and agencies, which went undetected for over 9 months.
  • Another Russian attack, driven by Russia-Ukraine tensions in 2018, compromised over 500,000 routers, turning them all into a Russia-controlled ‘botnet’.
  • Russian military cyber attacks on the 2018 Winter Olympics in South Korea, reportedly aiming to “punish” Russia’s perceived enemies.

As recently as this week, the Russian intelligence group Sandworm (the group behind NotPetya) has developed a new malware known as ‘Cyclops Blink’. Although large-scale Distributed Denial of Service (DDoS) attacks have already been attributed to this cyber weapon, it is likely that the full impacts are yet to be felt worldwide. The malware is known to target WatchGuard firewalls and has the ability to evade the usual countermeasures, meaning that a potentially large number of firewall devices worldwide are now vulnerable to foreign interference by Russia.

There are many, many more examples. A quick Google search will quickly overwhelm you with countless major cyber security events delivered at the hands of Russia, whether through their military, intelligence agencies, or Russian-backed groups.

Given this history and the recent re-escalations in Ukraine, the West is left on high alert with fears of cyberwar and other malicious cyber fallout from the conflict.

Australian cyber security experts are pushing the same message, urging Australian companies and agencies to tighten their cyber security posture and run regular cyber health checks on their key systems.

Usual targets of Russian cyber warfare

Russian cyber warfare activities are broad. Very broad.

As noted above, previous Russia-Ukraine conflicts have not just been devastating to Ukrainians, but have impacted millions around the world – even those that seemingly have nothing to do with either Russia or Ukraine, or even the government.

Businesses both large and small are just as targeted as federal government agencies. Past Russian attacks have crippled banks, hospitals, critical infrastructure, schools, organisations supplying products or services to governments, and sporting agencies; even a chocolate factory in Tasmania fell victim to one of the previous Russian attacks.

The problem with cyber weapons is that once they’re deployed out there in the wild, they can become very difficult to control. Sometimes they are even repurposed by an entirely different threat group and relaunched against the attackers themselves.

This is why the Australian Government is urging Australian businesses to double-down on their cyber security efforts, regardless of sector or business function.

What can you do to prepare?

These days most managers and executives know that cyber security is simply a cost of doing business. However, we all inevitably end up in the position where we come up against the age-old problem of limited resources and have to make some tough decisions.

This is normal. In fact, this is okay. Risk management processes help us prioritise where resources are spent and inform us where our vulnerabilities lie so that we can monitor them.

However, an integral part of that risk management process is the ‘Likelihood’ piece, which is informed not only by vulnerability, but also by threat. Extreme events such as the recent Russia-Ukraine conflict cause these threat levels to surge and so may also cause our risk levels to shift.

Anchoram’s Lead Partner for our Integrated Security Services, Craig Petrie, has first-hand experience being caught out by an Advanced Persistent Threat (APT) during his time as a Security Officer for an organisation that will remain unnamed.

In his words, “I was contacted by the Australian Cyber Security Centre (ACSC) and was told we were being targeted by an APT actor. To say that it gives you a chill is an understatement. Whilst I initially thought, ‘what do I tell my bosses?’, my mind quickly focused on: How are our cyber security settings? Are we penetrated? Would we know? What are they after? What should we do?”

Whilst Craig and his organisation at the time were lucky to have their hand held by the ACSC, the ACSC might not always be able to step in, given other events and priorities, especially in a crisis situation like the one we are now facing.

Thankfully there are a few tools at your disposal in times like this to get one step ahead and prepare your organisation for the worst. Even better, these tools and processes can be scaled from ‘quick and dirty’ for an inexpensive gauge on your cyber defence posture, to complex and detailed analyses and testing to truly ensure you are prepared for whatever lies ahead.

On the simpler and cheaper end of the scale, a threat-driven Cyber Health Assessment can be rapidly conducted to ‘kick the tyres’ of your organisation’s security posture in light of a specific event like this one. Such an assessment can be performed within days or weeks and gives management a basic understanding of how your organisation may stand up against the commonly known tactics of the threat actor in mind (Russia, in this instance). The assessment should also consider general security mitigations that can be implemented to cover any glaring vulnerabilities identified.

The other end of the scale is suited to organisations looking for a more detailed and assured measurement of security posture and involves some level of Adversary Emulation. During this assessment, assessors replicate a specific foreign interference threat scenario. For example, assessors may assume the role of a Russian foreign agent who wants to exfiltrate customer data out of the organisation. Another emulated scenario could involve assessors testing whether the organisation’s software product(s) can be infected or mimicking a supply chain attack.

These more advanced exercises are performed by ‘red teams’, with the defenders being labelled the ‘blue team’. Usually, a threat-driven attack methodology is created or followed to conduct these exercises in a way that effectively emulates known threat actor methods and tactics. This can take the form of a process, such as the Red Team Operations Attack Lifecycle, or of well-defined attack plans, such as the MITRE Adversary Emulation Plans.

Cyber threat intelligence sources play a key role in both the simple and complex assessment options and often serve as a starting point for most exercises.

In either case (or somewhere in between), the aim of any threat-driven security check is to see how your organisation’s defences will fare in the event of a real foreign agent cyber attack. Such exercises are helpful in identifying vulnerabilities missed during other assessments, such as audits or penetration testing, due to the differing scope, testing approach, and assessed attack surfaces.

Large companies such as Facebook are known to leverage adversary emulation to protect their infrastructure from sophisticated attacks. But you don’t have to be a large company to afford these assurances.

Whether your organisation is considering simple cyber health checks or advanced red team testing, there are various tailored options that can be applied depending on budget and organisational complexity. The key piece that makes all the difference in times like these is the threat-driven approach.

If you are left with more questions or looking to get a cyber health check, foreign interference test, or a red team assessment please reach out. Anchoram has the teams, tools, and experience to help your organisation be better prepared for what’s to come.

Paul Leitao