On March 8, President Biden signed an Executive Order banning the sale of Russian oil, liquefied natural gas and coal to the United States. With bipartisan support, the decision was made to deprive the Putin regime of the economic resources needed to wage war in Ukraine. However, because it marks an escalation in punitive actions directed at the Russian state, it may also put US companies more directly in the firing line of cyber-attacks from the east. Leaders of the U.S. intelligence community expressed this same concern in their annual appearance on Capitol Hill on Tuesday. The Director of National Intelligence, Avril Haines, said: “Nevertheless, our analysts assess that Putin is unlikely to be deterred by such setbacks and instead may escalate, essentially doubling down.”
The good news is that best practice cybersecurity advice does not need to change. If the security and intelligence community continues to come together to share what information we have on offensive Russian cyber activity, and customers have the right detection and response tools in place, organizations can maintain a strong defensive posture.
Waiting for the tipping point
To date, the scale of Russian state-sponsored and proxy cyber-attacks has not been as expected. Yes, we’ve seen continuous DDoS attacks, a campaign of web defacements and various iterations of wiper malware. But these efforts have been mainly targeted at Ukrainian organizations. It is possible that Russia has yet to fully engage its offensive capability, or that Ukrainian counterattacks and disruptions have hit home. Reports suggest tens of thousands of cybersecurity professionals there have enlisted as volunteers to help the country’s efforts. Hacking collective Anonymous has also claimed responsibility for multiple hacktivist attacks in Russia.
As kinetic attacks in the region escalate, it’s likely that cyber-operations will do the same, although these are expected to remain confined to Ukraine. However, following the Presidential EO this week, we could well see Russian APT groups or their proxies expand their targeting of U.S. critical infrastructure. The oil and gas, banking and defense sectors are most likely to top the list of targets.
What we can expect
If this kind of escalation were to take place, it may begin through deployment of known destructive malware like IsaacWiper, HermeticWiper and WhisperKill onto already compromised targets or systems known to be vulnerable. Follow-on phases would see the use of DDoS or other volumetric, availability-based attacks against systems that couldn’t be compromised in the first round of attacks. Zero-day vulnerabilities held in reserve could be exploited during this phase.
Alongside the threat from Russian state hackers, Putin may call upon the “patriotic” reserves of the numerous cybercrime groups operating from within the country. Already the Conti and LockBit ransomware collectives have stated their support. However, Conti was forced to soften its language after a Ukrainian researcher doxxed the group with a devastating leak of source code and other internal information. Although they may not have a choice if called upon to support the Kremlin, this incident will certainly give many Russian ransomware actors a reason to think twice about joining the war effort.
Fighting back
If the worst-case scenario does unfold and US organizations are attacked en masse, the normal rules of best-practice cybersecurity apply. First come continuous risk-based patching, multi-factor authentication, network monitoring, least-privilege access, data encryption, phishing awareness training, and other cyber-hygiene steps. On top of that, organizations must have the detection and response tooling, ideally XDR, to correlate, prioritize and act on high-fidelity alerts with speed and precision.
The security community, including government agencies, should quicken their pace in sharing actionable intelligence, in order to improve public and private organizations’ threat hunting and detection efforts. Security operations (SecOps) leaders may also want to:
- Expand training and awareness for their users and partners;
- Collect telemetry from sources not traditionally aligned with cyber, such as supply chain vendor management;
- Increase attack surface enumeration across IoT, Industrial IoT, mobile and cloud;
- Expand or deploy a zero trust architecture framework; and
- Fortify their backups.