Opinion piece by Adam Meyers, SVP Intelligence at CrowdStrike
Note: the views expressed here are not those of the GNT editorial staff; they are the informed opinion of an expert in his field, which we have judged worth sharing with you. This is not a sponsored item: there is no financial or other link between this company and GNT, and our only interest is to offer you insight into a particular area.
This threat is not new. Russia has a long history of cyber operations against its neighbor, especially since the pro-European Euromaidan protests of November 2013. The group VOODOO BEAR, another name for Unit 74455 of Russian military intelligence, is one of the main perpetrators of these attacks, whose apparent aim is to weaken or undermine public confidence in Ukraine's state institutions and industrial sector.
VOODOO BEAR was responsible for the disruptions that affected various Ukrainian critical infrastructures and caused power outages in December 2015 and again in December 2016. In June 2017, the group's operations caused great concern around the world, when a supply chain attack targeting Ukraine led to the large-scale deployment of NotPetya. This malware, whose damage has been estimated at 10 billion dollars, impacted companies and public services around the world. Other Russian groups, such as PRIMITIVE BEAR, took part in this large-scale asymmetric campaign against Ukraine.
Birth of a cyberwar
In February 2022, several Ukrainian banking and government sites were targeted by Russian military intelligence in a large-scale Distributed Denial of Service (DDoS) attack. This offensive notably targeted the sites of the Ukrainian Ministry of Defense and Armed Forces, the Ukrainian national savings bank Oschadbank and the mobile application of PrivatBank, the country's main commercial bank. At the same time, customers received a text message telling them, incorrectly, that the ATMs of these institutions were out of service, while bomb threats targeted several branches.
On February 23, 2022, a second wiper attack was identified. Called DriveSlayer and technically more sophisticated than the WhisperGate offensive launched in January by EMBER BEAR, this attack had characteristics close to those of VOODOO BEAR. The next day, several Ukrainian government sites displayed a defacement message before they stopped responding to requests from Internet users. The text was close to that which had targeted similar interests on January 14.
Shortly after the DriveSlayer attack and the defacement of these various sites, Russian troops attacked Ukraine. In the weeks that followed, numerous other incidents were recorded, including further wiper attacks, as well as disinformation and espionage attempts against Ukrainian targets. Finally, two other forms of activity should be noted in the context of this conflict: destructive attacks targeting Ukraine's satellite communications, and psychological or disinformation activities, probably including the amplification of information by attackers and its spread on social networks.
Cybercriminals, the Kremlin’s new asset
The conflict in Ukraine has also been marked by the involvement of the cybercrime ecosystem. This is an important fact, as Russia has a long history of harboring a network of cybercriminals that it can exploit for political gain. These adversaries now have the ability to act in support of Kremlin objectives, for example as an unofficial component that launches disruptive offensives around the world, including in the United States.
In the immediate aftermath of the invasion of Ukraine, cybercriminal groups, usually responsible for malicious activity driven by financial gain, began to respond to the conflict. Some actors turned out to support the interests of the Russian state directly. For example, the WIZARD SPIDER group, which first appeared in 2016 with its Trickbot malware and, more recently, in association with ransomware operations such as Ryuk and Conti, announced its full support for the Russian government, as well as its willingness to retaliate against the enemies of the Kremlin. Other cybercriminal groups have also launched DDoS attacks against Ukrainian targets, a departure from their previous methods.
Maximum alert
Beyond heightened awareness, new resources and increased support, operators of critical infrastructures must still apply good cybersecurity practices:
- Build relationships with law enforcement or homeland security services that can provide assistance in the event of an incident;
- Develop or maintain access to the know-how of qualified staff or support personnel, which includes establishing an incident response plan and, in many cases, signing a contract with an incident response (IR) service provider specializing in this type of service;
- For U.S. businesses, take advantage of the measures identified in Executive Order 14028, "Improving the Nation's Cybersecurity": adoption of next-generation enterprise IT security tools and concepts such as multi-factor authentication (MFA); endpoint detection and response (EDR) on workstations and application servers; effective logging; migration, where possible, to applications hosted directly in the cloud as SaaS services; implementation of a Zero Trust architecture; and proactive threat hunting for adversaries already inside the enterprise network;
- Use, where appropriate, the specialized tools and measures required for operational technology (OT) security.
For companies with fewer than six to eight dedicated cybersecurity employees, the growing adoption of managed security service providers (MSSPs) and/or managed detection and response (MDR) services is one of the factors that has probably contributed the most to improving their security posture. This trend should be encouraged, given the current and future threat level.
Outside Ukraine, the cyber activity orchestrated by Moscow in this conflict has so far been modest compared to initial fears. However, the situation could change at any time, and some signs suggest that Russia could become more aggressive in retaliation for the support several countries have given Ukraine and the heavy sanctions imposed on Russian individuals and entities. Operators of critical infrastructures must therefore remain on high alert. Thanks to the extensive media coverage, government initiatives and warnings described above, private companies seem to have gotten the message.
The post professionals on alert appeared first on Gamingsym.