As the military conflict continues between Ukraine and Russia, so do the fears of prolonged cyberwar. Governments and industry experts are monitoring both countries closely, fearing a volatile response involving one of the world’s leading ‘hacking superpowers’ could lead to a huge conflict playing out online that could outlast the physical battles. In fact, Russia started cyber operations long before the ground invasion.
Advanced Persistent Threats (APT)
In 2015 we saw the Russian APT group Sandworm (aka Voodoo Bear) attack Ukrainian power companies using tools dubbed ‘BlackEnergy’. The attack started with spear phishing carrying a malicious payload; once detonated, lateral movement continued until control of the SCADA systems was established and they were operated remotely.
In 2016, similar attacks happened, this time using tools dubbed ‘Industroyer’ (aka CrashOverride). The difference this time was the maturity and targeted nature: four payload components targeted industrial communication protocols directly before a data wiper was used to make the SCADA systems unbootable. This was OT focused, not just an attack on the Windows SCADA stack.
Throughout 2017 and beyond, a series of cyberattacks using Petya malware targeted Ukrainian organisations including banks, ministries, newspapers, electricity firms and even the radiation monitoring system at Chernobyl.
State Cyber Attacks Continue
As I write this post, Ukraine's national telecoms operator Ukrtelecom is restoring internet services after defending against a major cyber-attack. Ukraine’s telecom companies are also battling to keep the internet up in the face of ongoing rocket strikes, having to replace and fix equipment as best they can.
With many western businesses ceasing trading in Russia, some continuing, and others assisting in the humanitarian effort within Ukraine, is there a risk that western businesses will be targeted?
The simple answer is yes, and it is a lot more complicated than was ever imagined because it's not just nation states we now must fear.
Welcome to Battlefield 2022
It is no secret that governments have offensive cyber capability; we only have to look at the leaked NSA exploit ‘EternalBlue’ that was used in the WannaCry incident in 2017. Tools like this will be part of the ‘war chests’ of nation states, but they are dwarfed by those being created outside of governments.
While many still view cyber warfare as nation on nation, this is not strictly true. If you can damage public perception or the supply chain, or cut or monitor communications, then nefarious individuals or companies stand to benefit from undertaking cyber operations. Moreover, businesses often do not have the resources behind them that governments have and therefore can be much softer targets. Even multi-billion-pound global companies are susceptible to attack using simple guerrilla-style methods which are difficult or impossible to protect against.
Activists and Hacktivists Take Up Arms
In February 2022, Anonymous declared that they had launched 'cyber operations' against the Russian Federation, in retaliation for the invasion of Ukraine. To date, they have reported several successful attacks including targeting banks, government and those that support the Kremlin. The truth is that these attacks go much deeper and will continue to do so.
On March 20th they issued a warning to businesses to #pulloutofrussia, thanking those that did and taking action against those who did not comply, with some big-name manufacturers being targeted.
There are several viewpoints much wider than this post can cover on the approach of Anonymous, their ethics, legitimacy to operate and so on. It is clear though, that their actions are creating effects that have changed the cyber landscape in ways that we never imagined. Those who watched Mr. Robot on Amazon Prime will have seen this play out through ‘fsociety,’ but perhaps never dreamed that hacking groups could have this impact in real life.
Businesses are listening to public opinion and activists alike, changing their opinion and acting on what they view is morally correct rather than what is financially rewarding. These businesses accept the need to play the long game and not punish their employees who have been caught in the crossfire by paying them to stay at home and closing shops and offices.
Deep Pockets, Yet Weak Defences?
It is not clear how these cyber-attacks against large companies are taking place: global brands with extensive budgets and highly skilled security teams are being breached by groups and individuals operating from their bedrooms and kitchen tables.
If this can happen to global brands without state sponsorship, has the battlefield changed shape forever?
Guerrilla Warfare in Cyber Space
Moving the focus from nation states and hacktivists to hacking groups, still in March 2022, we have seen Lapsus$ breach Microsoft and Okta, a leader in identity management, as well as other leading brands such as NVIDIA, Samsung, Ubisoft, and Vodafone.
Investigations are ongoing and London Police are investigating members of the Lapsus$ hacking group. Detective Inspector Michael O’Sullivan in a statement said “Seven people between the ages of 16 and 21 have been arrested in connection with this investigation and have all been released under investigation. Our enquiries remain ongoing.”
Brian Krebs recently posted on Twitter:
And Krebs really has a valid point: how do you defend against smash-and-grab theft? It works in the real world with scooters and hammers, right?
Human Greed and Threats from Within
The insider threat is often considered to be the disgruntled employee; however, this generalised statement is no longer relevant today. If you can pay your way into gaining credentials at negligible risk to yourself, could this be the new norm?
Think about it: since the pandemic, we have all been working remotely, so the way has been paved for a different, more basic route to access. We all now have it!
What if someone is offering you £20k, perhaps a year’s salary, to share your details, lose your laptop or act out of character? Whether out of remorse or by calculation, you can tell the IT department on Monday that you lost your laptop on the train or that it was stolen from your car while you were in the supermarket, and the very next day it appears to have been a simple accident. Who is to know?
And yes, Lapsus$ are recruiting:
Happy Employees and Ongoing Checks
Security standards such as ISO 27001 and IEC 62443-2-1 all reference personnel security: ongoing checks, segregation of duties, mandated holidays, job rotation and least privilege, all for good reason.
These are the basic controls that a well-run organisation should have in place to help identify insider threats. Just to be clear, this is not your employer not trusting you; this is your employer running a well-established business with integrity so that you all keep your jobs for years to come.
But honestly, when was the last time HR checked whether you had any money issues, had been caught up in trouble, were struggling at home, or recognised that you are not as focused as you could or should be? It is a lot more difficult now that we are working remotely.
Managers, have you just thought these were effects of covid or post-pandemic blues?
Happy employees are loyal and will have the interest of their employer front and centre, be sure to keep it that way!
There is more for employers to do on employee engagement and awareness, extending well beyond ‘that annual phishing training.’ Get your staff into a social environment, away days, event days; get the walls down and get to know them. They are your greatest assets and your weakest link; they are humans, not robots. Understand their strengths, weaknesses, aspirations, and dreams. Coach and mentor them, and allow them to grow and be the best they can be.
What is Next?
Well, who really knows? At the start of 2022 we had just started to recover from the worst pandemic in over 100 years. Now we are facing global unrest that has not been present since the 1980s.
We can conclude that it is not just governments that are fighting each other, the person on the street can change the course of a billion-pound company through social media pressure and activism. Has the power of the union of old become reborn in a different guise?
We are certainly in different times with different threats and risks. Working with a company like SolutionsPT includes having access to experts who not only understand the technology but have excellent situational awareness of the world they operate in and how these threats may affect our customers. See how we deduced the Oldsmar water hack in February 2021 by understanding the threat landscape, knowledge of the industry and associated risks.
When you engage with us, we apply all this experience to everything we do, value that is not tangible for a centralised purchasing department looking for the cheapest quote but essential if you want to work with industry professionals and not enthusiastic amateurs.