UPDATED February 24: We spoke to many of the interviewees here 24 hours prior to the Russian invasion. This is a fast-moving situation. Guidance from cybersecurity authorities will no doubt be updated shortly.
Warnings from security vendors as well as public authorities about Russian cyber-activity are not uncommon. As both a go-to bogeyman for cybersecurity marketing teams and a genuinely advanced and persistent threat, the risk of hostile nation state cyber activity is “priced in” at most competent and well-resourced organisations. Without credible intelligence about a particular campaign or fresh specific tools, tactics and procedures, the latest warning about cyber threats attributed to Russia can often fall on ears that have heard the chorus before.
Yet as Russia began shelling Ukraine during an extraordinary, troubling week, this time it’s different. As Mick Douglas, an experienced information security professional who runs security firm InfoSec Innovations and also serves as an instructor at cybersecurity training company the SANS Institute, puts it: “Things are going to get spicy. It sucks. But it is what it is… Have a frank talk with your cyber insurance provider. It might get *real* bad.”
Fear levels vary, but security professionals at managed service providers, as well as CISOs, say phones are ringing off the hook as customers and business leaders fear that conflict between Russia and Ukraine — and the western response to it — could cause a wider conflagration that plays out not just across Ukraine’s plains, but via network packets. Many are genuinely concerned about becoming explicit targets as well as collateral damage in the conflict after Russia began bombarding Ukraine in what appeared to be a full-scale invasion late on February 23.
Cybersecurity teams are on high alert. One CSO at a major managed security services provider (MSSP) told The Stack that they were fielding calls “constantly” from clients, saying “there’s a lot of concern and uncertainty” — adding that for now there was little to add beyond ensuring usual best practice other than “stay alert”.
The CISO of another multi-billion revenue software provider added, speaking to us via Signal on condition of anonymity, that there was a “lot of fear” among their peers in industry right now about the consequences of the conflict. They told us: “There are concerns around the availability of cyber forensic teams if you’re breached; companies like Mandiant and CrowdStrike are stretched thin. Cyber insurance is mostly useless except where it can put you to the front of the queue to access these firms. Most experienced CISOs understand that the government will be of little help — especially with Ukraine heating up. In fact [in the US] USG becomes a hindrance after reporting a breach to CISA; you are truly on your own. Most small companies or privately owned critical infrastructure operators still don’t understand this and haven’t planned properly…”
They added: “Remember too, true wide-scale cyber warfare has never happened. The inadvertent spread of collateral damage is also unknown and theoretically worse than its kinetic counterpart.”
They spoke as the US warned that 100% of Russian troops were now in “invasion-ready” position. [Updated 08:45 February 24: Russia fired missiles at several cities in Ukraine and landed troops on its coast after President Putin authorised a military operation. Explosions could be heard in the capital Kyiv, Reuters reported.]
Later on February 24 NBC News reported that US President Joe Biden had been presented with a menu of options for the US to carry out “massive cyberattacks designed to disrupt Russia’s ability to sustain its military operations in Ukraine”, including “shutting off electric power, and tampering with railroad switches to hamper Russia’s ability to resupply its forces”, with tense debates said to be taking place over the potential measures.
(Denis Volkov, director of the Levada Center, a Russian independent pollster, meanwhile told the AP that more than half of Russians supported recent moves by Moscow to recognise and send troops into Ukraine’s separatist regions Donetsk and Luhansk, saying: “The situation, as it is understood by the majority, is that the west is pressuring Ukraine” to make a move against the rebel-held areas, “and Russia needs to somehow help”.)
Suffering cyber-tensions? No time like the present…
Another CISO emphasised to us that “several countries’ authorities have reached out to specific industry CISOs with warnings. Not just traditional critical infrastructure but also banking, finance and healthcare agencies”, adding in a series of direct messages that “I wouldn’t say CISOs are anxious, but they are vigilant.”
Jen Easterly, Director of DHS’s Cybersecurity and Infrastructure Security Agency (CISA) told attendees at one US forum that “our critical infrastructure is integrated into a larger global cyber ecosystem, which means that we all need to be ready, or as I like to say, shields up. So given the rising tensions and the potential invasion of Ukraine by Russia, we’ve actually been leaning forward to inform our industry partners of potential threats.”
Cyber attacks already happening in Ukraine go beyond the widely reported DDoS attacks on ministries and banks, with ESET for example saying it had identified a new data wiper malware used in Ukraine (Wednesday February 23). The security firm added: “ESET telemetry shows that it was installed on hundreds of machines in the country… it abuses legitimate drivers from the EaseUS Partition Master software in order to corrupt data. As a final step the wiper reboots [the] computer. In one of the targeted organizations, the wiper was dropped via the default (domain policy) GPO meaning that attackers had likely taken control of the Active Directory server.”
Others are spelling out the need to take specific actions, even if it is late in the day.
As Mick Douglas put it — saying he was fielding multiple calls about defending against potential Russian cyber-ops — “Watch your egress. Firewalls work both ways. Carefully monitor outbound traffic. DMZ servers RESPOND to external requests. Look for DMZ systems initiating outbound. This is what ‘phoning home’ (aka C2) looks like. Note: you will have a handful of DMZ servers initiating outbound. File XFER systems, any mail server (you likely shouldn’t be running your own). Some web services may also initiate outbound. But it’s rare. [For most organisations] your exception list will fit on a single sheet of paper,” he noted on Twitter, adding: “Don’t get too hung up on IP address blocks. Geo-blocking has some advantages, but the only time Russian groups come from Russian IP space is when they want to rub it in. Start treating the entire internet as hostile… because it is.”
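The egress check Douglas describes (DMZ hosts should answer, not initiate; keep the exceptions on one sheet of paper; ignore where the destination sits geographically) can be turned into a simple detection. The script below is an added example written for this page, not code from the article or from Douglas. It assumes a key=value firewall log format, a DMZ range of 192.0.2.0/24, and a two-entry exception list (a mail relay and a resolver); the log lines are constructed for the example and are not real telemetry.

```python
"""Flag DMZ hosts that *initiate* outbound flows outside a small allowlist.

Added example for illustration; the log format, DMZ range, exception list and
sample lines below are all assumptions, not taken from the article.
"""
import ipaddress
from collections import Counter

# Assumed: the DMZ, plus the ranges that count as "inside" (DMZ + RFC 1918).
DMZ = ipaddress.ip_network("192.0.2.0/24")
INTERNAL = [DMZ] + [ipaddress.ip_network(n)
                    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# The "single sheet of paper": hosts allowed to initiate outbound, by (proto, port).
# Constructed for the example: an SMTP relay and a DNS forwarder.
EXCEPTIONS = {
    "192.0.2.25": {("tcp", 25)},
    "192.0.2.30": {("udp", 53)},
}

# Constructed sample lines in an assumed "<ts> key=value ..." firewall format.
# 'flags' carries TCP flags (S = SYN, SA = SYN/ACK); '-' for non-TCP.
SAMPLE_LOGS = """\
2022-02-24T08:01:12Z action=allow src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=443 flags=S
2022-02-24T08:01:12Z action=allow src=192.0.2.10 dst=203.0.113.7 proto=tcp dport=51522 flags=SA
2022-02-24T08:02:30Z action=allow src=192.0.2.25 dst=198.51.100.5 proto=tcp dport=25 flags=S
2022-02-24T08:03:05Z action=allow src=192.0.2.10 dst=198.51.100.77 proto=tcp dport=443 flags=S
2022-02-24T08:03:06Z action=allow src=192.0.2.10 dst=198.51.100.77 proto=tcp dport=443 flags=S
2022-02-24T08:04:00Z action=allow src=192.0.2.30 dst=198.51.100.9 proto=udp dport=53 flags=-
2022-02-24T08:05:00Z action=allow src=192.0.2.25 dst=192.0.2.10 proto=tcp dport=8080 flags=S
"""


def parse_line(line):
    """Parse one log line into a dict; the first token is the timestamp."""
    ts, *fields = line.split()
    rec = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def initiated_outbound(rec):
    """True when a DMZ host *starts* a flow to an external address.

    A reply to an inbound request shows up as SYN/ACK from the DMZ host, so for
    TCP only a bare SYN counts. For UDP there is no handshake; any packet counts.
    """
    if ipaddress.ip_address(rec["src"]) not in DMZ:
        return False
    if is_internal(rec["dst"]):          # DMZ-to-DMZ or DMZ-to-LAN is not egress
        return False
    if rec["proto"] == "tcp":
        return rec.get("flags") == "S"
    return True


def find_unexpected_egress(log_text, exceptions=EXCEPTIONS):
    """Count outbound-initiated flows not covered by the exception list.

    Returns a Counter keyed by (src, dst, proto, dport). The destination's
    country is deliberately not consulted: the check is "who initiated", not
    "where to".
    """
    hits = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if not initiated_outbound(rec):
            continue
        proto, dport = rec["proto"], int(rec["dport"])
        if (proto, dport) in exceptions.get(rec["src"], set()):
            continue
        hits[(rec["src"], rec["dst"], proto, dport)] += 1
    return hits


if __name__ == "__main__":
    for (src, dst, proto, dport), n in find_unexpected_egress(SAMPLE_LOGS).most_common():
        print(f"ALERT: DMZ host {src} initiated {n} {proto}/{dport} flow(s) to {dst}")
```

On the constructed sample the only finding is the web server 192.0.2.10 opening two fresh TCP/443 connections to an external address: its SYN/ACK back to a visitor is correctly ignored, the relay's SMTP and the forwarder's DNS are on the exception list, and a DMZ-to-DMZ connection is not egress at all. In practice the same logic runs against NetFlow or firewall exports, and the exception list should be reviewed, not grown, whenever it produces an alert.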
Douglas emphasised: “Many orgs over-rely on EDR and SIEM now, LOL [Living off the Land] attacks are highly successful. Attackers blend in. They are using core parts of the OS against you. None of your tools will stop these. You likely already have exclusions for the ports and protocols these tools use. Do NOT believe your heuristics or ML/AI based tool will save you either”, adding that Incident Response (IR) plans should include rapid (host and network level) isolation workflows that IT teams need to be drilling comprehensively.
The UK’s NCSC said it “advises organisations to act following Russia’s further violation of Ukraine’s territorial integrity…Organisations should follow NCSC advice and act on improving their resilience with the cyber threat heightened” — its updated guidance “encourages organisations to follow actionable steps that reduce the risk of falling victim to an attack.” These include many often overlooked “basics” like:
- Patching systems;
- Improving access controls and enabling multi-factor authentication;
- Implementing an effective incident response plan;
- Checking that backups and restore mechanisms are working;
- Ensuring that online defences are working as expected, and;
- Keeping up to date with the latest threat and mitigation information.
The NCSC added on February 23 in a new advisory that alongside other Five Eyes agencies it had identified “a large-scale modular malware framework which is affecting network devices”. Dubbing it Cyclops Blink, the agencies said that the malware has been seen deployed to firewall devices from security firm WatchGuard. Attributing the malware to “Sandworm”, a group previously associated with Russia’s GRU, they said that “the actor has so far primarily deployed Cyclops Blink to WatchGuard devices, but it is likely that Sandworm would be capable of compiling the malware for other architectures and firmware”. (Cyclops Blink is generally deployed as part of a firmware ‘update’, which gives it persistence across device reboots and makes remediation harder.)
A detailed NCSC analysis, with YARA rules and IOCs, is here.