Analysis Russia’s invasion of Ukraine has cleared the way for a new battlefront with the West in cyberspace, with experts warning of an escalation in cyberwarfare.
The initial targets were in Ukraine, though Russia will tee off on Western targets as deeper sanctions are imposed by the US, UK, and the European Union, experts said.
“We expect to see that probably beyond just Ukraine, disinformation to target Western audiences, cyberespionage against key NATO members, as Russia tries to understand the next moves when it comes to sanctions or other steps that Western governments will play,” Luke McNamara, principal analyst at cybersecurity consulting firm Mandiant, told The Register.
The US on Thursday issued new sanctions targeting Russia’s banking and financial sectors, and also implemented “unprecedented export control measures” to cut “off more than half of Russia’s high-tech imports,” the White House said.
This round of sanctions will restrict Russia’s access to vital technology, hurt the industrial base, and undercut “Russia’s strategic ambitions to exert influence on the world stage,” the White House said. Specific details on the tech export control measures weren’t available, though the US President Joe Biden is willing to cut chip exports to Vladimir Putin’s nation.
“While there are not any specific, credible, cyber threats to the US, we encourage all organizations – regardless of size – to take steps now to improve their cybersecurity and safeguard their critical assets,” a US Department of Homeland Security spokesperson told The Register.
Over in the UK, Prime Minister Boris Johnson said major Russian banks will be excluded from Britain’s financial system and oligarchs will face fresh sanctions as a result of the invasion.
Military malware
The US and UK governments this week warned [PDF] of Russia-linked malware called Cyclops Blink, which can infect network equipment to attack downstream devices in key targets. This software nasty appears to be a replacement for espionage-ware dubbed VPNFilter, which for one thing could detect and point out industrial SCADA equipment to its handlers.
Uncle Sam also today issued an advisory of Iranian government-sponsored actors, known as MuddyWater, “conducting cyber espionage and other malicious cyber operations targeting a range of government and private-sector organizations across sectors in Asia, Africa, Europe, and North America.”
“We have seen government warnings about Western banks being targets, in retaliation for sanctions on major Russian banks, but at this point one certainly couldn’t rule out a broader range of targets,” Emily Kilcrease, senior fellow and director for energy, economics and security program at the Center for New American Security, told The Register.
Credit-ratings agency S&P Global Ratings also issued a heightened alert on possible cyberattacks on key institutions and infrastructure, which could have wider financial and credit implications across sectors and geographies.
“Cyberattacks are becoming a more prevalent means of achieving foreign policy objectives, given their lower deployment costs relative to conventional military tactics and uncertain scope for retaliation,” said the S&P Ratings research note, which was shared with The Register.
S&P gave the example of NotPetya, which in 2017 hit Ukraine and ultimately disrupted 7,000 companies across 65 countries globally, with estimated economic losses of around $10bn. The US Department of Justice in 2020 charged six officers in Russian Main Intelligence Directorate (GRU) for distributing NotPetya, among other things.
“We believe that the economic impact from such an attack for entities could be more severe now, given increased interconnectedness and digitalization.” said S&P credit analyst Zahabia Gupta, in the research note.
Computers in Ukraine this week were hit by Windows malware that wipes out data, and the country’s government and banking websites have been whacked offline by cyberattacks over the past few weeks.
Netblocks, which tracks internet disruptions, reported network disruptions in Kharkiv, which has been taken over by Russian forces. The Kremlin’s website is offline for at least us here in America. Russia’s military website mil.ru is returning the joke HTTP 418 error for those connecting from outside the nation.
An eye for an eye turns the whole world blind
The US president Joe Biden has been presented with retaliatory cyber-assault options, NBC News reported. But the White House disputed the report.
“It’s going to be a bit of an escalation cycle, unfortunately,” Kilcrease said.
Mandiant’s McNamara is keeping a close watch on a possible cyber threat from Russia-linked cyber-spy gang Temp.Isotope, which also been referred to as Berserk Bear, or Energetic Bear. They’re known for using Server Message Block call-outs, a transport protocol used by Windows for activities like file or printer sharing.
One possible sanction by the West could block Russia from the SWIFT banking communications system, and that could raise the risk of online attacks on the finance sector in response. “To disconnect Russia from SWIFT, that would certainly be a pretty significant step. Historically we’ve seen when you have a state adversary that has a capability and is disconnected from SWIFT, what they’re willing to do. We’ve seen that in the case of North Korea,” McNamara said.
Companies should bulk up their security posture by putting themselves in the shoes of the adversary, McNamara said. He gave the example of Colonial Pipeline, which was ransacked by a Russian ransomware group Darkside and had to shut down its oil pipelines amid gas shortages. That is to say, one should imagine the kind of public-facing chaos and disruption an attacker might wish to create, and then take steps to prevent or mitigate that scenario.
“Even just some sort of panic and people running to the pump for gas, that’s something I think you have to think about how the adversary might approach this,” McNamara said.
Mandiant in 2013 outed China’s military as having siphoned hundreds of terabytes of data from computers from US corporations.
Some customers have asked Akamai for help on responding to network security related to the situation in Ukraine. The inquiries focus mainly on the mitigation of malicious traffic and complying with regulations or sanctions via geoblocking, a company spokesperson told The Register.
Akamai gears up
Akamai is working on mechanisms to help customers block such traffic, especially from breakaway Ukrainian regions invaded by Russia. For example, custom rules can be applied to traffic on company’s edge network to match certain geographical IP attributes based on data gathered.
“As of this publication, Akamai only has tools to apply such regional blocking for Crimea, but is working to expand capabilities quickly to encompass the Donetsk and Luhansk regions,” the spokesperson said.
The data used for such services could vary in accuracy when applied at the state or city level within a country, and “such blocking rules should not be exclusively relied on where blocking is mandated by law,” the spokesperson said.
Akamai’s customers are also concerned about mitigating potential cyberattacks related to the Russia/Ukraine crisis. Such attacks may be identified not necessarily as being related to Russia or Ukraine, but by utilizing familiar attack methods and vectors that the company regularly sees.
“Therefore, we are advising to enact operational readiness for DDoS attacks and follow regular security best practices like patching and keeping software up to date, limiting attack surface, embracing a Zero Trust security strategy, and the like,” the spokesperson said.
Distributed denial-of-service (DDoS) attacks have hurt Ukraine in recent days, and whether it’ll work on Western targets is an open question, Mandiant’s McNamara said.
DDoS floods on Western financial institutions in 2012 in response to US sanctions against Iran’s financial system was successful as it brought down bank operations. Russia may launch DDoS attacks in some instances, but the security has got a lot better around the prevention of those.
“So it may be that the preference for disruptive or destructive attacks is something more akin to wiper malware,” McNamara said.
Security biz Kaspersky, which is based in Moscow, declined to provide specifics on how it was serving customers amid the sanctions and worsening situation between Russia and the West.
The company remains focused on delivering its security expertise, and will continue to protect businesses, critical infrastructure, governments and consumers around the globe, it told The Register in an email.
“Kaspersky’s business operations remain stable. The company guarantees the fulfillment of its obligations to partners and customers – including product delivery and support and financial transaction continuity. The global management team is monitoring the situation carefully and is ready to act very quickly if needed,” it said. ®