This weekend marks the one-year anniversary of the ransomware attack against Colonial Pipeline. That attack was soon followed by the ransomware attack against JBS. One thing both of those attacks have in common is that they are attributed to cybercrime gangs operating within Russia. Groups like Darkside and REvil, along with threat actors from APTs associated with Russian intelligence agencies, pose a serious threat to organizations around the world.
As the people of Ukraine heroically defend their country from destruction by Russian military forces, there remains a very real risk—expectation, actually—that Russia or threat actors aligned with Russia could launch devastating cyberattacks.
There was an expectation that Russia would launch coordinated cyberattacks against Ukraine and its allies prior to, or in conjunction with, the military invasion. For the most part, that has not happened, although there have been reports that customers of the Ukrainian telecommunications company Ukrtelecom experienced a disruption in internet service after a reported cyberattack.
This raises the question: is Russia continuing to test the waters in an attempt to carry out a widespread attack?
I spoke with Udi Mokady, founder, Chairman, and CEO of CyberArk, about the threat from Russia. He stressed, “I will leave discussion of the ground war to experts in foreign relations and military strategy and focus on my area of expertise in cybersecurity and understanding cyber risk. While I don’t think we should inflate Russian cyber capabilities, it would be a mistake to underestimate or dismiss them. Russia has a history of sophisticated cyberattacks.”
State of Cybersecurity and Nation-State Adversaries
Geopolitical tension is closely correlated with an increase in cyberattacks and cyber espionage. We’ve seen evidence of this across the spectrum, from targeted ransomware and supply chain attacks to threats against critical infrastructure. Attacker innovation is an omnipresent threat.
“Russian Intelligence and Russian cybercrime gangs are typically some of the most prolific threat actors, and Ukraine has historically been a ‘sandbox’ for testing out innovative tactics and exploits. One example is NotPetya that was engineered to look like a ransomware attack utilizing the leaked NSA tool EternalBlue,” explained Mokady. “Analysis shows that it was initially targeted at Ukraine entities. That threat wreaked havoc and caused more than $10 billion in damage worldwide. It shut down the National Health Service in the United Kingdom, as well as global organizations like Maersk and Merck.”
Prior to the invasion of Ukraine, attackers defaced a number of websites of Ukrainian government agencies, as well as the embassies of key allies. Two malicious wiper files were also discovered planted on servers in Ukraine. On the day Russia began its invasion of Ukraine, Viasat, a US satellite communications provider, was attacked, and recent reports indicate that threat actors are still active and continue deliberate attempts to cripple the network.
Global Organizations at Risk
The threat landscape is active 24/7. Being prepared for cyberattacks should be standard operating procedure. President Biden issued a statement urging vigilance and the need to harden cyber defenses immediately. Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technology, noted that US intelligence agencies have seen evidence of preparatory work connected with nation-state actors: increased scanning and probing in search of vulnerabilities.
Mokady told me that Russia and Russian cybercriminals are not the only threats. Major cyber threats have also been attributed to other well-known nation-state actors. There are also multiple cybercrime gangs, including Lapsus$, which made headlines recently with high-profile attacks against Okta, Microsoft, Nvidia, Samsung and others.
Be Prepared for Cyberattacks
“Organizations need to be ready. There has been a spike in phishing campaigns targeting Ukraine and NATO countries,” cautioned Mokady. “I believe countries that have levied sanctions against Russia are at risk. It’s possible that Russia is laying the foundation for the next stage of attacks—likely leveraging compromised identities to establish an initial foothold in networks and enabling lateral movement across systems while leaving little trace of malicious activity.”
Mokady added, “Identity is a common, but often unaddressed thread that underlies recent breaches and exploits. Only by assuming that any user, application or bot can gain privileged access to sensitive data or systems and that attackers will target it, can security leaders plan, predict and expand their defensive approaches effectively.”
He also shared that every business needs to be vigilant and prepared. It’s important for organizations to ensure operating systems and applications are patched and updated, and to revisit contingency plans and backup procedures to verify readiness. Mokady also emphasized that organizations can minimize the impact of potential attacks by enforcing identity-centric security best practices.
Mokady summed up with, “Cybersecurity in the digital age—especially during heightened tension between nation-states—is a tale of two cities. There are organizations that have a culture of security and prioritize protection and reducing risks, and there are organizations with a culture of compliance that do the bare minimum to check the right boxes. A culture of compliance does not lead to effective security, and leadership plays a key role. Choose which city you want to live in wisely.”
As we mark the one-year milestone of the Colonial Pipeline attack, and continue to anticipate broader or more damaging attacks from Russia as Putin continues his invasion of Ukraine, organizations around the world—regardless of size or industry—need to be prepared and remain vigilant.