This weekend marks one year since the ransomware attack on Colonial Pipeline. That attack was soon followed by the ransomware attack on JBS. One thing both attacks have in common is that they are attributed to cybercriminal gangs operating inside Russia. Groups like Darkside and REvil, along with APT threat actors associated with Russian intelligence agencies, pose a serious threat to organizations around the world.
As the people of Ukraine heroically defend their country from destruction by Russian military forces, there remains a very real risk (indeed, an expectation) that Russia or Russian-aligned threat actors could launch devastating cyberattacks.
Russia was expected to launch coordinated cyberattacks against Ukraine and its allies before or alongside the military invasion. For the most part, that has not happened, although there have been reports that customers of the Ukrainian telecommunications company Ukrtelecom experienced an interruption in Internet service after a reported cyber attack.
This raises the question: is Russia continuing to test the waters in an attempt to carry out a widespread attack?
I spoke with Udi Mokady, founder, president and CEO of CyberArk, about the threat from Russia. He emphasized: “I will leave the discussion of ground warfare to foreign affairs and military strategy experts and concentrate on my area of expertise in cyber security and understanding cyber risk. While I don’t think we should inflate Russian cyber capabilities, it would be a mistake to underestimate or dismiss them. Russia has a history of sophisticated cyberattacks.”
State of Cybersecurity and Nation-State Adversaries
Geopolitical tension is closely related to an increase in cyber attacks and cyber espionage. We’ve seen evidence of everything from targeted ransomware and supply chain attacks to threats against critical infrastructure. Attacker innovation is a pervasive threat.
“Russian intelligence and Russian cybercrime gangs are often some of the most prolific threat actors, and Ukraine has historically been a “sandbox” for testing innovative exploits and tactics. One example is NotPetya, which was designed to look like a ransomware attack using the leaked NSA tool, EternalBlue,” Mokady explained. “Analysis shows that it was initially targeted at Ukrainian entities. That threat wreaked havoc, causing more than $10 billion in damage worldwide. It closed the NHS in the UK, as well as global organizations like Maersk and Merck.”
Prior to the invasion of Ukraine, attackers defaced several websites of Ukrainian government agencies, as well as the embassies of key allies. Two pieces of malicious wiper malware planted on servers in Ukraine were also discovered. The day Russia began its invasion of Ukraine, Viasat, a US satellite communications provider, came under attack, and recent reports indicate that threat actors are still active and continuing deliberate attempts to cripple the network.
Global organizations at risk
The threat landscape is active 24/7. Being prepared for cyber attacks should be standard operating procedure. President Biden issued a statement urging vigilance and the need to strengthen cyber defenses immediately. Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technology, noted that US intelligence agencies have seen evidence of preparatory work involving nation-state actors: increased scanning and probing for vulnerabilities.
Mokady told me that Russia and Russian cybercriminals are not the only threats. Major cyber threats have also been attributed to other well-known nation-state actors. There are also several cybercrime gangs, including Lapsus$, which made headlines recently with high-profile attacks against Okta, Microsoft, Nvidia, Samsung and others.
Be prepared for cyber attacks
“Organizations must be prepared. There has been an increase in phishing campaigns targeting Ukraine and NATO countries,” Mokady warned. “I think that the countries that have imposed sanctions against Russia are at risk. Russia may be laying the groundwork for the next stage of attacks, likely leveraging compromised identities to establish an initial foothold in networks and allow lateral movement through systems leaving little trace of malicious activity.”
Mokady added: “Identity is a common but often unaddressed thread underlying recent breaches and vulnerabilities. Only by assuming that any user, application, or bot can gain privileged access to sensitive data or systems, and that attackers will attack it, can security leaders effectively plan, predict, and expand their defensive approaches.”
He also shared that all businesses must be vigilant and prepared. It is important for organizations to ensure that operating systems and applications are patched and up-to-date, and review contingency plans and backup procedures to verify that they are ready. Mokady also emphasized that organizations can minimize the impact of potential attacks by applying identity-centric security best practices.
Mokady summarized: “Cybersecurity in the digital age, especially during heightened tensions between nation-states, is a tale of two cities. There are organizations that have a culture of security and prioritize protection and risk reduction, and there are organizations with a culture of compliance that do the bare minimum to tick the right boxes. A culture of compliance is not conducive to effective security and leadership plays a key role. Choose wisely which city you want to live in.”
As we mark the one-year milestone of the attack on Colonial Pipeline, and continue to anticipate broader or more damaging attacks from Russia as Putin continues his invasion of Ukraine, organizations around the world, regardless of size or industry, must be prepared and stay vigilant.