The second front: The Ukraine cyber war


Some of today’s most destructive battles are fought not on the ground but in cyberspace. The Ukraine cyber war arguably began before the ground invasion did, with a series of cyber attacks on Ukrainian targets, and it will continue long after the fighting ends, directly affecting thousands of organisations worldwide.

Russia has long been recognised as one of the main perpetrators of cyber warfare. Russian state actors, state-supported actors and non-state actors have been behind recent attacks including the SolarWinds attack in December 2020, which infiltrated US government agencies, and the Colonial Pipeline attack in May 2021, which forced the main oil pipeline in the US to suspend operations for several days and almost brought the US Eastern Seaboard to a standstill.

More recently, ahead of the ground attack by Russian forces, the Ukraine cyber war ramped up. Russian cyber forces attacked online systems in Ukraine, shutting down government departments, banks and other businesses. As the Ukraine cyber war grew, cybersecurity agencies around the world, including the UK’s National Cyber Security Centre, began to urge organisations to improve their cyber resilience to avoid getting caught in the fallout.

Why does the Ukraine cyber war matter?

Hacker groups on both sides of the conflict have mobilised in the Ukraine cyber war. The Anonymous hacking collective stated its aim to attack the Russian government. On the other side, the Conti ransomware gang began to launch attacks in support of the Russian government. This in turn upset pro-Ukrainian cyber gangs, sparking a spate of retaliatory attacks.

For businesses worldwide, the Ukraine cyber war may pose the following threats:

An attack on a Ukrainian target goes viral

Cyber attacks are difficult to contain. If an attack is carried out on a supplier, or on a piece of shared code, it can reach thousands of organisations anywhere in the world. The NotPetya malware in 2017 is the classic example: it initially targeted a Ukrainian software company, and once that company was compromised, its legitimate update mechanism was used to distribute the malware as a software update, which then spread around the world and caused billions of dollars’ worth of damage. Given how interconnected Ukrainian businesses are with the rest of the world, this tactic could easily be used again.

Retaliation attacks against western targets

As western governments apply economic sanctions to Russia, Russia may well encourage its allied cyber gangs to attack western targets in retaliation. While the main targets are likely to be critical infrastructure, government agencies and major companies (many of which have acted against Russia), smaller organisations may be hit as collateral damage, used as diversions, or simply fall victim to opportunistic attacks.

Opportunist scams and phishing attacks

As people around the world look for ways to help, including donating money to causes supporting people displaced by the war on the ground, cyber criminals are busy crafting phishing attacks designed to lure well-meaning, charitable people into giving up sensitive information. These scams may deliver malware or ransomware, or harvest the credentials and details an attacker needs to gain access to an organisation.

Ukraine cyber war attack techniques to look out for

Cyber criminals have any number of attack techniques at their disposal, and all of them can be expected to be used as the Ukraine cyber war unfolds. Just some of the attacks to protect against include:

  • Ransomware – malware that encrypts data and locks systems until a ransom is paid
  • Wiper malware – malware that overwrites or corrupts data on infected systems so that it cannot be recovered
  • Zero-day attacks – attacks that exploit previously unknown weaknesses in supplier software before a patch exists
  • Denial of service attacks – flooding websites and applications with traffic to crash them and prevent them from serving customers
  • Network attacks – direct attacks on an organisation’s network
  • Privilege escalation – gaining access to a legitimate account and using it to obtain extra privileges and move further into the network

Also remember that some attacks may combine several of the above.

What should you do to avoid being hacked?

Effective cybersecurity initiatives take time and money to implement. While some protections will come too late for this particular phase of the Ukraine cyber war, they certainly add value to the wider, ongoing effort to defend the organisation.

Cybersecurity initiatives can be split into quick wins that will make a difference immediately, and longer-term efforts that should be implemented to fully protect the organisation.

Quick wins:

  1. Keep on top of the news – tap into professional and interest networks, share information with different teams in your organisation and gather intelligence from vendors, government and other sources. Know when new vulnerabilities are disclosed, then check whether they affect your organisation and act on them.
  2. Improve reporting and escalation channels so that employees can easily report suspicious activity.
  3. Enable and enforce multi-factor authentication on all systems that support it.
  4. Require employees to update to strong, complex passwords on all accounts.
  5. Remind employees how they can keep the organisation safe, including how to identify harmful links, spam messages and phishing attempts, and how to report them.
  6. Control the applications in use within the network and remove any that are not currently needed.
  7. Apply vendor patches as soon as possible to user devices, applications and operating systems. Ensure that all software in use is running on the latest version, as these contain the fixes for known weaknesses.
  8. Restrict admin privileges and, more generally, apply the principle of least privilege. Review access rights to ensure that there are no surprises, and remove old, unused accounts.
  9. Double-check that defences are configured correctly and are working – ensure antivirus and endpoint protection are installed and up to date on every system, and check that firewall rules are as expected.

Longer term actions:

  1. Invest in encryption for data at rest and in transit, including full-disk encryption on user computers.
  2. Review business continuity plans and incident management and response plans to ensure that the organisation is prepared in the event of a cybersecurity incident.
  3. Back up information regularly to a secure, separate location that can’t be reached from the main network (air-gapped). Test those backups regularly to ensure that they can actually be restored.
  4. Implement email security tools to reduce the risk from phishing and malicious attachments.
  5. Monitor the network 24/7.
  6. Examine the supply chain – ensure that attackers cannot reach you through your suppliers and the software you depend on.

Implementing a long-term cybersecurity programme takes work. Discover how we can help you protect your organisation now and in the future.
