Russia and Ukraine have had a particularly tense relationship since Russia’s annexation of Crimea in 2014. In the past weeks, we’ve observed Ukraine being at the centre of escalating rhetoric and military activity between Russia and Western powers. Currently, more than 100,000 Russian troops are reportedly amassed along the Ukrainian border and are prompting concerns of a potential invasion in the short-term.

Several bilateral and multilateral meetings have been held in the past weeks to avert any military escalation, with little lasting progress. Political leaders on both sides are lamenting the difficulties in reaching a peaceful agreement with the opposite parties, causing this tense situation to remain stalled for the moment. 

Beyond military pressure, Ukraine also stands vulnerable to the constant risk of cyber attacks threatening to paralyze its critical national infrastructure and delegitimize its current government. For this reason, this blog will dive into this complex geopolitical scenario and the potential cyber threats to organizations.

Preliminary cyber operations targeting Ukraine

Cyber operations are often used by state-sponsored threat actors in the initial phases of a conflict to achieve a series of short- and medium-term gains over their adversaries. In the context of hybrid warfare, states have developed an impressive toolkit of operations in the digital sphere that can severely endanger their opponent’s security. These operations can range from disinformation campaigns aimed at sowing discord and unrest, to destructive malware attacks aimed at causing significant damages to a country’s supply chain. 

Since the beginning of 2022, Ukraine has been impacted by several high-profile cyber attacks. Although no firm attribution has been provided yet on these attacks, we assess that the attacker’s goal was to destabilize Ukraine and make its government look fragile. Here’s a brief recap of what’s happened in the past weeks:

  • Between 13 and 14 January 2022, a threat actor defaced the websites of more than 70 government agencies in Ukraine, impacting the Ukrainian Foreign Ministry, the Ministry of Education and Science, and other state services. These attacks rendered several of these websites inaccessible, and left threatening messages for Ukrainian citizens, stating that they should “be afraid and expect the worst”. 
  • On 15 January 2022, Microsoft announced that it detected a destructive wiper malware “WhisperGate” being installed onto computer systems hosting the defaced government websites mentioned above. The WhisperGate malware was designed to initially look like ransomware, although its true purpose was to destroy or render Ukrainian government systems inoperable.
  • On 31 January 2022, Symantec researchers published details about an ongoing cyberespionage campaign targeting Ukrainian entities, that has been attributed to Russian state-associated threat group “Gamaredon”.

Russia has denied any involvement in the WhisperGate campaign, but the Ukrainian Digital Transformation Ministry and independent security researchers have stated that all evidence points to an attack likely linked to or backed by the Russian government. Either way, it is undoubted that these campaigns affected Ukraine way beyond the cybersphere. Additionally, it is essential to consider the potential impact of such operations against third party entities via collateral damage. 

So, who should be concerned by these attacks? The short answer is: check your threat model. If Russian advanced persistent threats (APTs) are in your threat model and you operate in the field of critical national infrastructure, you may be at high risk of cyber attacks if the Russia-Ukraine situation escalates. For this reason, the next section will cover the tactics, techniques, and procedures (TTPs) typically used by Russian state-linked threat actors.

The TTPs of Russian state-associated APTs

Monitoring Russia-associated threat actors is a daunting task for every security team. Russia is one of few countries with proven offensive cyber capabilities whose state-linked APT groups are technically sophisticated and well-resourced. These groups typically act at the direction of the Russian state, focusing on strategic intellectual property that may be advantageous to Russia, and have conducted several high-profile attacks in the past, including the DNC hack, and the supply-chain attack leveraging SolarWinds’ Orion platform

Politically-motivated threat groups linked to the Russian Federation have demonstrated sophisticated technical skills and intrusion capabilities over the years. Possible activity may include the offensive deployment of information-stealers and destructive malware.

Targets of Russia-linked APT groups vary and often depend on the strategic interests of Russia, but tend to include organizations that possess highly profitable proprietary data and sensitive economic information. Governments are a common target, but private-sector organizations that maintain valuable data are equally vulnerable. In the context of this tense situation with Ukraine, Western organizations operating in the critical infrastructure sectors may realistically be targeted as well in order to thwart Ukrainian allies’ efforts.

Russia-linked threat actors are likely to conduct cyber operations in the early stages of a conflict in two main ways: by deploying destructive malware and using psychological warfare techniques to control narratives. Notable examples of the first approach include the 2015 cyberattack on Ukraine’s power grid attributed to the Russia-backed APT group “Sandworm” and the 2017 deployment of the “NotPetya” malware. Additionally, Russia’s playbook includes proven disinformation strategies to spread inflammatory, false, and misleading narratives both domestically and internationally. As such, it is likely that Russia would use both these techniques in conjunction with preliminary military offenses as part of its hybrid warfare capabilities.

Although it seems likely that Ukraine would feel the brunt of Russia’s cyberattacks, activity could potentially spill out globally – affecting Europe, the US, and NATO countries – as the NotPetya campaign did in 2017, causing a total of USD 10 billion in damage. The NotPetya attack serves as a reminder that a widespread cyber attack can inflict damage on multiple business sectors globally, disrupting economic activity and interconnected supply chains.

Russia’s regular use of cyber-warfare in its military and political planning indicates that Ukraine’s allies operating in any sector related to critical national infrastructure are subjected to higher levels of risk from Russian-backed threat actors. 

What’s the word in dark web cybercriminal forums?

To gain a more comprehensive picture of how cybercriminals are reacting to the possibility of a conflict in Ukraine, we have been monitoring Russian-language cybercriminal forums for chatter on this topic. Interestingly enough, forum users seemingly avoid talking about the current situation as much as possible. 

This happens for two main reasons. First, most people in these forums live in areas directly or indirectly linked to this potential conflict and are treating the potential invasion as a sort of elephant in the room. It’s important to remember in this instance that since the Russian annexation of Crimea in 2014, this situation has been ever present in these two countries and never far from the headlines. Secondly, most users on the forum are currently more concerned about what’s happened with REvil and the risk of being targeted by Russian law enforcement authorities. As we’ve seen with the latest takedown of credit card theft forum, SKY-FRAUD, Russia-based cyber criminals may not feel comfortable anymore and are increasingly afraid of further seizures in their market.

Finally, it will be interesting to see how Russia-based cyber criminals react to a potential war with Ukraine. With both countries’ focus directed on the conflict, cybercriminals may have less eyes on them and could feel freer to operate undisturbed. Additionally, targeting Ukraine by Russian-language cybercriminals is currently not allowed on forums. Would the situation change in the event of a potential invasion? No firm answer can be given yet and, hopefully, we will never be in the situation to find out. 

How to detect and remediate potential attacks

In situations like this one, raising the alert for cyber attacks can support organizations in prioritizing staffing and proactive defensive measures, thus increasing the chances to prevent an attack or recover quickly from it. Ultimately, any organization needs to make a thorough assessment of the current risk, the cost of implementing a comprehensive defensive strategy, and the potential costs stemming from a successful intrusion by an adversary. 

Organizations can rarely influence the contextual threat level and should thus focus on significantly reducing the attack surface available to their adversaries. Although sophisticated, state-sponsored threat actors often have an enormous toolkit to try to compromise a target, and they often recur to simple techniques to target the most vulnerable organizations. As such, companies should prioritize the following actionable strategies to prevent being compromised:

  • Patch the vulnerabilities that are most likely to impact your organization and whose exploitation would cause the most damage;
  • Review privilege controls and enabling multi-factor authentication (MFA);
  • Update incident response playbooks in case of a successful exploitation;
  • Exercise a resilience plan to ensure continuity of operations;
  • Keep up to date with the latest threat and mitigation guidance issued by trusted institutions.

Given the current state of affairs, the FBI, CISA, and NSA have issued a joint advisory encouraging security professionals – in particular those working for critical infrastructure companies – to “adopt a heightened state of awareness and conduct proactive threat hunting”. Additionally, the NCSC renewed warning to UK businesses to monitor for Russian cyberattacks during the present period of heightened tension. Finally, Mandiant has provided actionable recommendations to protect organizations from adversaries’ movement along the cyber kill chain. The document discusses hardening external facing assets, protecting critical assets and on-premise lateral movement, and avoiding credential exposure. Implementing the measures recommended in these sources can greatly enhance the resilience of any organization concerned about the latest developments in this conflict.

Monitor this evolving risk with ShadowSearch™

Even if the situation between Russia and Ukraine doesn’t escalate in the coming weeks, applying the security measures described above can go a long way in preventing and quickly remediating cyber attacks stemming from a variety of threat actors with varying motivations and capabilities. 

Threat intelligence isn’t always about IOCs and attributing attacks to a specific actor. Understanding geopolitical developments goes a long way in contextualizing the activities occurring in the digital space. Here at Digital Shadows (now ReliaQuest), the Photon Research Team assesses the risks and cyber threats that come with high-profile global events and looks at the wider cyber-security concerns. This includes understanding the operational risks associated with a country and better dealing with or mitigating some of these exposure. Take a customized demo of SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) with us, and let us show you how to better equip yourselves against cyber threats out there. 

If you are a Digital Shadows (now ReliaQuest) client  with access to ShadowSearch, we’ve prepared a list of queries that you can use to stay on top of details as they emerge:

  • (type=[Intelligence] OR type=[Actor] OR type=[TTP]) AND tag=[Ukraine] AND date=[now-7d TO now]
  • type=[Intelligence updates] AND tag=[Russia (Russian Fed.)] OR tag=[Ukraine]
  • type=[Intelligence updates] AND tag=[Malware] AND tag=[Ukraine]
  • type=[Intelligence updates] AND tag=[Russia (Russian Fed.)] AND tag=[Disruption of Service / Operations]