At the end of last week, Digital Shadow’s CISO, Rick Holland, released his blog Russian Cyber Threats: Practical Advice For Security Leaders. In that blog, Rick emphasized the importance of developing intelligence requirements to help understand the Russian threat to your organization. As the war between Russia and Ukraine continues, we in the Photon Intelligence team thought it would be helpful to share a public-facing version of our Priority Intelligence Requirements (PIRs). In doing so, we hope they inspire you to create your own, or adopt ours, to better prepare for the cyber threats arising from Russia’s invasion of Ukraine.
A quick recap on why we need intelligence requirements
While the PIRs we use at Digital Shadows (now ReliaQuest) could be helpful to you, the reality is that you will need PIRs that adequately capture the potential threat from offensive Russian cyber activity unique to your business. As such, it would always be best to create and adapt your own PIRs if you can. We published a blog last year titled Let’s Talk About Intel Requirements that will be a good read for anyone new to this concept. Simply put, intelligence requirements translate to questions that need answering regarding the threat landscape. These overarching requirements could come from your CISO, the Security Operations Center (SOC), or you might be working on a proactive project. But the questions are designed to help you gather the information you need to answer the original request. In this case, your CISO might say, “tell me everything you know about Russian cyber attacks.” Using intelligence requirements can help you cover every conceivable angle of that wide-reaching question. You don’t have to be MI6 or CIA to see the practical value of intelligence requirements.
PIRs are essential to any good response plan. They provide direction for an intelligence analyst to collect information. They also help plan resources and identify gaps in your current capabilities – both so important at a time like this. Research can become disjointed without the focus that PIRs bring, meaning you miss potential threats.
Below are our shareable PIRs that we’re using at Digital Shadows (now ReliaQuest) to drive our intelligence collection on the Russia-Ukraine war, along with a short explanation about why we’re interested in this information. For context, after some careful consideration, we’ve assessed some geographies and sectors to be at greater risk from Russia-linked cyber attacks – I’ll refer to these throughout this blog as “at-risk entities.” We assess these entities to be at greater risk because they are most likely to be affected by retaliation to the imposed sanctions. Clearly, Ukraine is most at risk, but so too are NATO and EU member states, and other countries that have imposed sanctions against Russia. The sectors we consider to be most at risk from Russia-linked attacks – where an attack would be most appealing to Russia and would cause the most impact – during the current crisis are below:
- Financial services
- Critical infrastructure
- Oil and gas
We can also drill down on these PIRs with some sub-IRs. Sub-IRs help focus collection further, ensuring you get the specific detail you need in each scenario. Some appropriate sub-IRs could be:
- Which threat actors or groups are conducting these campaigns?
- What is the motive behind the attack campaign?
- Has a supply chain been targeted?
Now, let’s dive in.
- What is the threat from Russia-linked offensive cyber activity targeting at-risk entities?
Offensive cyber activity targeted towards an at-risk entity could come in any form; destructive malware, DDoS attack, or perhaps extortion attempt. Any offensive cyber activity conducted during the current conflict will likely be difficult to attribute, although suspicions will point towards the Russian state. Learning from previous attacks is one of the best ways to defend against a future attack. And just because an attack hasn’t been attributed to a particular threat actor or group doesn’t mean there aren’t learning points.
Here are some things you could glean from an unattributed attack;
- The tactics, techniques, and procedures (TTPs) used
- Any IoCs connected with an intrusion
- MITRE ATT&CK techniques and the cyber kill chain used
You can pool all this information into planning for a tabletop exercise that Rick suggested was essential to defense and planning in his blog. Not only that, network defenders would do well to collate the TTPs, IoCs, and targeting preferences of prominent Russian APT groups like “APT28”, “APT29”, “Gamaredon”, and “Sandworm.” Use this information to protect against a Russia-linked cyber attack, rather than respond to one.
- What is the threat to Russia from offensive cyber activity?
While the focus is on cyber and kinetic attacks emanating from Russia, let’s not forget that Russia is also likely to be targeted. As the world condemns Russia’s actions, that condemnation could result in an offensive cyber attack directed at Russian infrastructure. An offensive attack on Russia by anyone, particularly governments in at-risk geographies, is interesting in its own right. But, what will be more interesting is what comes next.
While nothing suggests that Western states plan an imminent cyber attack on Russia, it is realistically possible, particularly if the war escalates further. Any such cyber attack would likely be disruptive and conducted to hamper Russia’s internal communications, causing their progress through Ukraine to slow. Such an attack would highly likely spark retaliatory action from Russia directed at the aggressor and potentially the aggressor’s allies. Any cyber attack on Russia should put us all on high alert and adopt the strategies considered in PIR1.
- What new malware campaigns have been observed targeting at-risk entities?
We’ve already seen two new types of malware, WhisperGate and HermeticWiper, being used in attacks against Ukraine. Both are designed to be destructive and mimic ransomware to throw security teams off the scent. Although only observed targeting Ukraine for now, it is realistically possible that these, or other, destructive malware could be used against any entity deemed a threat by the Russian state. With that in mind, it’s crucial to stay up to date with new malware campaigns so that new TTPs or IoCs can be incorporated into playbooks as soon as possible.
While campaigns to date have been for disruption purposes, it is realistically possible that Russian threat actors could deploy new malware for intelligence gathering purposes as the conflict continues. They may also consider attacking the supply chain in at-risk geographies to cause maximum impact and damage. Collecting information on these threats improves preparedness for these situations.
- What is the threat to at-risk entities from large-scale ransomware attacks?
The threat from ransomware attacks is unlikely to wane for any business during this troubled time. On top of that, the ransomware group “Conti” has stated that even though they do not support the ongoing conflict, they are supportive of Russia. The group claims they are willing to “use our full capacity to deliver retaliatory measures” against Western entities that target Russian Critical National Infrastructure (CNI), or the CNI in Russian-speaking countries. We also know that the cybercriminal group “Evil Corp” is linked to the Russian state, and they frequently dabble in ransomware. Therefore, it is realistically possible that Russia will direct Russia-associated ransomware groups to conduct a cyber attack against an at-risk entity during this time. Any such direction will likely remain a well-kept secret between the Kremlin and the ransomware operators. Regardless, keeping watch on ransomware developments, and gathering TTPs and IoCs, will improve your organization’s chances of responding successfully to an attack should it come.
The most active ransomware group in Q4 2021, “LockBit”, also released a statement over the weekend claiming they are apolitical and are just in it for the money. While that’s not entirely bad news for organizations concerned about threats arising from the Russia-Ukraine war, I suppose it’s not really good news either. LockBit’s activity levels have been very high for at least the past six months, and I’m guessing they won’t let geopolitical events stand in the way of maintaining that record.
- What is the threat to CNI in at-risk geographies from Russia-linked cyber attacks?
Clearly, all attacks on CNI are a big deal for any nation. Targeting CNI sends a direct message from the perpetrators – they are there to cause the most significant impact on the targeted country. In 2016, the Russian government conducted a cyber attack on the Ukrainian power grid using the “KillDisk” malware. The malware overwrote critical system files on operator machines, causing them to crash and become inoperable, resulting in a power outage for over one hour. Russia is a heavyweight in oil and gas production. It stands to reason that Russia might target this sector in response to sanctions imposed against them – hit ‘em where it hurts, so to speak.
Any attack on CNI during this period of conflict will likely highlight Russia’s targeting interests and which nation is causing them the most concern. Being aware of any such attack will help other countries prepare for an attack in kind. Incorporate TTPs and IoCs into playbooks at the earliest opportunity and position security teams to be on high alert. Organizations that provide support to CNI should also be on high alert. With cyber threat actors often favoring supply-chain attacks, it’s realistically possible that Russia-linked threat actors will compromise third parties as a means to disrupt the critical processes of a nation opposing their regime.
- What are the most significant geopolitical changes to the Russia-Ukraine war?
While we don’t need to monitor every kinetic action that Russia or Ukraine take, keeping up to date with significant changes to the geopolitical situation is key to planning cyber defenses. Russia’s expulsion from SWIFT is a key example of a development likely to have a demonstrable impact on cyber risk. For a while, it wasn’t clear if the West would take this step, but now having done so, it’s realistically possible this could steer Russia towards conducting additional cyber attacks. Likewise, were Kyiv city to be taken or Ukrainian President Zelensky deposed or assassinated, it’s realistically possible that the developments could trigger a cyber response from Ukraine’s allies. Staying up to date with geopolitical developments will likely help predict if a cyber attack may come your way.
- How are cybercriminals reacting to the Russia-Ukraine war?
It’s always interesting to know what cybercriminals are talking about when it comes to current events. Usually, we’re looking for reactions to law enforcement takedowns and arrests, but their opinions on geopolitical events could also provide us with clues on how best to defend our networks. We’ve already started collecting cybercriminal reactions to the Russian invasion. Perhaps cybercriminals might discuss whether they plan to suspend or increase their activity. They might even discuss likely targets in the Western world that could fall victim to a Russia-linked attack. They might not. But tracking cybercriminal reactions typically provides insight into what comes next in the cybercrime threat landscape and, therefore, should not be forgotten when deciding PIRs.
- How are hacktivists reacting to the Russia-Ukraine war?
Hacktivist groups have already waded into the Russia-Ukraine war, launching attacks against several Russia-linked entities. At the time of writing, the hacktivist group “Anonymous” has claimed responsibility for DDoS attacks on Russian government websites and the state broadcaster Russia Today (RT). Anonymous says they plan to keep Russian IT systems and hackers busy, so they don’t have a chance to conduct a cyber attack on Ukraine or the West. However, pro-Russian hacktivists have also been active against Ukrainian websites, launching DDoS attacks in their spare time. While hacktivism is typically not directed by the states with which these groups affiliate themselves, it is an excellent indication of political feeling amongst the hacking community. Like cybercriminal reactions, tracking the reactions of hacktivist collectives could prove helpful when creating PIRs and planning responses.
Once you have developed your requirements or questions, you’re probably wondering how you go about answering them. After planning, the next stage in the intelligence cycle is collection. Creating an intelligence collection plan is ideal for structuring your collection efforts and identifying what resources and sources you’ll need to answer your PIRs. Look out for more Digital Shadows (now ReliaQuest) content on this in the next week.
Digital Shadows (now ReliaQuest) has been closely monitoring cyber threats associated with the Russia-Ukraine war. For more Digital Shadows (now ReliaQuest) intelligence on events in Ukraine and Russia, please visit: https://resources.digitalshadows.com/russian-news-and-updates. While this blog focuses on threats emanating from Russia, Rick’s final sentiment remains as important as ever; don’t hyperfocus on a single threat; build a program that protects against most threats.