With cyberattacks underway in Ukraine, both public and private sectors face new threats
Less than a week after the Russian invasion of Ukraine, top security firms are seeing cyberattacks levied against both countries. With the threat of a digital war looming, some businesses are already pulling data assets off of Ukrainian servers and adjusting their security stances. Experts share their advice for how organizations can protect their information.
Cyber war in Ukraine is no longer a theoretical possibility – it’s a reality
CrowdStrike – the Google-backed company responsible for identifying the Russian groups behind the 2015-2016 hacks of the DNC – is already seeing “indications of a broader information operation” under way in Ukraine, according to the company’s senior vice-president of intelligence Adam Meyers.
The firm has in recent weeks witnessed increased distributed denial-of-service (DDoS) activity in Ukraine. DDoS attacks are malicious efforts to overwhelm a targeted server and thereby disrupt normal traffic. One instance was found to be part of a larger operation to overwhelm Ukrainian government and financial institutions. At the same time, CrowdStrike – which has been publicizing Russian cyberattacks on Ukraine since 2014 – has seen recurring defacement of Ukrainian government sites, with messaging that indicates it could be related to what’s known as the ‘WhisperedDebate’ activity cluster and ‘WhisperGate’ wiper-related attacks against networks associated with the Ukrainian government.
Then on February 23 the firm detected what Meyers calls “a previously unidentified destructive ‘wiper’ malware” that was found on hundreds of Ukrainian hosts. It turns out Microsoft’s Threat Intelligence Center in Seattle detected the same malware – which appeared to be targeting Ukrainian government agencies – around the same time, per reporting by The New York Times. Microsoft was able to quickly notify Ukrainian authorities and block the virus on Ukrainian networks. Then came a flurry of activity as Microsoft moved to alert Poland, the Baltics and other European countries of the virus in the hopes of helping to mitigate its spread to Ukraine-allied networks.
Meanwhile, per reports on Tuesday by the Washington Post, a handful of independent pro-Ukraine hackers have taken on a mission of vigilante justice, levying various cyberattacks against Russia. These efforts have primarily focused on disabling or tampering with Kremlin-linked sites. Some ‘hacktivists’ have collaborated to form an ‘IT army’ to combat Russian propaganda (a mission that has even expanded to the advertising sector). Meanwhile, global hacking group Anonymous today said it will be waging a cyber war on Russia.
One thing is clear: cyber warfare in Ukraine and Russia is already under way.
The risks to businesses
It’s not only government agencies and ministries that are at risk; so too are the many Ukrainian businesses, and global businesses with footprints in Ukraine, that handle or store sensitive data. It’s worth noting that as Ukraine is not yet a member of the European Union – though it officially filed its application to join on February 28 – its citizens are not protected under the EU’s privacy- and consent-focused General Data Protection Regulation (GDPR).
“If you are a global company and do business with Ukraine or deal with any sort of supply chain component that has ties to Ukraine, there is a potential for collateral impact as a result of disruptive or destructive attacks that Russia-nexus adversaries may launch,” CrowdStrike’s Meyers tells The Drum.
Cloudflare, a US-based web infrastructure and security firm, was operating servers in Ukraine. Following Russia’s invasion of Ukraine, it decided to pull all customer cryptographic information off its Ukrainian servers. The company’s chief executive Matthew Prince posted a tweet explaining that the decision was made as a “precaution.”
A Cloudflare spokesperson tells The Drum that the company, like CrowdStrike, has been closely monitoring web activity in both Ukraine and Russia. It is seeing trends that could indicate movement on the horizon. Internet traffic in Kyiv and Kharkiv is down about 20% from average levels. Over the weekend, Cloudflare witnessed a “marked increase” in layer 7 DDoS traffic – a type of DDoS cyberattack that floods a site with HTTP or HTTPS requests so that the application layer runs out of resources to serve legitimate users – originating in Ukraine. At the same time, bot traffic in the country is up. The spokesperson says the two phenomena could be linked.
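The “marked increase” in layer 7 DDoS traffic that Cloudflare describes shows up, in a web server’s own logs, as a jump in HTTP request rate relative to a baseline, often with the extra requests concentrated in a few clients or automated user agents. The Python below is an added example, not code from the article, from Cloudflare or from CrowdStrike: it parses constructed access-log lines in Apache/nginx Combined Log Format, compares the most recent minute’s request rate against the preceding minutes, and reports how concentrated the spike is. The log lines, the thresholds (a 5x rate jump) and the function names are all assumptions made for this illustration.

```python
"""Added example: flagging a layer 7 (HTTP) flood in web access logs by
comparing the latest minute's request rate against a baseline window.
All log data here is constructed for the demonstration."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Combined Log Format: ip ident user [ts] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def bucket_by_minute(records):
    """Group parsed records by the minute in which they arrived."""
    buckets = defaultdict(list)
    for r in records:
        buckets[r["ts"].replace(second=0, microsecond=0)].append(r)
    return buckets


def flood_indicators(lines, baseline_minutes=3, rate_ratio=5.0, top_n=3):
    """Compare the last minute against the preceding `baseline_minutes`.

    A spike is marked suspicious when the request rate is at least
    `rate_ratio` times the baseline average (threshold is an assumption).
    Client concentration (share of the top `top_n` IPs) and the most
    common user agent are reported as context for an analyst, since a
    distributed flood may show low concentration."""
    records = [r for r in map(parse_line, lines) if r]
    buckets = bucket_by_minute(records)
    minutes = sorted(buckets)
    if len(minutes) < baseline_minutes + 1:
        raise ValueError("need at least baseline_minutes + 1 minutes of data")
    baseline = minutes[-baseline_minutes - 1:-1]
    current = buckets[minutes[-1]]
    baseline_rate = sum(len(buckets[m]) for m in baseline) / baseline_minutes
    current_rate = len(current)
    ip_counts = Counter(r["ip"] for r in current)
    top_share = sum(c for _, c in ip_counts.most_common(top_n)) / current_rate
    top_ua = Counter(r["ua"] for r in current).most_common(1)[0][0]
    ratio = current_rate / baseline_rate if baseline_rate else float("inf")
    return {
        "baseline_rate": baseline_rate,
        "current_rate": current_rate,
        "ratio": ratio,
        "top_clients_share": top_share,
        "top_ua": top_ua,
        "suspicious": ratio >= rate_ratio,
    }


def make_line(ip, ts, path, ua):
    """Build one constructed Combined Log Format line."""
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'


def constructed_sample():
    """Constructed data: three quiet minutes, then one spike minute."""
    base = datetime(2022, 2, 27, 10, 0, tzinfo=timezone.utc)
    lines = []
    for minute in range(3):  # baseline: four requests/minute from distinct clients
        for i in range(4):
            ip = f"203.0.113.{minute * 4 + i + 1}"
            lines.append(make_line(ip, base + timedelta(minutes=minute, seconds=i * 10),
                                   "/index.html", "Mozilla/5.0"))
    spike = base + timedelta(minutes=3)  # spike: 40 requests, 30 from three clients
    for i in range(30):
        lines.append(make_line(f"198.51.100.{i % 3 + 1}", spike + timedelta(seconds=i),
                               "/search?q=x", "python-requests/2.27"))
    for i in range(10):
        lines.append(make_line(f"203.0.113.{100 + i}", spike + timedelta(seconds=i * 5),
                               "/index.html", "Mozilla/5.0"))
    return lines


if __name__ == "__main__":
    print(flood_indicators(constructed_sample()))
```

On the constructed sample the baseline is 4 requests per minute against 40 in the spike minute, a 10x jump with three clients accounting for 75% of requests. In practice the baseline window would be hours or days rather than three minutes, and the rate threshold would be tuned per site; the concentration and user-agent fields are there so an analyst can tell a few noisy clients from a genuinely distributed flood.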
Cloudflare has good reason for its caution. It isn’t the first time privately-held businesses have faced major cyber threats. A global cyberattack in the summer of 2017 associated with a piece of disk-encrypting malware dubbed ‘NotPetya’ impacted companies in more than 60 countries, ultimately causing some $10bn worth of damages.
Meyers says that, right now, organizations should stay vigilant. “Companies should be implementing the best people, processes and technology available to build a strong foundation for a proactive defense against potential threats. We encourage all organizations to adopt a heightened security posture, especially when it comes to protecting their critical assets.” In particular, he says, companies should focus on monitoring and protecting their endpoints and cloud workloads as well as identity and data assets.
He suggests relying on what are known as ‘zero-trust’ security models, or frameworks that don’t rely on inherent trust of any user and require the continuous validation of users, whether they reside inside or outside of the organization. Zero-trust architectures have proven effective in mitigating identity-based attacks. Meyers also advises that organizations ensure they have access to strong threat intelligence, as it can be “crucial to understand[ing] the tactics, techniques and procedures that are most commonly used by Russian adversaries, along with related e-crime actors and hacktivists.”
The ripple effect
Outside of direct attacks, another key concern for companies with footprints in Ukraine may be the collateral effects of cyberattacks on public domains such as utilities. “Russian actors can target infrastructure and public utilities, creating a ripple effect that could impact any business,” says Tom Kelly, president and chief executive at IDX, a Portland, Oregon-based data breach response and privacy firm. “In the digital economy, company networks and enterprise security rely on a host of software applications and services. Any one of these could be compromised by Russian intelligence services.”
If the US or other players find themselves in a digital standoff with Russia, Kelly says, companies could start seeing outages and disruptions to key services. To mitigate these threats, he advises that organizations encrypt all their data, secure network devices, back up important information on company hard drives and increase diligence around patching and updates. He endorses employee security training to combat phishing and other approaches to malicious data harvesting, and suggests that organizations should have incident response teams “at the ready.”
Taking a measured approach
The notion of taking aggressive, forward-looking action isn’t endorsed by all players. Etay Maor, senior director of cybersecurity strategy at software company Cato Networks as well as an adjunct professor of cybersecurity at Boston College, cautions against trying to stand up a new security framework from scratch. “There’s not much you should – or probably are able to – do right now to change [your security posture] if you don’t have a security program in place already. Now is not really the time to try and implement new things,” he says.
Rather than making major, potentially rash changes, organizations with a presence in Ukraine should focus on raising awareness levels and monitoring activity more closely, says Maor. “What you should be doing to protect customer data or employees’ [data] is actually more of what you’ve done – and just be faster at it. Move from DEFCON 4 to DEFCON 3 and [act as] close to real-time as you can.”
A Department of Homeland Security spokesperson, speaking with The Drum, indicated that while the US is not concerned about immediate threats to the country, the government advises taking some extra precautions. “While there are not any specific, credible cyber threats to the US [at this time], we encourage all organizations – regardless of size – to take steps now to improve their cybersecurity and safeguard their critical assets,” said the spokesperson.