As War Wages in Ukraine, Russian Hackers Expand Targets Abroad in Cyber Attacks
Russian Hackers Continue to Target Businesses, Governments in Global Cyber Attacks
Carley Kimball, Media Specialist
The war in Ukraine continues to dominate headlines as Russian forces attempt to overtake the nation. But physical attacks aren’t the only way that Russia attempts to exert its influence on a global scale.
In April, the cybersecurity authorities of the United States, Australia, Canada, New Zealand, and the United Kingdom released a joint Cybersecurity Advisory (CSA) warning organizations that “Russia’s invasion of Ukraine could expose organizations both within and beyond the region to increased malicious cyber activity. This activity may occur as a response to the unprecedented economic costs imposed on Russia as well as materiel support provided by the United States and U.S. allies and partners.”
The advisory warned of the following state-sponsored groups conducting malicious cyber operations against IT and/or OT networks:
- The Russian Federal Security Service (FSB), including FSB’s Center 16 and Center 18
- Russian Foreign Intelligence Service (SVR)
- Russian General Staff Main Intelligence Directorate (GRU), 85th Main Special Service Center (GTsSS)
- GRU’s Main Center for Special Technologies (GTsST)
- Russian Ministry of Defense, Central Scientific Institute of Chemistry and Mechanics (TsNIIKhM)
But it isn’t just state-sponsored groups that governments and businesses need to worry about. Just a few weeks ago, the pro-Russian “hacktivist” group Killnet “declared war” against 10 nations in a video address on its Telegram channel:
“Greetings to all our enemies, today we officially declare cyber war on the government of ten countries. From now on, our attacks will include the United States, Great Britain, Germany, Italy, Latvia, Romania, Lithuania, Estonia, Poland and Ukraine,” the statement explained.
Attacks against websites in Germany, Italy, Romania, Norway, Lithuania, and the U.S. have increased recently, as Ukrainian allies show their support in sending money and supplies.
Governments and organizations across the globe are watching the virtual side of war closely as it unfolds.
“In recent years, both the U.S. and EU have intensified their collaboration with Ukraine on cybersecurity,” a recent study by GIS read. “This is because Ukraine has become a testing ground for Russia’s advanced cyberattacks on critical infrastructure, and the West can learn much from Russian cyber strikes against Ukraine.”
The study notes a troubling rise in cyber vulnerabilities – specifically reflecting last year’s U.S. Colonial Oil Pipeline DDoS attack by the Eastern European Ransomware-as-a-Service group Darkside that led to shocks in the supply chain, nearly 100 gigabytes of stolen data and a ransom paid of $4.4 million.
Additionally, SolarWinds Orion business software was infected the prior year with malware from the Russian hacking group APT29, aka “Cozy Bear,” that impacted thousands of organizations in the U.S. and abroad.
In response to such attacks, the U.S. Government passed the Strengthening American Cybersecurity Act (SACA) in March that requires federal agencies as well as owners and operators of critical infrastructure to report cyberattacks within 72 hours and ransomware payments within 24 hours.
But, despite the legislation, unease permeates throughout businesses in the U.S., with the Wall Street Journal reporting executives’ concern in warding off cyber threats. This year, ransomware has continued its upward trend with an almost 13% rise – an increase as big as the last five years combined, Verizon noted in its 2022 Data Breach Investigative Report.
With the average cost of a ransomware breach totaling a whopping $4.62m, according to IBM’s Cost of a Data Breach Report, it’s no wonder that business leaders are concerned.
U.S., Australian, Canadian, New Zealand, and UK cybersecurity authorities are urging critical infrastructure network defenders to prepare for and mitigate potential cyber threats as the war in Ukraine wages on—including destructive malware, ransomware, DDoS attacks, and cyber espionage—by hardening their cyber defenses and performing due diligence in identifying indicators of malicious activity.
Microsoft, through observing the war unfold and working directly with clients affected by Russian actors, has released a report of their observations and recommendations thus far.
“As the conflict persists and countries provide more military assistance to Ukraine or take more punitive measures against the Russian government, Russian nation state threat actors may be tasked to expand their destructive actions in retaliation against targets outside of Ukraine,” Microsoft warns.
Taking into consideration the methods of hacking groups, Microsoft recommends that IT security teams take the following precautions to protect against data loss, DDoS and other cyberthreats:
- Minimize credential theft and account abuse: Protecting the identities of users is a key requirement to securing networks and resources from attackers. Enable multi-factor authentication and identity detection tools. Additionally, customers are urged to apply least privilege access and secure the most sensitive and privileged accounts and systems.
- Secure internet-facing systems and remote access solutions: Internet facing systems should be secured against external attacks by ensuring they are updated to the most secure levels, regularly evaluated for vulnerability, and audited for changes to the integrity of the system. Anti-malware solutions and endpoint protection should be enabled for detection and prevention of attackers. Legacy systems should be isolated to prevent them from being an entry point for persistent threat actors. Remote access solutions should require two-factor authentication and be patched to the most secure configuration.
- Leverage anti-malware, endpoint detection, and identity protection solutions: A combination of defense-in-depth security solutions, paired with trained and capable personnel, can empower an organization to identify, detect, and prevent intrusions impacting business. Enabling cloud protections allows identification and mitigation of known and novel threats to your network at scale.
- Enable investigations and recovery: If a threat is detected in the environment, it is critical to have auditing of key resources to enable investigations. Customers are urged to have and exercise an incident response plan to prevent any delays or decrease dwell time for destructive threat actors. Customers are urged to have a backup strategy that accounts for the risk of destructive actions and prepare to exercise recovery plans.
- Defend against destructive attacks: Destructive attacks observed in Ukraine have similar characteristics and mitigations to Ransomware scenarios that Microsoft has identified worldwide in recent years. Microsoft offers guidance to help safeguard organizations against destructive attacks by leveraging features within Defender such as Attack Surface Reduction (ASR) and Controlled Folder Access (CFA). These features have been successful in defeating destructive attacks in Ukraine and elsewhere.
- Review and implement “best practices” for defense in depth: Microsoft has developed extensive resources and best practices that provide clear actionable guidance for security-related decisions. These are designed to help improve security posture and reduce risk whether the environment is cloud-only, or a hybrid enterprise spanning cloud(s) and on-premises data centers. Microsoft’s Security Best Practices covers topics such as governance, risk, compliance, security operations, identity and access management, network security and containment, information protection and storage, applications, and services.
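The two Defender features named in the recommendations above, Attack Surface Reduction (ASR) rules and Controlled Folder Access (CFA), can be rolled out from PowerShell. The script below is an added example written for this article; it is not code from the original page or from Microsoft. It assumes an elevated PowerShell session on a Windows host running Microsoft Defender Antivirus, and it uses the documented Defender cmdlets (`Add-MpPreference`, `Set-MpPreference`, `Get-MpPreference`, `Get-WinEvent`). The rule GUIDs are Microsoft’s published identifiers for the named ASR rules; the function names and the 24-hour review window are the example’s own choices. It follows the practice of enabling both features in audit mode first, reviewing the events they generate, and only then switching to block mode, so that a rule does not break a line-of-business application unexpectedly.

```powershell
# Added example: staged rollout of Defender ASR rules and Controlled Folder Access.
# Run in an elevated PowerShell session on a Windows host with Microsoft Defender Antivirus.

# Microsoft's documented GUIDs for the ASR rules most relevant to ransomware and credential theft.
$AsrRules = @{
    'Use advanced protection against ransomware'               = 'c1db55ab-c21a-4637-bb3f-a12568109d35'
    'Block credential stealing from LSASS'                     = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
    'Block executable content from email client and webmail'   = 'be9ba2d9-53ea-4cdc-84e5-9b1eecee1381'
    'Block Office applications from creating child processes'  = 'd4f940ab-401b-4efc-aadc-ad5f3c50688a'
}

# Apply the selected ASR rules in the requested mode ('AuditMode' to observe, 'Enabled' to block).
# Add-MpPreference merges into the existing rule list, so re-running with a new mode updates the action.
function Set-AsrRuleMode {
    param([Parameter(Mandatory)][ValidateSet('AuditMode', 'Enabled')][string]$Mode)
    foreach ($rule in $AsrRules.GetEnumerator()) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $rule.Value `
                         -AttackSurfaceReductionRules_Actions $Mode
        Write-Host ("ASR {0,-9} {1}" -f $Mode, $rule.Key)
    }
}

# Put Controlled Folder Access in the requested mode and optionally trust specific application paths
# (CFA otherwise blocks unknown executables from writing to Documents, Pictures, Desktop, etc.).
function Set-CfaMode {
    param(
        [Parameter(Mandatory)][ValidateSet('AuditMode', 'Enabled')][string]$Mode,
        [string[]]$AllowedApps = @()
    )
    Set-MpPreference -EnableControlledFolderAccess $Mode
    foreach ($app in $AllowedApps) {
        # Hypothetical allow-list entry; real deployments add only vetted line-of-business binaries.
        Add-MpPreference -ControlledFolderAccessAllowedApplications $app
    }
    Write-Host ("CFA {0,-9} allowed apps: {1}" -f $Mode, ($AllowedApps -join ', '))
}

# Pull the Defender operational events produced by both features so the audit period can be reviewed.
# Event IDs: 1121 = ASR blocked, 1122 = ASR audited, 1123 = CFA blocked, 1124 = CFA audited.
function Get-DefenderProtectionEvents {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122, 1123, 1124
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { $_.Message.Split("`n")[0] } }
}

# Show the current ASR and CFA configuration for verification.
function Get-ProtectionStatus {
    Get-MpPreference |
    Select-Object EnableControlledFolderAccess,
                  AttackSurfaceReductionRules_Ids,
                  AttackSurfaceReductionRules_Actions
}

# Stage 1: observe only. Leave this in place long enough to cover normal business activity.
Set-AsrRuleMode -Mode AuditMode
Set-CfaMode -Mode AuditMode

# Stage 2: review what would have been blocked, then enforce once the allow-list is settled.
Get-DefenderProtectionEvents -Hours 24 | Format-Table -AutoSize
# Set-AsrRuleMode -Mode Enabled
# Set-CfaMode -Mode Enabled -AllowedApps 'C:\Program Files\ExampleVendor\backup.exe'  # placeholder path

Get-ProtectionStatus
```

The audit-then-enforce sequence is the part worth keeping: an audit event with ID 1122 or 1124 tells you which legitimate process would have been blocked, so the allow-list can be built from evidence rather than guesswork before any rule is switched to block mode. At scale the same settings are normally pushed through Intune or Group Policy rather than run per host, but the cmdlets above are what those policies ultimately configure.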
As tensions remain high in the U.S. and abroad, it remains unclear just how many businesses could be affected by malicious actors aiming to steal information and sow instability in the global economy. As a Microsoft Gold Partner with nearly 30 years of experience, GDC’s Security Threat Management experts can help businesses, educational institutions, and public entities navigate the nuances of cyberthreats and provide guidance in patching vulnerabilities. When it comes to threats like ransomware, proactive measures are essential in preventing data loss and ensuring sensitive employee and client information remains secure.