This past week has seen an inundation of notifications concerning Russia’s overt and covert efforts to set the stage for a pretext to invade Ukraine once again. The realpolitik of the Russian efforts, and the media focus, is on the likelihood of Russia taking this course of action.
These preparatory actions include a widespread cyber component. CISOs of entities in defense, intelligence, or critical infrastructure should be monitoring what is taking place in Ukraine and heeding the advisories being issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Microsoft and others.
Cyberattacks on Ukraine
On January 14 at approximately 0200 hours the cyberattacks began. Within the hour news of the hacks began appearing within the Russian media. Approximately 70 Ukrainian government websites saw their forward-facing web presence defaced, and a static message posted in Russian, Ukrainian, and Polish in essence told Ukrainians their personal information was compromised and that they should “be afraid and expect the worst.”
Later that day, Oleksiy Danilov, secretary of the National Security and Defence Council of Ukraine, told Sky News, “We can clearly track their signature. These are the Russian specialists who perform these actions. I am 99.9% sure” Russia was behind these attacks.
Subsequently, Serhiy Demedyuk, deputy secretary of the Defence Council, was more precise in assigning attribution to UNC1151, which he identified as “… a cyber-espionage group affiliated with the special services of the Republic of Belarus.” He added that UNC1151 has in the past attacked targets in Lithuania, Latvia, Poland and Ukraine.
Demedyuk went on to say the defacement activities were a smokescreen: “The defacement of the sites was just a cover for more destructive actions that were taking place behind the scenes and the consequences of which we will feel in the near future.” He described those efforts as having encrypted some government servers, using malware with characteristics similar to those used by the APT29 group.
“The group specializes in cyber espionage, which is associated with the Russian special services (Foreign Intelligence Service of the Russian Federation) and which, for its attacks, resorts to recruiting or undercover work of its insiders in the right company,” said Demedyuk.
CISOs take heed of state-sponsored attack warnings
Microsoft on January 15 hit the industry klaxon hard in a blog post, “Malware attacks targeting Ukraine government,” by Tom Burt, vice president of customer security and trust. It discussed the “destructive malware in systems belonging to several Ukrainian government agencies and organizations that work closely with the Ukrainian government.”
Burt went on to say the malware is disguised as ransomware, but “if activated by the attacker renders the infected computer system inoperable.” Targeted entities, according to Burt, include “… government agencies that provide critical executive branch or emergency response functions and an IT firm that manages websites for public and private sector clients, including government agencies whose websites were recently defaced.”
Microsoft Threat Intelligence Center simultaneously posted a technical blog post, “Destructive malware targeting Ukrainian organizations.” It highlighted how the malware was first detected on January 14 (the date reflects time zone differences between Ukraine and the U.S.) and contained a call to action: “We strongly encourage all organizations to immediately conduct a thorough investigation and to implement defenses using the information provided in this post.”
The Microsoft advisory was preceded by CISA, FBI and NSA noting Russia poses a cyber threat to U.S. critical infrastructure in a January 11 note to industry, wherein they urged “the cybersecurity community—especially critical infrastructure network defenders—to adopt a heightened state of awareness, conduct proactive threat hunting, and implement the mitigations identified in the joint CSA – Alert AA22-011A ‘Understanding and mitigating Russian state-sponsored cyber threats to U.S. critical infrastructure.’”
The joint alert contained three action items which, if taken, may “reduce the risk of compromise or severe business degradation.”
- Be prepared: Confirm reporting processes and minimize personnel gaps in IT/OT security coverage. Create, maintain, and exercise a cyber incident response plan, resilience plan, and continuity of operations plan so that critical functions and operations can be kept running if technology systems are disrupted or need to be taken offline.
- Enhance your organization’s cyber posture: Follow best practices for identity and access management, protective controls and architecture, and vulnerability and configuration management.
- Increase organizational vigilance: Stay current on reporting on this threat.
Russian cyberattack sets the table
The White House declared the U.S. intelligence community has detected Russian efforts to deploy individual assets in east Ukraine to conduct sabotage operations. The warning from the White House was explicit: “The operatives are trained in urban warfare and in using explosives to carry out acts of sabotage against Russia’s own proxy-forces.”
Coupled with the cyberattack, which was allegedly launched from Belarus, this displays to the world the Kremlin’s wish for plausible deniability as it puts the pieces of its offensive puzzle in place in support of a potential Russian invasion of Ukraine.
The call-out by both Ukraine and the United States serves to remove this fig leaf and lays bare the Russian efforts to both the international community and perhaps more importantly, the domestic Russian audience. In a press briefing, Jake Sullivan, national security advisor, reiterated the U.S.’s position should Russia invade Ukraine, “The United States and our allies and partners are prepared for any contingency, any eventuality. We’re prepared to keep moving forward down the diplomatic path in good faith, and we’re prepared to respond if Russia acts.”