As the West seeks to isolate Russia by issuing measures aimed at hobbling its economy, the country might retaliate with a tool of war it has been honing for some time: state-sponsored cyberattacks. Although Russia is suspected to have launched such attacks before, the scale and scope could be much bigger this time, experts warn.


Russia already launched two separate malware attacks against targets in Ukraine earlier this year, before its bombing campaign began, according to a Feb. 26 alert issued by the Cybersecurity and Infrastructure Security Agency (CISA).

Microsoft discovered the first version of malware, called “WhisperGate,” which “is intended to be destructive and is designed to render targeted devices inoperable,” CISA said.

Microsoft alerted the U.S. government about the malware, provided technical advice on how to stop its spread, and then provided “threat intelligence and defensive suggestions to Ukrainian officials,” according to a Feb. 28 blog post authored by Microsoft President and Vice Chair Brad Smith.

The second malware attack Russia launched against Ukraine was called “HermeticWiper,” and it worked by targeting “Windows devices, manipulating the master boot record, which results in subsequent boot failure,” CISA said.
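To make concrete what "manipulating the master boot record" touches, the script below is an added example that is not code from the page, CISA, or Microsoft: it parses the first 512-byte sector of a disk (boot code, four partition entries, 0x55AA signature), records a SHA-256 baseline, and re-verifies the sector so that an overwrite is caught before the next reboot fails. The sector image is constructed inline, and the zero-fill used to simulate an overwrite is a hypothetical stand-in, not a reproduction of any particular wiper's behaviour.

```python
"""Baseline-and-verify check for a disk's master boot record (MBR).

Added example (not from the page). Validates the structure of a 512-byte
MBR image and compares it to a recorded hash, so that a destructive overwrite
of the first sector is detected while the system is still running.
"""
import hashlib
import struct
from typing import Dict, List, Optional

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446           # 446 bytes of boot code precede the table
BOOT_SIGNATURE = b"\x55\xaa"           # bytes 510-511 of a valid MBR
# One 16-byte entry: status, (3-byte CHS start skipped), type,
# (3-byte CHS end skipped), LBA start, sector count; all little-endian.
PARTITION_ENTRY = struct.Struct("<B3xB3xII")


def parse_partition_table(mbr: bytes) -> List[Dict[str, int]]:
    """Return the four primary partition entries of a 512-byte MBR."""
    entries = []
    for i in range(4):
        status, ptype, lba_start, sectors = PARTITION_ENTRY.unpack_from(
            mbr, PARTITION_TABLE_OFFSET + 16 * i)
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def mbr_fingerprint(mbr: bytes) -> str:
    """SHA-256 of the whole sector; store this when the disk is known-good."""
    return hashlib.sha256(mbr).hexdigest()


def check_mbr(mbr: bytes, baseline: Optional[str] = None) -> List[str]:
    """Return a list of findings; an empty list means the sector looks intact."""
    findings = []
    if len(mbr) != SECTOR_SIZE:
        return [f"unexpected sector length {len(mbr)}"]
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    entries = parse_partition_table(mbr)
    if all(e["type"] == 0 for e in entries):
        findings.append("partition table empty")
    for i, e in enumerate(entries):
        if e["status"] not in (0x00, 0x80):      # only inactive/bootable are valid
            findings.append(f"entry {i}: invalid status byte 0x{e['status']:02x}")
        if e["type"] != 0 and e["sectors"] == 0:
            findings.append(f"entry {i}: zero-length partition")
    if baseline is not None and mbr_fingerprint(mbr) != baseline:
        findings.append("sector hash differs from recorded baseline")
    return findings


def build_sample_mbr() -> bytes:
    """Constructed sample: placeholder boot code plus one bootable NTFS partition."""
    boot_code = bytes([0xEB, 0x63, 0x90]) + b"\x00" * (PARTITION_TABLE_OFFSET - 3)
    table = PARTITION_ENTRY.pack(0x80, 0x07, 2048, 1_000_000)  # active, NTFS, 2048+
    table += b"\x00" * (16 * 3)                                 # three unused slots
    return boot_code + table + BOOT_SIGNATURE


def simulate_overwrite(mbr: bytes) -> bytes:
    """Hypothetical stand-in for a wiper: the whole sector replaced with zeros."""
    return b"\x00" * len(mbr)


if __name__ == "__main__":
    # On a real host you would read the first 512 bytes of the disk device
    # (requires administrative rights) and keep the baseline hash off-box.
    good = build_sample_mbr()
    baseline = mbr_fingerprint(good)
    print("known-good sector:", check_mbr(good, baseline) or "OK")
    print("after overwrite:  ", check_mbr(simulate_overwrite(good), baseline))
```

The structural checks catch the obvious cases (missing signature, empty table) even without a baseline; the hash comparison is what catches a subtler rewrite of the boot code that leaves the table intact, so the baseline should be taken from a known-good image and stored where the host itself cannot alter it.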

These recent cyberattacks resemble an earlier version of malware launched by Russia in 2017 against Ukraine called “NotPetya,” said Alex Iftimie, a partner at Morrison & Foerster and former senior Department of Justice national security official.

At the time it was launched, the NotPetya attack crippled Ukrainian utilities, banks, and other key businesses. But then the malware spread to other computers in the United States, Denmark, and India. The attack cost corporations as varied as Merck, FedEx, and Danish shipping giant A.P. Moller-Maersk hundreds of millions of dollars in repairs to their networks, disrupted business, and lost sales, according to the Wall Street Journal.

“There’s a real concern about retaliatory cyberattacks by Russia or an attack aimed at Ukraine that spreads outside Ukraine,” Iftimie said. There’s also a risk Russia, which has always maintained a “permissive environment” for cybercriminals, he said, will simply stand back and allow these bad actors to launch attacks with impunity against Western governments and companies.

“The Russian invasion of Ukraine significantly elevates the cyber risk for the U.S. financial sector. Russia’s ongoing cyberattacks against Ukraine could spill over and damage networks outside of Ukraine—as has happened in the past,” said a Feb. 25 alert from the New York State Department of Financial Services (NYDFS). “Escalating tension between the U.S. and Russia also increases the risk that Russian threat actors will directly attack U.S. critical infrastructure in retaliation for sanctions or other steps taken by the U.S. government.”

The major difference between Russian malware now and NotPetya in 2017 will be the lack of subterfuge, experts said. NotPetya was engineered to resemble ransomware. During the days after the initial attack, victims were led to believe their systems were being attacked by criminal groups seeking ransom payments, instead of a state. Both WhisperGate and HermeticWiper initially presented as ransomware.

In the next round of cyberattacks, Russia will likely dispense with the sleight of hand, wanting its victims to know where the attack originated and why.

A Russian cyberattack could also launch as a joint effort between cybercriminal gangs and the state, experts said.

Russian security services could provide criminal groups with information collected about vulnerabilities in the cyber defenses of targets in the West, said Loney Crist, senior vice president, cybersecurity software development at IPKeys, a vendor that specializes in cybersecurity and compliance for utilities.

“They will have a lot more information than the typical hacker,” Crist said of the Russian government. “Their malware will be prepared to attack specific systems in a targeted way.” And unlike ransomware, which is a vehicle for extorting money for criminal groups, the Russians won’t launch malware with an economic motive.

“Their focus will be punching us back. Their objective is destruction and disruption,” Crist said.

How to respond to emerging cyberthreats

Cybersecurity experts said it is best to be on high alert for cyberattacks at the moment. This means empowering the security team, lowering the threshold for escalation regarding potential cyber incidents, testing response plans, and focusing on continuity of critical business functions, said Iftimie. At the same time, Iftimie said, the same cybersecurity fundamentals still apply.

“The reality is that all these attacks rely on an ability to get into a network. So, the technical response to that threat shouldn’t be all that different from what a mature organization is doing on a normal day,” he said.

Bad actors will be looking for outdated, vulnerable systems to attack, said Robert Nawy, chief executive officer at IPKeys.

“Firms should be asking themselves, ‘Are we properly patched? Are we continuously monitoring OT, IT, and cloud-based systems?’” Nawy said. “Firms should do all they can to lock the doors of their systems, monitor those locks, and comply with all applicable rules and regulations.”

Remember: Any firm’s most vulnerable link in its cybersecurity program is its people, said Crist. Train employees on methods hackers might use to trick them into handing over access to the system and where in the organization they should report those attacks after they occur, he added.

As Iftimie recommended, firms might consider lowering the threshold for reporting cybersecurity incidents to management and even law enforcement. Understanding, tracking, and addressing cyberattacks as they happen will be key to warding them off.

There is a chance Congress will pass a law mandating firms in certain critical industries report cyberattacks to the government. The “Strengthening American Cybersecurity Act” would require companies to report “substantial” cyberattacks to CISA within 72 hours. Introduced in February by Sen. Gary Peters (D-Mich.), the bill unanimously passed the Senate on Tuesday and now heads to the House.

Reporting incidents to law enforcement does two things that can be beneficial in this heightened threat environment: Government can better understand the type and scope of cyber threats witnessed by various organizations if those organizations report cyberattacks, and the government might be able to provide assistance and guidance on countermeasures against specific cyberattacks. Sharing information on emerging cyberthreats will be key, Iftimie said.

CISA and the Federal Bureau of Investigation (FBI) issued a Feb. 26 advisory on how organizations should prepare for and protect themselves against malware attacks emanating from Russia.

“Destructive malware can present a direct threat to an organization’s daily operations, impacting the availability of critical assets and data. While there is no specific, credible threat to the United States at this time, all organizations should assess and bolster their cybersecurity,” the advisory said.

CISA and the FBI’s advice for strengthening cybersecurity included:

  • Enable multifactor authentication (see CISA’s guide);
  • Set antivirus and antimalware programs to conduct regular scans;
  • Enable strong spam filters to prevent phishing emails from reaching end users;
  • Update software (see CISA’s advice on the topic); and
  • Filter network traffic.  

Another government institution issuing cybersecurity advice is the National Institute of Standards and Technology (NIST), which has published step-by-step instructions for organizations seeking to implement its Cybersecurity Framework.

The NYDFS alert offered advice specific to financial services organizations, particularly on cybersecurity, dealing with new sanctions, and the likelihood virtual currency might be used by Russian entities and individuals in an attempt to evade sanctions.