With the conflict escalating so dramatically between Russia and Ukraine, it is time to look at some of the possible consequences to us in the West, as there are actions that can be taken by Russia that could have a material impact on the everyday lives of British citizens.
Russia has a long history of hybrid warfare, including disinformation through RT (Russia Today) and other media outlets, and fake or “bot” accounts on social media, which promote Russia’s point of view when it comes to conflicts with the West (of course this is justifiable), but also including faked photographic or video “evidence” to back up false claims (unjustifiable). Such activities have led to a clampdown by social media following allegations that elections in the US and UK were targets of Russian influence via social media.
But more damaging than this is the use of cyberwarfare where critical IT systems, both public and private, are rendered inoperable through malware attacks. Russia has shown itself to be particularly proficient in this sort of activity.
State-sponsored cyber attacks
The 2017 Ukraine ransomware attacks were reliably attributed to Russian state-sponsored advanced persistent threat actors (APT). These attacks, though initially appearing as criminal ransomware attacks, were in fact irreversible destructive attacks, largely directed at Ukrainian institutions: financial, energy, and government sectors. Due to the relatively clumsy configuration of this malware, it spread outside the target area and caused an estimated $10 billion worth of damage worldwide.
It is reported that around 80% of the 2017 Ukraine ransomware attacks affected companies from Ukraine, but the ransomware also spread to several companies in other geolocations, due to those businesses having offices in Ukraine and networking around the globe:
Non-Ukrainian companies reporting incidents related to the attack include food processor Mondelez International, the APM Terminals subsidiary of international shipping company A.P. Moller-Maersk, the FedEx shipping subsidiary TNT Express (in August 2017 its deliveries were still disrupted due to the attack), Chinese shipping company COFCO Group, French construction materials company Saint Gobain, advertising agency WPP plc, Heritage Valley Health System of Pittsburgh, law firm DLA Piper, pharmaceutical company Merck & Co., consumer goods maker Reckitt Benckiser, and software provider Nuance Communications.
Other campaigns launched by Russian APTs include:
- Attacks on US governmental and aviation networks (September–December 2020) – networks compromised and data downloaded
- Global energy sector (2011–2018) – attacks against industrial control systems in energy sector networks, deployment of malware, and downloads of data
- Attacks on Ukrainian infrastructure (2015–2016) using the Black Energy malware toolkit, planting botnets to launch Distributed Denial of Service (DDoS) attacks as well as the KillDisk malware which wiped data from disks
- Attacks against US Military and the German Foreign Ministry
- Compromise of network devices and development of a large-scale botnet by Sandworm, a group tied to some of the most destructive cyberattacks in history and believed to be a part of Russia’s GRU military intelligence agency
It’s clear from this incomplete list that Russia not only has the capability of launching cyberattacks on a broad front, which could leave an under-prepared target nation helpless, but has the will to use this capability. It is a mistake to think that such attacks would affect only inanimate machinery and would have no harmful effect on the population other than causing inconvenience.
For example, an attack on the energy supply (National Grid and gas distribution network) in winter could result in many hundreds, if not thousands of deaths through hypothermia, not to mention those who depend on electrical medical devices such as dialysis units for their lives. Threat actors taking control of the rail network could produce travel chaos or even cause collisions between trains. It is easy to come up with other nightmare scenarios.
Where does that leave us in the UK?
On 22 February 2022, the Prime Minister announced some preliminary sanctions to be used against Russia: the assets of five Russian financial institutions and three key Russian individuals were frozen, and all business with them is prohibited.
This may provoke retaliation, along the lines of those actions detailed above. If this happens, it is comforting to know that in this area, if in no other, we are prepared.
The Defence Secretary, Ben Wallace, has said that the UK has “offensive cyber capability”. The National Cyber Force, working together with the cyber-intelligence agency GCHQ and the military, is tasked with a mission to “degrade, disrupt and even destroy communications systems used by people posing a threat to the UK”. This could be retaliatory action, such as disabling ransomware and malware servers and lines of communication, or could include psychological pressure on the other side’s operators. The NCF’s operational capabilities have been successfully tested in real-life situations, in Afghanistan and in the Middle East against Islamic State, and they may well provide some deterrent against escalation of the cyberbattle. Clearly, though, the onus is on individual agencies to protect themselves.
What can you do?
The UK’s National Cyber Security Centre has stated that whilst
“it is not aware of any current specific threats to UK organisations in relation to events in and around Ukraine, there has been an historical pattern of cyber attacks on Ukraine with international consequences.”
Here are a few simple rules to follow. You may have heard many of them before, but they are perhaps more relevant now than they have ever been:
- Security patches: make sure that all machines on your network are up-to-date, not just servers and workstations, but also network appliances, switches, routers, and printers.
- If you don’t have one in place already, implement a strict password policy that enforces the use of alphanumeric passwords.
- Require multi-factor authentication (MFA) across the organisation. MFA can stop stolen credentials from being easily reused.
- Review your security policies and implementation, and revise them if necessary.
- Speak to IT partners and service providers that you work with, and ask what their experience is with dealing with complex cyber attacks. Consult with cybersecurity specialists if you feel your providers lack the necessary experience or skills.
- Create, document, and rehearse an incident response plan. Plans should be rehearsed on an annual basis and include both internal and external stakeholders, such as senior management, IT, HR, legal, finance, and service providers. If things do go pear-shaped, you should have an incident response plan, which has been worked through, and where everyone, from the CEO downwards, knows what her or his responsibility is.
- Develop and implement a backup plan for your organisation. Implementing offline backups that are not connected to your network or devices can help reduce the risk of a ransomware attack leading to your backups being deleted. The recovery process for backups should be regularly tested.
- Make sure that everyone in your organisation knows and understands their responsibilities with regard to security. Don’t assume that the IT team will know what to do – recovery from a cyberattack is not a trivial everyday exercise.
First Response is able to provide Incident Response Specialists in the event of an emergency, and also to help develop plans to assist recovery in the event of an attack. Feel free to contact us to discuss your needs.