IT security teams across Europe should be alert to the possibility of cyber attacks originating within Russia targeting their systems in the coming weeks, but this is no time for panic – rather, a rational, level-headed response should be employed.
That is the assessment of cyber community pros and analysts as they respond to the ongoing escalation in tensions between the US and Russia over Ukraine, and the very real risk of a shooting war breaking out in Eastern Europe. Any such incident would inevitably draw in Nato allies, including the UK.
It comes after the US Department of Homeland Security (DHS) warned law enforcement agencies across the US of the possibility of destructive cyber attacks emanating from Russia-backed advanced persistent threat (APT) actors.
The bulletin was sent to law enforcement agencies across the US on Sunday 23 January, and was promptly leaked to TV news station ABC.
In the bulletin, the DHS assessed that Russia would “consider initiating a cyber attack against the Homeland [the US]” should it perceive a US or Nato response to a full-blown invasion of Ukraine threatened its national security.
It said Russia had a range of offensive cyber tools at its disposal, with impacts ranging from distributed-denial-of-service (DDoS) attacks to destructive cyber attacks targeting critical national infrastructure (CNI). It cited previous attacks on Ukrainian targets as evidence.
The range of potential attacks, and Russia’s capability to deliver them, was assessed earlier in January by Mandiant.
The DHS said Russia’s threshold for conducting such attacks was very high and that it had not previously observed Moscow directly attacking CNI. Note that recent high-profile incidents targeting the likes of Colonial Pipeline were conducted by financially motivated ransomware gangs, rather than state-backed actors, although the lines between the two are frequently blurry.
Abundance of caution
Ken Westin, director of security strategy at Cybereason, said the risk of a Russian cyber attack right now was probably low, but that if an agency such as the DHS was aware of a threat and failed to notify people, it would face a backlash should something happen, hence the need for an abundance of caution.
Nevertheless, said Westin, the uncertainty around the intentions and capabilities of Russia’s offensive cyber teams was creating a stressful situation for all.
“Today, neither organisations nor private citizens should panic due to the DHS bulletin, but should remain vigilant, identify what assets may be targeted, establish plans for business continuity and cyber resilience, and pay attention to the news and threat intelligence if the situation escalates in the coming days,” he said.
Kev Breen, director of cyber threat research at Immersive Labs, said that given Russia’s hosting of advanced cyber criminal gangs, such as REvil, it would be a grave error to assume the state itself doesn’t have equally advanced capabilities.
“An attack of significant magnitude, including a deliberate attack on US critical infrastructure, would almost certainly have wider geopolitical consequences,” he said. “With this new bulletin, the DHS is working on the basis that to be forewarned is to be forearmed – and preparation is key.
“In this fast-paced world of constant cyber attacks and zero-day exploits, it is always better to err on the side of caution. It is better to assume you are a target and have strategic plans in place to match that of the adversaries’ capabilities. Resilience is as much about planning and exercising capabilities to ensure all potential risks are mitigated, in advance, as well as possible.”
Tom Garrubba, vice-president at Shared Assessments, said that all organisations, regardless of industry, should be operating at an increased state of alert as the geopolitical world and the cyber threat environment collide.
“Proper diligence is expected, and hopefully mandated, to ensure all cyber defensive tools and techniques are employed to protect your most precious data assets,” he said. “Continuous intelligence, monitoring, and dialogue with critical partners and suppliers should be ongoing to ensure ‘all is ready’ in the event of recovery needs or additional support is available in the event that something was to occur.”
Cybereason’s Westin added: “My concern with Russia today is that they have an arsenal of zero-day exploits at the ready, as well as initial access to some targets already. However any zero-days they may possess will be ‘spent’ on initial execution, so there is risk in Russia deploying them and exposing their capabilities.
“The US and allies also have offensive cyber capabilities, and businesses can be caught in the crossfire and be collateral damage. A key target may be not just critical infrastructure, but also our financial and healthcare systems or electricity grids to try to trigger a panic.”
While cyber warfare has been talked about for years – and many old hands in the security game agree that the West has been in a low-level cyber war with Russia for some time now – escalation of the Ukraine crisis into open conflict (a kinetic war) accompanied by cyber attacks on this scale would be a global first.
“The cyber security industry has gotten used to tossing around the idea of ‘nation-state’ adversaries, but I think we’ve yet to see cyber attacks used in concert with a fully fledged military campaign,” said Tripwire strategy vice-president Tim Erlin.
“The DHS’s warning sets that expectation that something has changed in the threat profile, and that organisations should be prepared for a change in the types of attack they see.”
Erlin added: “It is entirely valid for organisations to wonder what they are supposed to do differently when faced with this type of alert. Cyber security calls for constant defence already, and an alert like this doesn’t magically remove the obstacles that are preventing organisations from implementing solid security controls. For most companies, a DHS alert simply doesn’t create budget or add people to their staff.”
Roger Grimes, a defence evangelist at KnowBe4, said he thought it was “fairly natural” for cyber attacks to accompany kinetic battles, but that the possible targeting of entities other than government and government-linked contractors and suppliers was probably new. “Russia has changed that equation enormously over the past year,” he said. “Nation-state attacks are happening by the tens of thousands and occurring against organisations with no direct government affiliation. Everyone is apparently a fair target these days.”
Grimes theorised that the current situation marked a fundamental moment of change in the world of nation state-backed attacks and cyber war, which he suggested may be permanent, at least without some kind of Geneva Convention-style agreement to control such activity.
“Right now, it is do what you want with near impunity, with low risk,” he said. “We are in an especially dangerous and risky time because no one knows what the response will be if one side or the other goes too far.
“For example, if one side unilaterally attacks another side in cyber space, does that mean that a kinetic response is allowed or warranted? Does one side over-react? I think we will all be less stressed when the new rules of cyber warfare are figured out.”