{"id":18376,"date":"2022-02-25T15:10:07","date_gmt":"2022-02-25T23:10:07","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2022\/02\/25\/news-12109\/"},"modified":"2022-02-25T15:10:07","modified_gmt":"2022-02-25T23:10:07","slug":"news-12109","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2022\/02\/25\/news-12109\/","title":{"rendered":"Potential cybersecurity impacts of Russia’s invasion of Ukraine"},"content":{"rendered":"

Credit to Author: David Ruiz| Date: Fri, 25 Feb 2022 22:13:21 +0000<\/strong><\/p>\n

On Thursday night, Russia launched a military invasion of its neighbor and former Soviet Union member Ukraine, drawing a broad rebuke from international leaders, along with significant protest from the Russian public.<\/p>\n

The toll of human life from this war is unknown, and, like the many international acts of aggression that have preceded it, future figures and statistics will not, alone, make sense of it. The threats and dangers posed by this conflict will be borne by the combatants and the people of Ukraine, and they are in our thoughts. Our collective priority must be people\u2019s physical safety, but Russia\u2019s assault could also produce a range of cybersecurity-related risks that organizations and people will need to protect themselves against, starting today.<\/p>\n

Here are some of the ways in which Russia\u2019s invasion of Ukraine may impact cybersecurity, and what organizations can do to stay safe in a continually evolving crisis.<\/p>\n

The risk of increased stakes<\/strong><\/h3>\n

In tandem with the physical strikes against Ukraine, a piece of wiper malware first detected by researchers at Symantec and ESET had already begun targeting organizations in Ukraine. Analyzed by SentinelOne<\/a>, this wiper malware has been given the name HermeticWiper and it differentiates itself from typical malware in one, important way: Those responsible for it aren\u2019t looking for any payment\u2014they just want to do damage.<\/p>\n

Current analyses of HermeticWiper reveal that the malware is being delivered in highly-targeted attacks in Ukraine, Latvia, and Lithuania. Its operators seem to leverage vulnerabilities in external-facing servers while utilizing compromised account credentials to gain access and spread the malware further.<\/p>\n

These tactics are nothing new, and familiar cybersecurity best practices around privileged access hold true. But here, the stakes have changed. Even in the worst-case-scenario of any ransomware attack, there\u2019s at least a promise (which could admittedly be false) of a decryption key that can be purchased for a price. With a wiper malware, there is no such opportunity.<\/p>\n

As described by Brian Krebs on his blog<\/a>:<\/p>\n

\n

\u201cHaving your organization\u2019s computers and servers locked by ransomware may seem like a day at the park compared to getting hit with \u2018wiper\u2019 malware that simply overwrites or corrupts data on infected systems.\u201d<\/p>\n<\/blockquote>\n

The risk of collateral damage<\/strong><\/h3>\n

Russia\u2019s proclivity for cyber warfare is well recorded. In the past, the country has been credibly blamed or proven responsible for several cyberattacks against Ukraine<\/a> and its surrounding neighbors, including DDoS attacks in Estonia in 2007, Georgia in 2008, and Kyrgyzstan in 2009. Russia is also believed to have been responsible for an email spam campaign against Georgia in 2008, and also for the delivery of the \u201cSnake\u201d malware against Ukraine\u2019s government in 2014<\/a>. And in 2015 and 2017, when Ukraine\u2019s power grid suffered two separate shutdowns because of the malware variants BlackEnergy and Industroyer\/CrashOverride, much of the evidence reportedly pointed back to Russia.<\/p>\n

Though these attacks, like the current attacks involving HermeticWiper, were highly targeted, the idea of \u201ctidy\u201d cyber warfare is a farce.<\/p>\n

In June 2017, Russia\u2014as concluded by the CIA just months later<\/a>\u2014unleashed a cyberattack on Ukraine that spilled out into the world. The cyberattack involved a piece of malware reportedly developed by Russia\u2019s military intelligence agency the GRU, called NotPetya. Though it presented itself as a common piece of ransomware, it actually worked more like a wiper, destroying the data of its victims, which included banks, energy firms, and government officials.<\/p>\n

But the attack, which was reportedly carried out to harm Ukraine\u2019s financial system, spread out, hitting networks in Denmark, India, and the United States.<\/p>\n

It was at the time the most devastating cyberattack in history, costing the shipping company Maersk a reported $300 million, and the pharmaceutical giant Merck a reported $870 million.<\/p>\n

Though it’s impossible to predict what type of collateral damage could occur, the US Cybersecurity and Infrastructure Security Agency has released a cybersecurity guide for all organizations in the US to follow during this turbulent time. You can read that guide, called Shields Up, here<\/a>. <\/p>\n

The risk of escalation<\/strong><\/h3>\n

As Ukraine defends itself against Russian forces, world leaders are faced with a difficult decision. Should they deliver support to Ukraine in any material way, Russia may then retaliate against them with its own cyber-attacks,\u00a0and these attacks are unlikely to be borne by world leaders. Instead, the \u201ccrossfire\u201d between national cyber-fronts will likely inflict harm on everyday individuals and businesses.<\/p>\n

Already, this decision has produced a wrinkle, as world leaders are not just defending themselves against Russia\u2019s cyber-offensive regimes, but also against known ransomware gangs that have quickly sworn allegiance to Russia\u2019s cause.<\/p>\n

On February 25, the Conti ransomware group announced that it would retaliate against any known physical or cyberattacks against Russia. As we wrote on Malwarebytes Labs<\/a>:<\/p>\n

\n

\u201cAny doubt that some of the world’s most damaging ransomware groups were aligned with the Kremlin, this sort of allegiance will put an end to it.\u201d<\/p>\n<\/blockquote>\n

Despite a clarification about an hour later, which attempted to reframe the group’s “full support of Russian government” into “we do not ally with any government”, there can be no doubt about the threat the group poses<\/a>.<\/p>\n

Unfortunately, the risk of escalation seems likely, as countries ramp up economic sanctions against Russia, and as the US is walking a delicate balance about its own cyber initiatives. On February 24, multiple White House officials denied, as NBC News had earlier reported, that the Biden Administration was considering multiple \u201coptions\u201d of cyber engagement \u201con a scale never before contemplated.\u201d<\/p>\n

According to White House Press Secretary Jen Psaki, who wrote on Twitter, NBC\u2019s \u201creport on cyber options being presented to @POTUS<\/a> is off base and does not reflect what is actually being discussed in any shape or form.\u201d<\/p>\n

\n
\n
\n

This report on cyber options being presented to @POTUS<\/a> is off base and does not reflect what is actually being discussed in any shape or form.<\/p>\n

— Jen Psaki (@PressSec) February 24, 2022<\/a><\/p><\/blockquote>\n