There is a mood of nervous expectation among the cybersecurity communities. Whether the hats are white or black, we are in a period of jumpy hyper-vigilance, which so far is not justified by activity. However, it’s certainly justified by the threat. We may be on the verge of a stiff test of both private and state electronic defences and cyber resilience.

However the appalling situation in Ukraine is resolved, it is possible that the impact in the clandestine field of cyber operations will be seismic, whether it’s:

  • Nation-state originated
  • Sponsored (or proxied by quasi-criminal gangs with state ties)
  • Part of the daily work of the well-known array of hackers, gangsters, 419 teams, phishing farms, ransomware peddlers, romance fraudsters, data hawkers et al, and their white and grey-hatted counterparts

For example, sanctions of the kind imposed on Russia and the facilitators and supporters of the illegal war in Ukraine over the last 3 weeks, take dozens of organisations and thousands of people to implement. Even if Putin was to recall his troops tomorrow it seems likely that they will not be removed with the alacrity with which they are being applied.

Russia and her allies, most of whom are well established originators of cyberattacks and safe havens for criminal gangs who agree to broadly serve the interest of the host state, will be motivated and equipped to target those countries, companies and individuals helping to implement the financial and trade-based punishments for her actions in Ukraine.

Should I worry?

No, at least not yet. If you or your company have business interests in Ukraine or are involved in the huge international machinery of applying sanctions and finding assets, then common sense tells you that you are higher up the target list than most.

You should maintain a high level of vigilance – be aware of normal patterns of application and data movement in your environment, and regularly review for changes. You don’t need special or expensive tools to do this, even in a large company with thousands of users your existing IT management and security tools will tell you if they fail authentication attempts or VPN connections with aborted 2FA phases are on the rise. Similarly, your utilisation trends bandwidth on your internet links, web server disk, CPU and RAM consumption tell a stark story if you’re suddenly denying hundreds of connections or fending off gigabytes of traffic.

The security tools you do have in place, starting with the humble endpoint protection suite (AV in old money), will already have the signatures for the malware we know to be circulating in Ukraine. This is essentially a re-tooling of something called KillDisk, packaged into Hermetic Wiper, and it’s an ever-changing suite of derivatives. It is nasty and can cause irrevocable data deletion, but it’s currently easy to detect and deal with and if your EPP and IDS/P do not have signatures for it. It is easy to check here, and I would ask your vendor why.

If you have a SOC of your own or SOCaaS, you can get help with building detection rules in various formats to find evidence of the Hermetic family in your logs. The Virus Total checking link above provides workable rules in YARA and a quick search of the normal open-source feeds comes up with dozens of quality results ready to use in your environment for threat-hunting.

This reasonably benign state of affairs will not, I fear, last long. More and more difficult to detect destructive malware will be targeted at the west and involved parties. Everyone will suffer from the uncontrolled nature of self-propagating malware, which tends not to be confined by its original target criteria.

There will be sophisticated attacks on western critical national infrastructure, financial and legislative bodies, and supporting industries. There will be a gold rush as criminals of all stripes and nations put aside their moral objections and get back to business – stealing data from individuals and organisations of interest to sell to the highest bidder. Inside information on where your billions are and what the legislator’s next move is likely to be (in what could be years, possibly decades-long battle of attrition in the world’s courtrooms) will fetch a high price.

A quick note on CNI: if you operate security for critical national infrastructure then you have access to some of the best advice in the business via your mandated relationship with NCSC and others. If they’re not coming to you, go to them. But I’d be very surprised if they’re not coming to you.

In the midst of this, we shouldn’t forget that the cyberattacks carried out by the west against Russia will suffer from the same risk of collateral damage. The west does not have a set of neat magic cyber-bullets any more than Russia does.

The blessing and curse of the internet

Nobody owns it, and everybody owns it (Sorry Donald). Very much on the blessing side of the equation, the rapid increase in TOR nodes in Ukraine and Russia over the last 3 weeks has been significant as the volunteer privacy community rally to the cause of getting unexpurgated information in and out of the country. If you have a corporate policy of preventing TOR originated traffic from seeing your websites or communicating with you, you may wish to rethink that if you are involved in supporting the people of Ukraine directly. It can be done securely, and it may be something you wish to implement on the back of a broader rethink on privacy controls. Particularly if Russia joins China, with essentially its own version of the internet, as Putin has stated it will. I don’t see the Russian internet being a bastion of free speech.

If you sneeze loudly enough, everyone catches a cold

Let’s stay vigilant, make sure we use the IT and cybersecurity tools we have in place. This is exactly why you have controls and why you implemented cyber essentials / plus / ISO / [insert accreditation here]. Most organisations have the procedures and policies they need already, and for those that don’t, there is plenty of help in the open and commercial communities. Communicate with each other, being shy about admitting losing data or suffering a breach has never been helpful, but right now it could be a disaster.

Finally, make sure you talk to your user community. Sophisticated technical attacks which can destroy Iranian centrifuges or shut down power station cooling systems are rare because they cost a lot of time and money and do not scale. They are often highly tailored and crafted from scratch by seriously gifted teams of people and may require human intelligence services to help deliver initial payloads. You are probably not the target of this type of attack, but you’ll certainly know if you are.

In short, we need to pay attention to where it will be most effective. That means protecting our users and enabling them through training and tools to protect themselves. Malware of any variety is most likely to enter your organisation via a malicious email attachment or by a user clicking a dodgy URI. This remains the favourite attack vector because humans are fallible, and criminals are already starting to see the opportunity presented by a big world event like the war in Ukraine. Make sure your users are expecting phishing attempts from people purporting to be Ukrainians stuck on the border with Poland and a dying child, or from Spotify or Amazon claiming that your account has been used in Russia and you must click the link to see details.

Distasteful as it is, like all human catastrophes there will be many seeking to take advantage of your user’s fears or better natures. So as always, preparation and training is the watchword.

Author

Ade Taylor, Secrutiny’s Technical Director and Transformation lead. With more than 20 years IT experience across strategic technology deployment, global IT transformation programs, professional services and consultancy, pre-sales, data communications, data centre and hosting infrastructure and security.