Russia-Ukraine War / Cybersecurity Challenges and Recommendations

Sivan Tehila

Russia’s recent invasion of Ukraine has left the geopolitical arena in a spiral. While there has been constant fighting on the ground, fewer assaults across cyberspace have occurred than expected. Russia has a history of cyberwarfare, and given the unpredictability of the conflict, attacks in the virtual sphere have become one of the main fronts.

On one side is Russia, a hacking superpower with nation-sponsored APT groups that began its cyber efforts against Ukraine well before tanks rolled across the border. Though there is no definitive list of which groups to watch out for, a few well-known groups are highly likely to attempt attacks during the conflict.

Using spear-phishing campaigns, the UAC-0056 group has primarily targeted the Ukrainian government and energy sector. These phishing emails deploy a first-stage malware used to install spyware and subsequent malicious payloads that embed themselves into computer processes and memory. The Sandworm team preys on the government and critical infrastructure of Ukraine and Western nations by taking advantage of zero-day exploits and botnets to abuse legitimate firmware through code injection. The Gamaredon Group uses a combination of off-the-shelf and custom-made malware, and Fancy Bear (APT28) and Cozy Bear (APT29) are two bands of Advanced Persistent Threat (APT) actors. The former has gone after government, military, and press institutions in Ukraine and the West by scanning IP addresses for vulnerabilities and using those gaps to implant command-and-control servers, rootkits, file transfer tools, and port forwarding tools.

On the other side, Ukraine became the first country to fight back with an international army of volunteer hackers, with the support of the Belarusian Cyber Partisans, who claim to have hacked into the Belarusian Railways computer system earlier this week in a bid to sabotage the deployment of Russian military units in the country. The move reflects the expectation that Belarus may play a crucial role in a possible full-scale Russian invasion of Ukraine. The Anonymous collective also supports Ukraine and declared cyber war against the Russian government. Around 30 minutes after this declaration, they announced that they had taken down the website of the Kremlin-backed TV channel, which broadcasts in Britain and has been heavily criticized for its coverage.

Cybersecurity Strategy is Key

Ideally, all companies should already have business continuity/disaster recovery plans in their arsenal. These document the steps an organization can take to continue business operations in the event of a disaster, such as maintaining connections to the internet and power, transferring copies of data, etc. That said, it is understandable not to have considered a plan of action in the event of an armed conflict. In the wake of Russia’s assault on Ukraine, however, companies found themselves scrambling to strategize their next steps to protect their physical and logical resources in the region.

Given the wide array of attack methods used by state-sponsored cyber agents, it is imperative to implement robust security methods to protect cyber-based assets from the very real threat of attack. Here are five main recommendations that can serve as a starting point for organizations with connections in Ukraine and Eastern Europe:

1. Enable Strong Endpoint Protection

The user poses the greatest threat to an organization’s security posture. In times of peace, employees can often fall victim to social engineering and other attack methods. Downloading a file, clicking on a suspicious link, or visiting a questionable website can all expose an endpoint to viruses, malware, spyware, and any other number of tools used by threat actors to disrupt business operations or steal proprietary information.

During war, individuals in the affected region are even more likely to be targeted by rogue or state actors. Cyberwar campaigns will prey on the heightened stress and anxiety brought about by the conflict. Traditional security tools, like antivirus solutions and host-based intrusion detection/prevention systems, may not be enough to mitigate the sophisticated attacks created by state-funded cybercriminals.

When the resources required for threat detection are limited, especially within a larger organization, leveraging the services offered by a third-party solution can be a welcome addition to that first line of defense. One such example is CrowdStrike’s Falcon platform, which gives enterprises a robust, user-friendly method of swiftly identifying and eliminating attacks before they have the opportunity to cause serious damage to resources. Additionally, these tools can analyze and map trends, making it easier for security teams to install controls to mitigate attacks from specific avenues.

2. Create Regular Backups

Regular backups should already be part of any organization’s best practices. Whether accidental or with malicious intent, complications can result in the loss of data. This can have serious ramifications for business continuity. Having copies of data collected at predetermined intervals (daily, biweekly, weekly, etc.) allows information technology teams to restore a recent version of the system, minimizing the damage done and allowing the business to resume operations quickly. With the present threat of cyberattacks and/or damage to physical offices in Ukraine, having backup copies of data is critical.

Backups can be stored locally within the office on external media, like a hard drive. External storage devices can be easier to transport in the event of an evacuation, but they face the same risks as the building. A better option would be creating copies of the data and storing them on a remote server in another location, preferably further away from the conflict area. This way, the data is stored in a safer place and can be accessed remotely from the organization’s new base of operations. Ultimately, this decision will vary by each company based on capability and need. Regardless, backups should be created and tested often to ensure that they can be successfully restored in the event of a disruption to business operations.

3. Implement Centralized Logging and Monitoring

Attacks, potential and actual, can originate at any point across a network. It is incredibly challenging to monitor an entire network, let alone chase down every suspicious incident. To make it easier to observe everything, implement a method for centralized logging and monitoring of events. One method of achieving this is a Security Information and Event Management (SIEM) solution. SIEM is helpful for monitoring, correlating, and identifying trends within network activity. However, traditional SIEM platforms cannot respond to incidents; they can only create alerts.

Other options exist for teams with limited manpower to facilitate the detection and response processes. Next-generation SIEM platforms take this one step further by using artificial intelligence to generate automated responses based on predefined protocols. Similarly, Security Orchestration, Automation, and Response (SOAR) tools combine detection with automated response capabilities while also presenting aggregated data to create modified plans and playbooks. A SIEM or next-gen SIEM solution may be enough for most organizations, and these can be combined with some SOAR features for more robust logging and monitoring.
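The correlation step described above, as an added example that is not part of the original article or any vendor's product: a SIEM-style rule run over constructed login events collected from two hosts. Looked at per host, mail01 sees a single failure followed by a success and raises nothing; only the centralized view links the failures on fs01 to the later success on mail01 from the same source. Host names, users and the 203.0.113.0/24 and 198.51.100.0/24 addresses are constructed sample values.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of login events forwarded from two hosts to a central
# collector (not real data; the IPs are documentation ranges).
SAMPLE_LOGS = """\
2022-03-01T08:00:01Z host=fs01 event=login result=fail user=oleh src=203.0.113.7
2022-03-01T08:00:04Z host=fs01 event=login result=fail user=oleh src=203.0.113.7
2022-03-01T08:00:09Z host=mail01 event=login result=fail user=oleh src=203.0.113.7
2022-03-01T08:00:15Z host=fs01 event=login result=fail user=oleh src=203.0.113.7
2022-03-01T08:00:40Z host=mail01 event=login result=success user=oleh src=203.0.113.7
2022-03-01T09:10:00Z host=fs01 event=login result=fail user=iryna src=198.51.100.20
2022-03-01T09:30:00Z host=fs01 event=login result=success user=iryna src=198.51.100.20
"""

def parse(line):
    """Split 'timestamp key=value ...' into a dict with a datetime under 'ts'."""
    ts, _, rest = line.partition(" ")
    ev = dict(kv.split("=", 1) for kv in rest.split())
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return ev

def correlate(log_text, threshold=3, window=timedelta(minutes=5)):
    """Alert when one source IP fails >= threshold logins within `window`
    (on any host) and then logs in successfully from the same source."""
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev.get("event") != "login":
            continue
        recent = failures[ev["src"]]
        while recent and ev["ts"] - recent[0] > window:   # expire old failures
            recent.popleft()
        if ev["result"] == "fail":
            recent.append(ev["ts"])
        elif ev["result"] == "success" and len(recent) >= threshold:
            alerts.append({"src": ev["src"], "user": ev["user"],
                           "success_host": ev["host"], "failures": len(recent)})
            recent.clear()
    return alerts

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print("ALERT: repeated failures then success", alert)
```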

4. Use Strong Identity and Access Management

While a user on a network may be recognized by name, it may be challenging to know who exactly is operating as that individual. Suppose a threat actor breaches an endpoint within the organization. In that case, they can use that machine to exfiltrate personally identifiable information (PII) or proprietary data, all while appearing as a legitimate user. Strong identity and access management (IAM) policies can help limit the range in which an attack can maneuver.

The most restrictive IAM policy is that of zero-trust. At its core, a zero-trust architecture refuses access implicitly to anyone and anything on the network. The entity must verify its identity to gain access. For users, in particular, multifactor authentication (MFA) should be used. This system requires users to authenticate themselves using two or more different methods, e.g., a classic username/password and a biometric. Even once granted access to the network, least privilege policies should be enforced, giving each user only the necessary permissions required for them to do their specific tasks.

If users occasionally require access to more sensitive information, it may be helpful to contract with a vendor that provides this service. CyberArk, for example, uses a Vault system that restricts data access to a limited number of users at any given time and tracks their activity within the Vault for future auditing and accountability. While this is unnecessary for effective IAM implementations, such a solution serves as an added layer for stronger defense in depth. 

5. Harden Bitbucket

For companies that use Bitbucket as their code repository, protecting the code is paramount to prevent its theft and any subsequent damage to the organization. A best practice that should already be implemented is using multifactor authentication to verify that anyone accessing the code is who they say they are. The least privilege principle should also be used to prevent developers from accessing unnecessary resources. Additionally, sensitive data and credentials should not be stored within the code; these should be kept separate and in a more secure environment, like a Vault or git-secrets repository. For additional insights, use scanning tools to test the overall security of the Bitbucket instance and to look for any vulnerabilities that may inadvertently be introduced into the code. Tools like Snyk, SonarCloud, and CloudClimate are excellent options for this purpose. And lastly, create backups of the code and store them on a remote server.
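The "no credentials in the code" check above, as an added example that is not part of the original article and not the logic of Snyk, SonarCloud or any other tool named there: a small scanner that flags staged files containing a fixed-format cloud access key, a private-key header, or a literal secret assigned to a password/token-like variable, while ignoring lines that read the value from the environment or use an obvious placeholder. The rules, file names and secret values are constructed for the example.

```python
import re

# Constructed rules for this example: each is (name, regex).
RULES = [
    ("cloud-access-key", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private-key-block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("hardcoded-secret", re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"][^'\"]{8,}['\"]")),
]
# Lines that fetch the value from the environment or a vault, or that use an
# obvious placeholder, are not findings.
ALLOW_RE = re.compile(r"(?i)(os\.environ|getenv|vault\.|\$\{|changeme|placeholder)")

def scan_text(filename, text):
    """Return (filename, line_no, rule_name) for every suspicious line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if ALLOW_RE.search(line):
            continue
        for name, rx in RULES:
            if rx.search(line):
                findings.append((filename, line_no, name))
    return findings

def scan_files(files):
    """files: {path: content}. Returns all findings across the set."""
    return [f for path, text in files.items() for f in scan_text(path, text)]

# Constructed staged files; the key and password values are fake.
SAMPLE_FILES = {
    "settings.py": 'DB_PASSWORD = os.environ["DB_PASSWORD"]\n'
                   'SMTP_PASSWORD = "hunter2hunter2"\n',
    "deploy.sh": 'export AWS_ACCESS_KEY_ID=AKIAABCDEFGHIJKLMNOP\n',
    "config.example.yaml": 'api_key: "changeme-please"\n',
    "keys/id_rsa": '-----BEGIN RSA PRIVATE KEY-----\n',
}

if __name__ == "__main__":
    found = scan_files(SAMPLE_FILES)
    for f in found:
        print("BLOCK commit: %s:%d matched %s" % f)
    raise SystemExit(1 if found else 0)
```

Wired into a pre-commit hook or a pipeline step, a non-zero exit stops the credential from ever reaching the repository, which is cheaper than rotating it after the fact.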

In addition to the above recommendations, it behooves any security-minded organization to explore the “Shields Up” guide from the United States government’s Cybersecurity and Infrastructure Security Agency (CISA). This guidance offers pointers for everyone, from organizations as a whole and corporate leadership to private Internet users. “Shields Up” advises corporations and their leaders to improve incident detection and reporting procedures, create crisis response teams, and devise verifiable business continuity protocols to increase resilience in the wake of disaster. For at-home users, CISA recommends using strong passwords and multifactor authentication on all accounts, keeping devices updated with the latest patches, and being cautious when engaging with suspicious website links or emails.

As the Russia-Ukraine conflict rages on, opportunists may take advantage of the chaos and attack targets that are not directly involved in the war. For organizations with assets or interests in the region, the tips provided here should serve as an effective foundation for building strong cyber defenses against threat actors. Even organizations that feel confident in their current capabilities should review their security posture to ensure that they are properly protected.
