The Conflict in Ukraine and the Cyber Threat Landscape

Many of S-RM’s clients have been seeking advice on the evolving cyber threat actor and sanctions landscape related to the conflict in Ukraine. Here, we share our analysis and the steps we are taking in the hope that it supports other organisations in their decision-making.

Background

The UK, US and EU have imposed a raft of sanctions on Russian individuals and entities as well as broader sanctions aimed at crippling the Russian financial system in response to the invasion of Ukraine. Further economic sanctions remain under consideration by Western governments.

At least three organised cybercriminal groups have come out in support of Russia’s actions in Ukraine. Others, such as Lockbit, have pronounced neutrality, and more may take a side in the weeks to come.

Notably, Conti announced their full support of the Russian government and stated: “If anybody will decide to organize a cyberattack or any war activities against Russia, we are going to use all our possible resources to strike back at the critical infrastructures of an enemy.”

The hacktivist group Anonymous has proclaimed that they are supporting Ukraine, claiming that they are now “officially in a cyber war against the Russian government”.

To date, Russian state-sponsored cyber operations appear to be predominantly focused on supporting the invasion, with no immediate signs of change.

Escalations in economic sanctions by Western powers may spark low-threshold retaliatory sabotage by the Russian government in the coming weeks. However, we believe that this will be limited while Russian government resources are focused on the invasion effort.

There are two angles we have considered in response to this:

How does this change the activities of threat actors and the likelihood of cyber attacks on our clients and partners?
What implications do the statements have for dealing with groups like Conti in terms of sanctions exposure?

Threat landscape considerations

Here is our assessment, to date, of the implications for the broader threat landscape:

The majority of organised cybercriminal groups internationally will continue to operate as normal. Companies seeking to defend themselves against these groups should follow standard advice to protect against cybercriminal groups (see below).

Ransomware groups based in Russia will likely be able to operate with impunity with Russian authorities’ tacit approval, so long as their targets remain outside Russia. This may lead to an uptick in activity from groups like Conti, Lockbit, Pysa and others thought to be primarily located in Russia.

Groups who have declared support for Russia like Conti, Coomingproject and The Red Bandits may seek to target critical national infrastructure and government bodies in countries that have recently imposed sanctions on Russia, such as the UK, EU, Germany, France and US.

At this point, we have not seen any clear increase in the volume of cyber attacks outside of Ukraine, though in-country there have been several reports of wipers destroying data, disinformation campaigns and denial of service operations conducted by the Russian military alongside their invasion.

Unless there is an escalation of the conflict to involve NATO, we do not anticipate any changes in Russian state-backed groups’ targets at this stage. However, the situation is fast-moving, and it is possible that Russia will retaliate against economic sanctions with covert cyber operations against government or infrastructure targets in the countries which have openly opposed the invasion of Ukraine.

the defensive advice has not changed

As ever, the key frontline controls to prevent against most criminal and state-backed attacks are:

Deploy and monitor an EDR solution to increase capabilities to detect and respond to threats as they occur.
Maintain regularly tested backups of critical systems and data which are off-network or offline to reduce downtime in the event of a cyber attack. (These backups should be stored away from the core infrastructure with a segregated method of access management in place.)
Enable logging within the environment at the most granular level and with the longest retention feasible, particularly for network logs.
Review your public-facing infrastructure for vulnerabilities and ensure that the latest security updates and patches are applied and tested as fast as feasible.
Deploy multi-factor authentication to all external services and remote access methods.
Review your denial of service protections with your ISP and consider using web application firewalls where applicable.

Emerging sanctions risks

Currently, we are not aware of any impact of the recent sanctions on Russia on organised cybercriminal groups based in Russia. However, the landscape is quickly changing, and we are closely monitoring emerging sanctions via leading enforcement agencies and partners. Additionally, we are analysing the dump of leaked internal messages from the Conti ransomware operation, to identify any potential links to sanctioned entities and will keep our clients informed of any relevant findings and intelligence.

Any cybercriminal group subjected to sanctions is likely to “rebrand” and exploit their anonymity to begin operating under a new moniker. In this scenario, S-RM’s diligence to identify links to sanctioned entities will continue - tracking particular groups’ infrastructure (wallets, tools, servers) to identify links between gangs. We note that US law enforcement is currently exploring possible links between Conti and QuantomLocker.

To discuss these developments and how they impact your organisation, please reach out to us.

RODDY PRIESTLEY, Director, Cyber Security

Roddy has been with the S-RM Cyber Security practice since October 2017. Roddy oversees key client relationships and strategic accounts across the legal services and insurance sectors as well as S-RM’s corporate customer base. Roddy has been responsible for the build out of the Cyber Security practice’s technical services as well as the formation and growth of the security consulting team.