This Friday, the U.S. cybersecurity agency CISA published a general warning that there is an increased risk of cyber attacks against critical infrastructure due to the developments on the border between Russia and Ukraine.
Truesec has assessed that the heightened risk of cyber attacks on critical infrastructure also applies to Sweden. We base this on the following analysis:
- It is now obvious that there is a very high risk that Russia will commence a full-scale invasion of Ukraine within the next few days.
- In the event of such an invasion, it is highly likely that Western countries, including Sweden, will retaliate with extensive sanctions against Russia to damage Russia’s economy and force Russia back to the negotiating table.
- In such a situation, Russia can respond by damaging Western economies with asymmetric attacks on critical infrastructure to attempt to force the West to limit its sanctions.
- We also see signs of activities that indicate an increased threat against security industries and businesses with defense contracts.
What Does It Mean?
Based on what we have observed in previous Russian destructive cyber attacks, there are several levels of aggressive Russian actions in the cyber arena. Understanding these levels can help you navigate the developing situation.
Disinformation
This is basically the situation we have been living with for a long time. Russia is constantly targeting neighboring countries, including Sweden, with disinformation. Its primary aim appears to be to create distrust in our society.
These disinformation operations are by themselves not a threat to a particular organization, but it is always good to be aware of these ongoing activities.
Terror Attacks
This level of cyber conflict is what Russia has conducted against Ukraine so far in 2022. This combination of relatively low-effort attacks is designed to create maximum publicity and public fear. Such attacks include:
- Defacement of government websites designed to incite fear and confusion.
- DDoS attacks against critical government and financial institutions.
These are relatively low-effort attacks, but the impact is amplified by disinformation designed to create the impression that the attacks are more impactful than they really are.
During the cyber attack in January 2022, the web defacement was amplified by messages claiming all the personal data of every Ukrainian had been stolen and leaked, a vast overstatement.
During the DDoS attack in February 2022, Russian Intelligence spread false text messages claiming that all ATM stations were down and the people could not access their money. This was not true.
These attacks were most likely aimed at inciting immediate panic and long-term fear by insinuating that the victims would be defenseless against even worse cyber attacks in the future.
Destructive Attacks
On 23 February, a threat actor assessed to be Russian GRU unit 74455, or Sandworm, initiated a large-scale destructive cyber attack on several Ukrainian government entities and one large hosting provider. At the same time, new DDoS attacks were conducted against banks in Ukraine. This attack was likely timed to cause fear and confusion in the Ukrainian government hours before the invasion began.
Although the attack was highly sophisticated, in general it followed the pattern of a typical ransomware attack. The threat actor obtained access to the network, escalated to gain administration privileges, and then deployed the destructive malware using group policies in Active Directory. It is highly likely that the attack was planned in advance and that access had been obtained long before the attack.
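A defender's check for the deployment step described above, as an added example that is not Truesec's code: it reviews Windows Security event 5136 records for edits to Group Policy objects and to GPO links. The sample events, the approved-account list and the change window are constructed assumptions, and it presumes Directory Service Changes auditing is enabled on the domain controllers.

```python
from datetime import datetime, time

# Constructed sample: Security event 5136 ("A directory service object was
# modified") records as a SIEM might export them. All values are made up.
EVENTS = [
    {"EventID": 5136, "TimeCreated": "2022-02-21T10:15:00", "SubjectUserName": "gpo-admin",
     "ObjectClass": "groupPolicyContainer", "AttributeLDAPDisplayName": "versionNumber",
     "ObjectDN": "CN={11111111-1111-1111-1111-111111111111},CN=Policies,CN=System,DC=example,DC=test"},
    {"EventID": 5136, "TimeCreated": "2022-02-23T02:40:00", "SubjectUserName": "svc-backup",
     "ObjectClass": "groupPolicyContainer", "AttributeLDAPDisplayName": "gPCMachineExtensionNames",
     "ObjectDN": "CN={22222222-2222-2222-2222-222222222222},CN=Policies,CN=System,DC=example,DC=test"},
    {"EventID": 5136, "TimeCreated": "2022-02-23T02:41:00", "SubjectUserName": "svc-backup",
     "ObjectClass": "domainDNS", "AttributeLDAPDisplayName": "gPLink",
     "ObjectDN": "DC=example,DC=test"},
    {"EventID": 5136, "TimeCreated": "2022-02-23T09:00:00", "SubjectUserName": "helpdesk1",
     "ObjectClass": "user", "AttributeLDAPDisplayName": "telephoneNumber",
     "ObjectDN": "CN=Alice,OU=Staff,DC=example,DC=test"},
]

def is_gpo_change(ev):
    """True for edits to a GPO object or to where GPOs are linked (gPLink)."""
    if ev.get("EventID") != 5136:
        return False
    return (ev.get("ObjectClass") == "groupPolicyContainer"
            or ev.get("AttributeLDAPDisplayName") == "gPLink")

def review_gpo_changes(events, approved_accounts, window=(time(8, 0), time(18, 0))):
    """Return (event, reasons) for GPO changes that need a human look."""
    findings = []
    for ev in filter(is_gpo_change, events):
        reasons = []
        if ev["SubjectUserName"].lower() not in approved_accounts:
            reasons.append("account not approved for GPO administration")
        when = datetime.fromisoformat(ev["TimeCreated"]).time()
        if not window[0] <= when <= window[1]:
            reasons.append("outside change window")
        # A gPLink edit on the domain object applies policy to every machine.
        if ev["AttributeLDAPDisplayName"] == "gPLink" and ev["ObjectDN"].upper().startswith("DC="):
            reasons.append("link changed at domain root")
        if reasons:
            findings.append((ev, reasons))
    return findings

if __name__ == "__main__":
    for ev, reasons in review_gpo_changes(EVENTS, {"gpo-admin"}):
        print(ev["TimeCreated"], ev["SubjectUserName"], ev["ObjectDN"], "->", "; ".join(reasons))
```

In production the same rule belongs in the SIEM as an alert, since the interval between a policy edit and its application to clients is short.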
In the past, Russia has conducted other destructive attacks against critical infrastructure in Ukraine and other countries. Such attacks have targeted government entities, energy grids, and TV and media. They have included the deployment of malware that destroys or encrypts vital data and malware specifically designed to interact with Industrial Control Systems (ICS) in critical infrastructure.
It is important to understand that while Russia has the capability to conduct such attacks in countries other than Ukraine, the key to making successful precision attacks against critical infrastructure in other countries is extensive reconnaissance. Russia has spent years infiltrating the infrastructure in Ukraine. Truesec has no information that similar extensive reconnaissance of critical infrastructure in Scandinavia has occurred or is currently underway, but heightened vigilance of such activities against critical infrastructure is crucial.
What Can Your Organization Do?
Suggested activities to quickly harden your organization against destructive cyber attacks include:
- Ensure that critical functions that depend on high connectivity have sufficient bandwidth and protection to withstand a sustained DDoS attack. This is especially important for financial institutions as such organizations have been targeted twice in Ukraine now.
- Ensure you have proper detection and mitigation capabilities. Verify EDR/XDR coverage and remediate any gap as a priority.
- Inventory all internet-facing applications, with particular attention to critical ICS devices. Immediately disconnect any internet-facing device that doesn’t need to be connected.
- Ensure that any internet-facing ICS devices have proper access control.
- Enable multi-factor authentication (MFA) for all exposed services where possible. Consider removing access to services that do not support MFA.
- Ensure all internet-facing devices and applications are properly patched.
- Back up critical resources, such as firmware, software, ladder logic, service contracts, product keys, and configuration information. Verify that the backup is stored offline in a tamper-proof environment.
- Ensure your organization has proper incident management routines, including phone lists to critical personnel.
- Disseminate an awareness message asking the workforce and contractors to be extra-vigilant with regard to email, chats, online meetings, and phone communications.
We also highly recommend that you read the recommendations from CISA regarding critical infrastructure.