The developing international crisis in Ukraine – which has already seen government websites attacked – is likely to engender further offensive cyber attacks as it unfolds, and concerns are growing that future activity will spread to encompass targets outside of Ukraine, according to Mandiant, which today warned IT security teams across Europe to be on the lookout for malicious activity.
Last week’s cyber attacks saw a hacking group supposedly linked to Belarus, a key Russian ally, use multiple techniques to access their targets, including the compromise of an IT service supplier’s systems, exploits linked to the Log4Shell vulnerability in Apache Log4j2, and distributed denial of service (DDoS) attacks. These were accompanied by a wave of attacks that defaced Ukrainian government websites, supposedly to distract from attempts to manually inject malware into government systems.
Mandiant now believes advanced persistent threat (APT) groups linked to Russia and its allies will conduct further cyber intrusions, as the stand-off continues. Many of these will likely be linked to information gathering and espionage, but the possibility of more aggressive or even destructive cyber attacks should not be discounted, the firm’s analysts warned.
In a post laying out the potential scale of the threat to global organisations, John Hultquist, vice-president of Mandiant Threat Intelligence, said: “Cyber capabilities are a means for states to compete for political, economic and military advantage without the violence and irreversible damage that is likely to escalate to open conflict.
“While information operations and cyber attacks such as the 2016 US election operations and the NotPetya incident can have serious political and economic consequences, Russia may favour them because they can reasonably expect that these operations will not lead to a major escalation in conflict.
“Mandiant recommends that defenders take proactive steps to harden their networks against [destructive attacks] and has provided a guide to this process…for free to the public,” wrote Hultquist.
Hultquist said Kremlin-backed cyber espionage APTs such as UNC2452, Turla and APT28 would “almost certainly” have received tasking to gather intelligence around the crisis, leveraging their expertise in penetrating government, military and diplomatic targets to gather intelligence for Moscow. Other groups, including some that operate out of the separatist Donbass region of Ukraine, and Crimea, which was annexed by Russia in 2014 and has been illegally occupied since then, may also be pressed into service.
Meanwhile, information, or rather dis- and misinformation operations, including the creation of fabricated content and the manipulation of social media platforms, are likely already happening, and one can expect to see more such campaigns targeting countries in Eastern Europe – such as Nato members Romania and Bulgaria, from which Russia is now demanding the alliance withdraw.
Information campaigns have become a regular feature of Russian cyber activity, seeking to control narratives and implant new ones that advance Moscow’s interests by exploiting divisions within and between the nation states it is targeting, undermining confidence in democratic institutions, and sewing distrust within blocs such as Nato and the European Union (EU).
Such campaigns have included the use of forged documents and doctored photographs, which were successfully used against Estonia in a recent campaign dubbed Secondary Infektion. In other cases, Russian information operations have leant on third parties, including journalists and activists, to try to “launder” falsehoods.
Destructive attacks more infrequent
Disruptive and destructive cyber attacks have historically been less frequently used elements of Russia’s cyber arsenal when compared to espionage and misinformation campaigns, although when used they have had deep and long-lasting impacts – NotPetya (which targeted Ukraine but spread much further) by the so-called Sandworm APT being probably the most notable.
Such attacks take a variety of forms, from the DDoS attacks already seen, to more complex attacks on critical national infrastructure (CNI), with the most effective such attacks – NotPetya again being a highly relevant example – focusing on causing damage to critical targets with extensive downstream networks of users, customers and dependencies.
Such attacks do, however, require more hands-on work and thus have a longer lead time. In the context of the current crisis in Ukraine, this could suggest that such attacks, if they occur, will target organisations that have already been compromised well in advance. Alternatively, said Mandiant, more destructive tools could be used against a larger group of targets simultaneously, most likely through strategic web compromises and software supply chains. At the same time, warned Mandiant, such attackers would likely try to obfuscate their actions by planting false flags, fabricating evidence of culpability, making misleading statements to pin attacks on others, and so on.
Beyond government and public sector organisations, those most at risk would likely include transport and logistics, financial services and media, and it is possible that in some circumstances, ransomware groups would also be leveraged, the Russian government having “unmatched access” to criminal cyber capabilities, noted Hultquist.