As the war continues and sanctions harden, the probability for more widespread retaliatory cyberattacks rises.
The number of organizations and private individuals pulling out of Russia grows every day. This includes suppliers of critical IT components and infrastructure. As sanctions exert increasing pressure, we assess with low confidence that the Russian Government may resort to the confiscation of foreign-owned IT resources. These resources could be obtained from the recently vacated offices of foreign companies and persons. It is therefore vital that organizations decoupling themselves from their Russian, Belarusian, or Russian-occupied Ukrainian work sites take the appropriate actions to secure their IT infrastructure.
Nixu Threat Intelligence assesses with moderate confidence that pulling out of Russia has an even chance of antagonizing local employees – aggravating factors may include poor communication and a halt on salary payments. We, therefore, assess with low confidence that there is an unlikely chance that an employee may become an insider threat. One of the most damaging forms of insider attack is a situation in which a disgruntled employee with an appropriate level of access sells it to a ransomware gang. The employee’s and gang’s aim may be to punish the departing foreign company. As of yet, attacks of this nature have not been observed. In addition to this threat, we assess with moderate confidence that there is an even chance for intellectual property theft.
Nixu Threat Intelligence assesses with low confidence that there is an even chance the retaliatory measures will be targeted following a logic that takes into consideration a company’s home country, sector, and economic importance. This somewhat approximate logic would be followed due to the large number of organizations pulling out, making more specific targeting a burdensome task. We assess with moderate confidence that primary targets would most likely be government and financial services, with the main attack method being DDoS.
Russia has recently identified the following governments as unfriendly: https://tass.com/politics/1418197
- Transfer or maintain offline backups outside of the impacted regions.
- Remove IT resources, backups, servers, etc. from the impacted regions.
- Practice network segmentation with access from internal ‘hostile’ networks limited.
- Disable former or temporarily suspended employee user accounts and VPN access to the main external networks.
- Practice disaster recovery plans for scenarios involving the sale of access to your network from an insider threat. Consider the inside actor likely having local user access.
- IT assets to be left behind, such as workstations and servers, should be encrypted.