Russia's war of aggression continues in Ukraine with the situation fluctuating every hour. The cyber threat landscape is also experiencing changes of its own.
Cyberattacks against Ukraine have thus far been more limited than expected. This contradicts what many came to expect from a Russian kinetic invasion. To date, we have not made any observations that would cause us to fear the type of damage that resulted from NotPetya in 2017.
Nixu Threat Intelligence Bulletin #4: Russia's War in Ukraine
Threat Intelligence Team
March 8, 2022 at 16:00
As the war continues and sanctions harden, the probability for more widespread retaliatory cyberattacks rises.
IT Resources
The number of organizations and private individuals pulling out of Russia grows every day. This includes suppliers of critical IT components and infrastructure. As sanctions exert increasing pressure, we assess with low confidence that the Russian Government may resort to the confiscation of foreign-owned IT resources. These resources could be obtained from the recently vacated offices of foreign companies and persons. It is therefore vital that organizations decoupling themselves from their Russian, Belarusian, or Russian-occupied Ukrainian work sites take the appropriate actions to secure their IT infrastructure.
Insider Threat
Nixu Threat Intelligence assesses with moderate confidence that pulling out of Russia has an even chance of antagonizing local employees – aggravating factors may include poor communication and a halt on salary payments. We, therefore, assess with low confidence that there is an unlikely chance that an employee may become an insider threat. One of the most damaging forms of insider attack is a situation in which a disgruntled employee with an appropriate level of access sells it to a ransomware gang. The employee’s and gang’s aim may be to punish the departing foreign company. As of yet, attacks of this nature have not been observed. In addition to this threat, we assess with moderate confidence that there is an even chance for intellectual property theft.
Distributed Denial-of-Service
Nixu Threat Intelligence assesses with low confidence that there is an even chance the retaliatory measures will be targeted following a logic that takes into consideration a company’s home country, sector, and economic importance. This somewhat approximate logic would be followed due to the large number of organizations pulling out, making more specific targeting a burdensome task. We assess with moderate confidence that primary targets would most likely be government and financial services, with the main attack method being DDoS.
Russia has recently identified the following governments as unfriendly: https://tass.com/politics/1418197
Recommendations
- Transfer or maintain offline backups outside of the impacted regions.
- Remove IT resources, backups, servers, etc. from the impacted regions.
- Practice network segmentation with access from internal ‘hostile’ networks limited.
- Disable former or temporarily suspended employee user accounts and VPN access to the main external networks.
- Practice disaster recovery plans for scenarios involving the sale of access to your network from an insider threat. Consider the inside actor likely having local user access.
- IT assets to be left behind, such as workstations and servers, should be encrypted.