When the world learned that Russia had invaded Ukraine in late February, outside observers expected a heavy dose of cyberattacks to play out in the invasion’s tactics. But to many people’s surprise, the cyberattacks have been limited and targeted rather than widespread. Russia certainly has demonstrated its cyber power and capabilities in the past; a key example was the 2016 incident in which Russian hackers took out Ukraine’s power grid.
So why hasn’t Russia made large-scale cyberattacks a top priority over the last five weeks?
We know that the GRU (aka the Russian Main Intelligence Directorate, not the character in Despicable Me) was involved in the Distributed Denial of Service (DDoS) attacks against the Ukrainian financial sector in mid-February. Another report, from The Washington Post, indicated that Russian military spy hackers attacked a key satellite broadband service. According to U.S. intelligence experts, this cyberattack did cause a disruption in Ukraine’s military communications efforts last month.
Are more cyberattacks coming?
In preparation for an escalation of cyberattacks on U.S. infrastructure, the White House put out a statement suggesting that Russia could conduct malicious cyber activity against the United States. The White House urged each at-risk U.S. company to “harden its cyber security defenses … to strengthen the cybersecurity and resilience of the critical services and technologies Americans rely on.”
Despite these fears and expectations, little serious activity has occurred. One reason is the Russian government and military assumed that victory would be straightforward and swift, and physical force would be the only means necessary. As a result, cyberattacks, and their complex planning and implementation, would not be required.
A second scenario is that even as the war has dragged on, restraint in the area of cyber warfare has prevailed. A major Russian cyberattack against the U.S. or NATO would potentially draw these formidable forces into the conflict in a much more meaningful way.
Another school of thought is that our defenses are actually better than many people assumed. Beyond the U.S. and our NATO allies, even Ukraine’s defenses are much more solid than they were six years ago. Ukraine spent time and money to shore up its cyber defense structures in the aftermath of its past experience with Russian hackers attacking its power grid in 2016.
Some have also speculated that the crowdsourced force of cybersecurity talent both inside and outside of Ukraine has helped provide a level of protection against Russian attacks. At the same time, we know that a large number of hackers have come together to aid the Russian effort.
It is this group of unorganized, decentralized hackers who have likely created the most activity over the past month and a half, and who will continue to do so. However, it is the organized, advanced cyber weaponry of a government-backed entity that could create the greatest damage. And it isn’t just Russia we should be looking at, considering there is evidence to suggest China coordinated hacking attempts on over 600 websites belonging to the defense ministry in Kyiv, along with medical and education institutions, leading up to the invasion.
Many experts would say that more attempts are still coming: advanced attacks take extensive planning, coordination, and implementation time, and they are still being formulated against us.
So no matter which scenario or scenarios hold true, CISOs need to stay more vigilant than ever to protect against these threats emerging from both the hacker community and government-backed organizations.
Protect the network and cloud systems
Planning for a potential worst-case scenario is always top of mind for those who work in security roles – now more than ever. While there are many attack vectors, one logical and straightforward strategy would leverage compromised credentials from key employees of your organization. With those credentials, adversaries have unfettered access to your systems and can go after your internal or cloud-based infrastructure, taking it offline.
How can you better protect your firm against such an attack? Consider these four practices:
- Make sure you have your employees’ identities and access control credentials locked down to the greatest extent possible. Hopefully, two-factor or multi-factor authentication is already in place. Two-step or multi-step authentication can better protect your firm against exposed credentials being put to harmful use.
- Enforce frequent password resets for employees so that compromised passwords no longer work.
- Review your incident response playbooks and processes. Many companies have deployed SOAR solutions to help with incident response. It is critical to run drills or tabletop exercises with your teams to make sure you can effectively respond when an attack occurs.
- Information sharing with partners and peers must become standard practice. CISOs need to consider sharing threat data and best practices with these external organizations. We have talked about this issue for years, and there is still a great deal of reluctance. Protecting your industry, company, and country should outweigh the fear of disclosing problems.
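The first two practices above (MFA everywhere, and no long-lived passwords) are only as good as your ability to find the accounts that violate them. The script below is an added example, not code from the original article: it audits a constructed set of user records for accounts without MFA and for passwords older than a rotation threshold, and ranks the findings so privileged accounts surface first. The record fields (`privileged`, `mfa_enabled`, `password_last_set`) and the 90-day threshold are assumptions standing in for whatever your identity provider exports and your policy specifies.

```python
"""Identity-hygiene audit (added example; field names and threshold are assumed).

Finds two of the conditions the article warns about:
  * accounts with multi-factor authentication disabled
  * passwords older than the rotation threshold
Findings are ordered by severity so privileged accounts are handled first.
"""
from dataclasses import dataclass
from datetime import date, timedelta

MAX_PASSWORD_AGE_DAYS = 90  # assumed policy threshold, not from the article

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class UserRecord:
    username: str
    privileged: bool        # admin, finance, or other high-value role (assumed field)
    mfa_enabled: bool
    password_last_set: date


def audit_identities(users, today, max_age_days=MAX_PASSWORD_AGE_DAYS):
    """Return (username, issue, severity) tuples, most severe first.

    A missing second factor on a privileged account is always "high";
    on a regular account it is "medium". A stale password is "high" for
    privileged accounts and "low" otherwise, since MFA still stands in the way.
    """
    cutoff = today - timedelta(days=max_age_days)
    findings = []
    for u in users:
        if not u.mfa_enabled:
            findings.append((u.username, "mfa_disabled",
                             "high" if u.privileged else "medium"))
        if u.password_last_set < cutoff:
            age_days = (today - u.password_last_set).days
            findings.append((u.username, f"password_age_{age_days}d",
                             "high" if u.privileged else "low"))
    # Stable sort: severity first, then username; insertion order breaks ties.
    findings.sort(key=lambda f: (SEVERITY_ORDER[f[2]], f[0]))
    return findings


# Constructed sample data standing in for an identity-provider export.
SAMPLE_USERS = [
    UserRecord("alice", privileged=True,  mfa_enabled=True,  password_last_set=date(2022, 3, 15)),
    UserRecord("bob",   privileged=True,  mfa_enabled=False, password_last_set=date(2021, 11, 1)),
    UserRecord("carol", privileged=False, mfa_enabled=False, password_last_set=date(2022, 2, 10)),
    UserRecord("dave",  privileged=False, mfa_enabled=True,  password_last_set=date(2021, 12, 20)),
]
AUDIT_DATE = date(2022, 4, 1)  # fixed "today" so the sample output is reproducible


def run_sample_audit():
    """Audit the constructed sample against the fixed audit date."""
    return audit_identities(SAMPLE_USERS, AUDIT_DATE)


if __name__ == "__main__":
    for username, issue, severity in run_sample_audit():
        print(f"{severity:6s} {username:8s} {issue}")
```

Run it against a real export by replacing `SAMPLE_USERS` with records built from your identity provider's data; the `high` findings are the ones to fix before the next tabletop exercise, because a privileged account with no second factor is exactly the credential an adversary wants.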
Several different industry organizations are involved in data sharing, like IT-ISAC and ISAOs, but this activity can also take place at a more grassroots level. For example, you can set up a private Zoom call with a few peers in the industry to share information. You’ll be surprised by the knowledge you’ll gain and how eager some are to share what they know in this area.
Some experts have called for more (or less) government intervention in cybersecurity matters. However, I think that’s a topic for another article.
In the meantime, we as industry leaders need to step up our corporate defenses and keep tabs on our partners for new and evolving security risks. It can only help us as information architects to build the most powerful framework against any possible cybersecurity risks.