While the continuous and dynamic evolution of malicious cyber adversaries and threats has shown no signs of slowing in recent years, a large portion of the criminal activity has been determined to be emanating from within Russian borders.
Of course, the official Russian government response has been to emphatically deny any sanctioned involvement with the growing influx of malicious cyberattacks threatening organizations and nation-states around the globe. However, the reality is that digital forensic analysis has led multiple US federal agencies to determine that some of the most devastating cyberattacks in recent memory have been perpetrated by stated-sponsored threat actors and criminal gangs operating within Russian borders.
As these threats continue to evolve, organizations are facing greater demands for precautionary measures in the face of limited geopolitical action from the global community.
Federal Agencies Warn Against Russia-Borne Threats
When it comes to an official response, building a case against any Russian government officials for fostering global cybercrime activities that are traced back to within their nation’s borders is an entirely separate and unique diplomatic endeavor.
The fact remains that criminal cyber operations (whether state-sponsored or not) originating within Russia are believed to be operating with at least tacit acknowledgement from Russian government officials.
The devastation caused by such sophisticated and successful attacks, primarily aimed at critical infrastructure, has spurred several US federal agencies to publish a joint Cybersecurity Advisory (CSA) warning organizations of the types of threats stemming from this region, and offering mitigation solutions. The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and National Security Agency (NSA) published the CSA to showcase the types of cyber operations; commonly observed tactics, techniques, and procedures (TTPs); detection actions; incident response guidance; and mitigations. Organizations with potential exposure to Russia-based cyberattacks should be sure to review the advisory.
Cyber Challenges Keep the Cold War at Room Temperature
Federal agencies have been consistently adding to a growing list of complex vulnerabilities known to have been exploited by Russian state-sponsored advanced persistent threat (APT) actors.
These vulnerabilities have affected a wide range of solutions from various technology vendors, including but not limited to: Fortinet, Cisco, Oracle, Citrix, and Microsoft. As each of these vulnerabilities are tied to well-known network services or management solutions, such vulnerabilities often result in supply chain attacks that threaten each and every organization that has chosen to adopt and deploy these popular products.
Such attacks have displayed the adversaries’ ability to maintain persistent and long-term access, undetected, often using legitimate credentials. The technological requirements, considerable expense, and orchestrated sophistication necessary to engage in such devastating and consistent attack campaigns has led officials to direct more of their blame toward a Russian government viewed as complacent in the criminal activity originating within its sovereign borders.
Sudden Contradictory Russian Assistance
In a recent twist, and likely the result of considerable international pressure, the Russian government has announced the dismantling of the REvil ransomware gang tied to the May 2021 Colonial Pipeline ransomware attack that crippled oil and gas operations on the East Coast of the US for nearly a week. The FSB, Russia’s domestic intelligence service, announced it had made multiple arrests, ultimately detaining 14 people, as well as considerable supplies of currency, and even luxury cars.
While there has yet to be any independent confirmation of the arrests and property confiscation, this appears to be an example of rare cooperation from Russian authorities. However, this sudden assistance has been viewed by many in the international community as a smokescreen to conceal Russian aggression toward their adversaries in Ukraine. In other words, don’t expect this unusual collaborative law enforcement action to be the start of a trend.
Ukrainian Concerns Take Center Stage
Within hours of Ukrainian security talks between Moscow and Western allies ending with no substantive resolution, Ukraine’s Ministry of Digital Development announced the country had been the victim of a cyberattack. The threat actors defaced roughly 70 government websites with a menacing warning to “be afraid and expect the worst.”
Needless to say, officials squarely laid the blame at Russia’s feet, with Moscow predictably denying any involvement. It appears that Russia’s strategy is to foment chaos and disorder near the Ukrainian border, in order to keep its geopolitical adversaries on the back foot, while amassing troops on the Ukrainian border, all while claiming complete ignorance.
The Ukrainian systems strike, while more of an ominous threat than a destructive attack, is in addition to Russia keeping the door open for any potential military reprisal should specific security demands go unmet. Primarily, these demands include that NATO never admit Kyiv, putting the influence of western allies directly at Russia’s doorstep.
As it appears that greater NATO cyber-defensive cooperation with Ukraine is imminent, all eyes will be on Russia’s official response.
Effective Response Demands Effective Preparation
The best time to develop a response plan to any attack, be it ransomware or a much more sophisticated threat event with nation-state ties, is not while your organization is actively suffering from one.
The mitigation efforts recommended by the joint CSA advisory are primarily focused on added digital diligence. One of the primary methods of mitigating any threat is to develop a comprehensive response plan definitively outlining the various roles and responsibilities shared by personnel during an attack, before an attack actually occurs.
Part of the process of digital diligence is to develop a business continuity plan (BCP) that ensures that critical operational functions are not disrupted during any specific incident. Whether that incident is an act of God or a criminal cyber actor, organizations need to develop incident response plans for addressing these threats prior to becoming the victim of one.
Such plans will demand additional cyber hygiene and security cognizance that will require a comprehensive and thorough effort to apply proper access controls while adhering to a defense-in-depth posture in order to fill any lingering security gaps.
Related Omdia Research (subscription required)