As the horrendous conflict in Ukraine continues to destroy cities and lives, global cybersecurity professionals are preparing for what many believe is the impending Russian attack against western technology and financial targets.
So far, most of the reported cyberwarfare activity in this conflict has been confined to either Ukrainian or Russian targets.
What We Know So Far
According to the Cybersecurity and Infrastructure Security Agency (CISA), Russian hackers have used wiper malware in January and February to disable systems in Ukraine.
Hitting back, an unidentified person (believed to be Ukrainian) leaked the Russian-based Conti ransomware group’s chats online, embarrassing the group after it announced that it stood with the Russian campaign.
With the exception of one US energy firm reportedly being “successfully infiltrated”, the shoe is still waiting to drop in terms of hackers taking any significant destructive action.
However, with the ramping up of sanctions from American and European governments, there are growing concerns that state-backed/adjacent Russian hackers may choose to retaliate.
Given their long history of using cyberattacks to strike at Western governments and companies, these fears are far from unfounded.
Why Are Financials and Technology Companies Concerned?
Sanctions have been the West’s biggest stick in facing off against the Russians.
Talk of no-fly zones or other direct military action, beyond providing material support, is a non-starter.
Russia made it very clear that they were willing to ratchet up tensions from zero to 11 when they escalated their nuclear threat level in a move aimed at deterring more active Western engagement.
While nobody other than President Vladimir Putin can predict the future, the Russian military likely understands that any move to attack critical infrastructure like an American power plant risks sparking a wider war with NATO.
At the same time, the Russian government could make a stronger case for targeting financials and technology companies, drawing a connection to the sanctions on Russian banks and American tech firms pulling out of Russia.
Over the past decade, Russian state actors have put in the work to gain persistence in these target systems. More specifically, they have demonstrated that they can exploit access control systems using a mix of advanced and brute force attacks to compromise accounts and get around authentication protections like MFA.
They have also expanded their target list beyond the big names, diversifying to include organizations that feed the supply chains of government, tech, and financial institutions.
These organizations are much softer targets and provide easier points of entry into the better defended organizations like Microsoft or the banks with their bigger security budgets and tighter regulatory oversight.
So while the financial institutions and technology companies have concerns about being attacked directly, they know that they should also be worried about their suppliers being exploited.
If an attacker succeeds in taking control of a vendor’s privileged account, then they can inject malicious code or use it for other means of malicious mischief.
Given these well-founded concerns, all organizations need to take precautionary measures not only to reduce their risk of a breach, but also to minimize their blast radius if an attack succeeds.
Actionable Advice for Risk Mitigation
No organization is “hack proof,” but there are key steps that we can take to reduce our overall risk along the spectrum from breach to an adversary reaching our most sensitive crown jewels.
1. Identify Your Sensitive Assets and Privileged Access Accounts
The first step is to know who and what to protect.
Ideally you would make sure that everyone and everything is under the highest layer of protection. But given the massive number of identities and assets in the cloud era, we have to prioritize our efforts.
Figure out which accounts and assets could cause the most damage to your organization if they are compromised. This will give you a base for planning your protection and monitoring going forward, giving them that bit of extra attention that they deserve.
This list includes but is not limited to company IP, customer or financial data, access to your production environment, admins, shadow admins, and others that can have an indirect impact on your security.
2. Implement the Basic Protections
Make sure that everyone, especially admins, is following best practices like enabling MFA on their accounts.
Even if attackers have methods for overcoming security measures, it doesn’t mean that we should make it easy for them. Avoid password reuse, patch/update to the latest secure software/OS versions, and do all the other best practices that you know you should be doing on days when you are not worried about cyberwar.
3. Watch for Suspicious Activity
Keeping an eye on accounts gaining admin privileges or those granting them similar access (shadow admins) is particularly important because it could indicate that an attacker is escalating privileges.
Monitor for new admin access being granted to sensitive resources. This was the method that the Russian state actor group Nobelium used against SolarWinds.
Be on the lookout for previously inactive accounts that have returned to life as well. Attackers can leverage inactive accounts, which are often unmonitored, to exploit their access. See the Colonial Pipeline hack as an example of an old VPN account being used for the attack.
Ideally delete these accounts to avoid troubles ahead.
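As an added illustration of the two checks described in this step (not code from the original post), the following script runs simple detection logic over a constructed audit log: it flags every grant of a privileged role, marks grants made by an actor outside the known admin list as the "shadow admin" pattern, and flags logins by accounts that have been dormant for longer than a threshold. The log format, role names, and last-seen table are assumptions for the example.

```python
import json
from datetime import datetime, timedelta

# Constructed sample audit events as JSON lines; not from any real system.
SAMPLE_LOG = """
{"ts": "2022-03-01T09:00:00", "event": "login", "user": "alice"}
{"ts": "2022-03-01T09:05:00", "event": "role_grant", "actor": "alice", "target": "bob", "role": "admin"}
{"ts": "2022-03-01T09:06:00", "event": "role_grant", "actor": "bob", "target": "svc-build", "role": "owner"}
{"ts": "2022-03-01T10:00:00", "event": "login", "user": "vpn-legacy"}
{"ts": "2022-03-01T10:30:00", "event": "role_grant", "actor": "alice", "target": "carol", "role": "viewer"}
"""
PRIVILEGED_ROLES = {"admin", "owner"}          # assumed role names
KNOWN_ADMINS = {"alice"}                        # the vetted admin list from step 1
# Constructed last-activity dates per account (assumed to come from an IdP export).
LAST_SEEN = {"alice": "2022-02-28", "bob": "2022-02-27", "vpn-legacy": "2021-06-10"}

def parse_events(raw):
    return [json.loads(line) for line in raw.strip().splitlines() if line.strip()]

def find_privilege_grants(events, known_admins=KNOWN_ADMINS):
    """Flag every privileged-role grant. A grant performed by an actor who is not on
    the known admin list is the shadow-admin pattern and gets 'high' severity."""
    alerts = []
    for e in events:
        if e.get("event") == "role_grant" and e.get("role") in PRIVILEGED_ROLES:
            severity = "high" if e["actor"] not in known_admins else "medium"
            alerts.append((e["ts"], e["actor"], e["target"], e["role"], severity))
    return alerts

def find_dormant_reactivations(events, last_seen=LAST_SEEN, dormant_days=90):
    """Flag logins by accounts whose previous activity is older than dormant_days."""
    alerts = []
    for e in events:
        if e.get("event") != "login":
            continue
        prev = last_seen.get(e["user"])
        if prev is None:                        # unknown account: handled elsewhere
            continue
        gap = datetime.fromisoformat(e["ts"]) - datetime.fromisoformat(prev)
        if gap > timedelta(days=dormant_days):
            alerts.append((e["ts"], e["user"], gap.days))
    return alerts

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for a in find_privilege_grants(evs):
        print("PRIV-GRANT", a)
    for a in find_dormant_reactivations(evs):
        print("DORMANT-LOGIN", a)
```

Note that bob's grant to svc-build is flagged high even though bob was given admin one minute earlier: a freshly promoted account immediately handing out further access is exactly the escalation chain this check is meant to surface.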
4. Work Towards Least Privilege
Identities should have exactly the privileges that they need to do their jobs. No more, no less.
Use tools that understand which access privileges make sense for a user to have and which do not. For example, people in finance should not have access to your AWS production environment, and vice versa. You also need to understand which of an identity's access privileges are not being used, and remove them so the user does not end up overprivileged.
Minimizing your blast radius reduces the risk of more serious damages if an account is successfully compromised.
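The two pruning rules from this step, as an added example that is not part of the original post: given each identity's granted permissions, a constructed access log of what was actually exercised, and an assumed per-department policy, the code lists permissions that are granted but unused (candidates to remove) and permissions a department should never hold at all, such as finance holding production access.

```python
# Constructed sample data; not from any real environment.
GRANTED = {
    "alice": {"prod:deploy", "prod:read-secrets", "billing:read"},
    "finance-dan": {"billing:read", "billing:export", "prod:read-secrets"},
    "svc-build": {"prod:deploy", "prod:delete-db"},
}
# Permissions actually exercised in a constructed 90-day access log: (identity, permission).
USAGE_LOG = [
    ("alice", "prod:deploy"), ("alice", "prod:deploy"),
    ("finance-dan", "billing:read"), ("finance-dan", "billing:export"),
    ("svc-build", "prod:deploy"),
]
DEPARTMENT = {"alice": "engineering", "finance-dan": "finance", "svc-build": "engineering"}
# Assumed policy: the permission namespaces each department may hold at all.
ALLOWED_PREFIXES = {"finance": ("billing:",), "engineering": ("prod:",)}

def used_permissions(usage_log):
    """Collapse the log into the set of permissions each identity actually used."""
    used = {}
    for ident, perm in usage_log:
        used.setdefault(ident, set()).add(perm)
    return used

def unused_permissions(granted, usage_log):
    """Granted but never exercised in the log window: remove these first."""
    used = used_permissions(usage_log)
    result = {}
    for ident, perms in granted.items():
        idle = sorted(perms - used.get(ident, set()))
        if idle:
            result[ident] = idle
    return result

def policy_violations(granted, department, allowed_prefixes):
    """Permissions outside the department's allowed namespaces, regardless of usage.
    An identity with no known department matches no prefix, so all its grants are flagged."""
    violations = {}
    for ident, perms in granted.items():
        prefixes = allowed_prefixes.get(department.get(ident, ""), ())
        wrong = sorted(p for p in perms if not p.startswith(prefixes))
        if wrong:
            violations[ident] = wrong
    return violations

if __name__ == "__main__":
    print("unused:", unused_permissions(GRANTED, USAGE_LOG))
    print("policy violations:", policy_violations(GRANTED, DEPARTMENT, ALLOWED_PREFIXES))
```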
5. Confirm That Your Partners and Vendors Are Following Best Practices
Good security starts at home. But we do not work in a vacuum.
Create a process that lets you validate that your partners are taking significant steps to secure their environments.
An upstream breach can impact you downstream, so encourage/require that your vendors hold themselves to risk and security standards that meet your threat model.
Hoping for Peace, Preparing for Conflict
It is still too early to tell how far the cyber component of this conflict will take us.
Russia is feeling intense pressure from being slowly choked off from the global technology and financial systems, which lowers their stake in them and may encourage them to take action.
But we need to remember that a main driver of cyber-attacks is that they are a step or two below that of kinetic conflict.
There is plausible deniability, and it acts as more of a threat of worse actions to come because of the lack of visibility over where the enemy may have penetrated. We are already in a shooting conflict in Ukraine and the stakes are already raised.
While hybrid warfare is now a part of our present and future, the subtleness of cyber may be behind us as the pew-pew shifts to a more resounding bang. Only time and temperaments will tell.
We should take the opportunity now to improve our posture, increase resilience, and hope for quieter days ahead.