There are indicators that Russia will deploy cyberattacks on an unprecedented level in its continued hybrid warfare in Ukraine. Furthermore, these attacks are likely to hit beyond Ukraine and reach allies around the world.
As a possibly related example, last week, ransomware gang Conti released a statement vowing to retaliate against critical infrastructure if cyberattacks are launched against Russia.
Providing insight into the nature of recent and future attacks, from LogPoint's point of view, is Christian Have, CTO at LogPoint (and former head of network security for the Danish National Police; he is also a guest lecturer on cybersecurity at leading Danish universities).
Digital Journal: What is known about the Conti attacks?
Christian Have: The ransomware gang Conti has issued a statement saying it will strike back at critical infrastructure if anyone targets Russia. Intelligence agencies in the US and UK warn against a new type of malware that can withstand the typical remedies. They attribute it to the hacker group Sandworm, responsible for the infamous wiper NotPetya in 2017 – a reminder of the damage well-funded and state-sponsored attackers can inflict. More new malware types are likely to emerge as the war progresses, escalating cyber turmoil. Recently we are seeing Belarusian UNC1151 ramp up activities. Organizations in Ukraine and NATO countries continue to have to focus on improving defense and response capabilities to defend themselves against unknown cyber threats.
DJ: How can threat protection be improved?
Have: Detecting never-before-seen cyberattacks is possible. Even highly capable and advanced state-sponsored attackers leave digital tracks. The key to protecting organizations against new types of malware is anomaly detection. Detecting threats requires a varied set of tools and capabilities. If a nation-state threat actor initiates a malware campaign using phishing with a malicious word document as their delivery vehicle, monitoring how the operating system behaves is critical.
In that case, opening the Word document is likely to trigger some kind of execution of malicious code spawned by a new process. Setting up an alert that detects if your Word application suddenly starts a new child process is trivial to set up, but will give you an early warning that something is afoot. Early warnings and established procedures greatly improve the chances of detecting and stopping attacks, even novel attacks from well-funded nation-state attackers.
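The "Word spawns a child process" early warning described above, written out as a small detector over process-creation events. This is an added example and not code from the interview, from Digital Journal or from LogPoint. It assumes Sysmon-style Event ID 1 field names (ParentImage, Image, CommandLine, Computer) serialized as JSON lines, and the allowlist of benign children and the list of high-risk children are constructed starting points that an analyst would tune to their own environment; the sample events are constructed for the example.

```python
import json
from typing import Optional

# Office parents whose child-process creation is worth an alert.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Children Office spawns legitimately. Constructed allowlist (assumption, tune
# per environment); splwow64.exe is the print spooler proxy on 64-bit Windows.
BENIGN_CHILDREN = {"splwow64.exe"}

# Script hosts and system utilities that an Office parent should almost never
# launch directly; a hit on one of these raises the alert severity.
HIGH_RISK_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                      "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_event(event: dict) -> Optional[dict]:
    """Evaluate one process-creation event.

    Returns an alert dict when an Office process spawned a child that is not on
    the allowlist, otherwise None.
    """
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    if parent not in OFFICE_PARENTS or child in BENIGN_CHILDREN:
        return None
    return {
        "rule": "office_spawns_child_process",
        "severity": "high" if child in HIGH_RISK_CHILDREN else "medium",
        "host": event.get("Computer", "unknown"),
        "parent": parent,
        "child": child,
        "command_line": event.get("CommandLine", ""),
    }


def scan(lines) -> list:
    """Run check_event over an iterable of JSON lines; skip malformed lines."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a bad log line must not stop the pipeline
        alert = check_event(event)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Printing from Word: allowlisted child, no alert.
    '{"Computer": "WS01", "ParentImage": "C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office16\\\\WINWORD.EXE", '
    '"Image": "C:\\\\Windows\\\\splwow64.exe", "CommandLine": "splwow64.exe 8192"}',
    # Word launching a command shell: high-severity alert.
    '{"Computer": "WS01", "ParentImage": "C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office16\\\\WINWORD.EXE", '
    '"Image": "C:\\\\Windows\\\\System32\\\\cmd.exe", "CommandLine": "cmd.exe /c echo hello"}',
    # Explorer launching Word: Office is the child, not the parent, no alert.
    '{"Computer": "WS02", "ParentImage": "C:\\\\Windows\\\\explorer.exe", '
    '"Image": "C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office16\\\\WINWORD.EXE", "CommandLine": "WINWORD.EXE"}',
    # Excel launching Notepad: unusual but not a script host, medium severity.
    '{"Computer": "WS02", "ParentImage": "C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office16\\\\EXCEL.EXE", '
    '"Image": "C:\\\\Windows\\\\notepad.exe", "CommandLine": "notepad.exe"}',
    'this line is not JSON and is skipped',
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['host']}: {a['parent']} -> {a['child']} ({a['command_line']})")
```

The parent/child pairing is the whole rule; the allowlist is what keeps it from paging on every print job, and the high-risk list is what lets a SOC triage the hit from Word to cmd.exe ahead of the one from Excel to Notepad. The same logic maps directly onto a Sigma rule keyed on ParentImage and Image, which is the portable form Have asks intelligence agencies to share.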
DJ: What are the cyber-related danger signs?
Have: Knowing what to look for is difficult. Intelligence agencies across the globe strongly recommend that organizations heighten their cyber defenses. While the recommendations are sensible, they do not offer much tangible advice, leaving many organizations struggling to understand exactly what to do. We call upon the intelligence agencies to share more tactical advice, such as validated Sigma, STIX or MISP attack descriptions, that organizations can apply regardless of what security controls they use.