Organisations in the UK are being urged to bolster their cyber security defences as the Russian invasion of Ukraine escalates.
The incursion has been accompanied by a flurry of cyber attacks from hackers on both sides of the conflict. Some of those assaults are directly tied to ground operations, such as Russia’s malware attack on the Ukrainian military hours before it launched a full-scale invasion.
Kremlin-sponsored hackers also launched a phishing campaign using a Ukrainian soldier’s email address to disrupt efforts to help refugees flee the country.
Other attacks have more broadly political motives. A group of Ukrainian hackers took the Moscow Stock Exchange offline on Monday, while the hacking collective Anonymous, which has declared “cyber war” against Russia, said it had taken down RT News, the Russian state-controlled television network.
The group tweeted: “Anonymous has ongoing operations to keep .ru government websites offline, and to push information to the Russian people so they can be free of Putin’s state censorship machine.”
The UK’s NCSC (National Cyber Security Centre) has already warned businesses that they could be targeted by Russian cyber criminals.
It said: “UK organisations are being urged to bolster their cyber security resilience in response to the malicious cyber incidents in and around Ukraine.”
It later transpired that, prior to that warning, the UK Foreign Office had been hacked by a suspected nation state.
Since then, the UK has strengthened its sanctions against Russia, which could put it in the firing line.
IT Governance Systems and Security Engineer Adam Seamons believes those sanctions could result in “retaliatory attacks”.
He said: “Business leaders of critical infrastructure such as the power suppliers, oil, gas, telecoms, and financial services should expect DDoS (distributed denial-of-service) and ransomware style attacks. I’d also expect public services, hospitals and schools to be targeted.”
DDoS attacks have been the most common weapon in the cyber war so far. Unlike most attacks, the goal isn’t to steal sensitive information but to overwhelm the target’s websites or network links with more traffic than they can handle, so that legitimate users can no longer reach them.
Such attacks are typically conducted to render services unavailable, create confusion and damage morale. They cause no lasting damage to data, which is why a well-prepared target can often restore service within hours.
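As an added illustration (not part of the original article), the following Python script shows the simplest form of DDoS detection a defender can run over web-server access logs: counting requests per source address in a sliding time window and flagging addresses that exceed a threshold. The log lines, IP addresses, window size and threshold are all constructed for the example. A real volumetric attack is normally absorbed upstream (at an ISP or CDN scrubbing service) before it reaches an application log, and attackers spread traffic across many sources, so a per-IP count like this catches only crude, single-source floods; it is still the first thing to run when a site is slow and nobody yet knows why.

```python
"""Sliding-window request-rate detection over web-server access log lines.

Added example (not from the original article). Assumes Apache/nginx
combined log format; the sample lines, addresses and thresholds are
constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined log format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, request) for a combined-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("time"), TIME_FMT)
    except ValueError:
        return None
    return m.group("ip"), ts, m.group("req")


def detect_floods(lines, window_seconds=10, max_requests=20):
    """Flag source IPs that send more than max_requests in window_seconds.

    Per IP, a deque of recent timestamps forms a sliding window, so memory
    is bounded by the window length rather than by the log size. Returns a
    dict {ip: peak_requests_in_window} containing only the offenders.
    """
    recent = defaultdict(deque)
    offenders = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed line: skip it, never crash the detector
        ip, ts, _request = parsed
        q = recent[ip]
        q.append(ts)
        # Evict timestamps older than the window relative to this request.
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > max_requests:
            offenders[ip] = max(offenders.get(ip, 0), len(q))
    return offenders


def sample_log():
    """Constructed log lines: one source hammering /login, one normal client."""
    base = datetime(2022, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(60):  # 6 requests per second for 10 seconds
        t = base + timedelta(seconds=i // 6)
        lines.append(
            f'203.0.113.7 - - [{t.strftime(TIME_FMT)}] "GET /login HTTP/1.1" '
            f'503 0 "-" "curl/7.68.0"'
        )
    for i in range(5):  # a normal visitor, one request every two seconds
        t = base + timedelta(seconds=2 * i)
        lines.append(
            f'198.51.100.4 - - [{t.strftime(TIME_FMT)}] "GET /index.html HTTP/1.1" '
            f'200 4096 "-" "Mozilla/5.0"'
        )
    lines.append("not a log line at all")  # exercises the malformed-line path
    return lines


if __name__ == "__main__":
    for ip, peak in detect_floods(sample_log()).items():
        print(f"{ip}: {peak} requests inside a 10 s window")
```

Running it reports only the constructed attacker, `203.0.113.7`, with a peak of 60 requests in the window; the normal visitor never exceeds the threshold and the malformed line is skipped. In practice you would feed the output into a firewall or rate-limiter rather than print it, and you would tune the window and threshold against a baseline of normal traffic so that a legitimate burst (a newsletter link, a sale) is not blocked as an attack.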
An online war
There is obviously a lot more at stake in this conflict than the possibility of criminal hackers affecting organisations’ websites and other operations. However, cyber attacks have proven to be a useful political tool, with hacking groups on both sides of the conflict compromising systems to gain a political, economic and military advantage.
The cyber battle began in earnest hours before Russia launched its full-scale invasion, with state-sponsored attackers hitting Ukraine’s government and military with a wave of DDoS attacks.
“Another mass DDoS attack on our state [has] begun,” Ukraine’s Digital Transformation Minister Mykhaylo Fedorov wrote on Telegram.
The damage was short-lived, with a researcher telling BBC News that Ukraine has “seen a more rapid recovery, likely due to preparedness and increased capacity to implement mitigations.
“Despite this, the incident is ongoing, with latency and outages continuing at the Security Service of Ukraine, which points to the severity of the incident.”
This incident gained widespread attention because of its timing. It occurred just over 12 hours before Vladimir Putin gave a televised address announcing the incursion, which suggests that it was part of a co-ordinated attack.
But that attack was just the latest in Russia’s cyber aggression against Ukraine. In January, the country was accused of instigating a similar attack against the Ukrainian Ministry of Foreign Affairs and the Education Ministry.
The hackers defaced government websites to display the message: “Be afraid and expect the worst”.
In 2015, part of the Ukrainian power grid was shut down in an attack that was reportedly conducted by Russian forces. Two years later, Russia was again alleged to have targeted Ukrainian essential services with ‘NotPetya’, destructive malware that was disguised as ransomware but offered victims no realistic way to recover their encrypted data.
In 2020, the US government charged six Russian intelligence officers thought to be responsible for the incident.
John Demers, the US assistant attorney general for national security, said: “No country has weaponized its cyber capabilities as maliciously or irresponsibly as Russia, wantonly causing unprecedented damage to pursue small tactical advantages and to satisfy fits of spite.”
Now that an invasion is underway, there are fears that Russia might use its cyber capabilities to support ground forces. Power lines and communication channels are the most obvious targets, potentially giving Russian forces the upper hand during conflicts.
If you’re facing a cyber attack, IT Governance is here to help. Our Emergency Cyber Incident Response service provides the help you need to deal with the threat, as our experts guide you through the recovery process.
They’ll review the breach, mitigate the damage and ensure that you are up and running again as soon as possible.
Just as Russia has used cyber attacks to support hard power, so have opposition forces. In January, the Belarusian hacktivist group Cyber Partisans, which opposes the Lukashenko regime and supports Ukraine, launched a pre-emptive cyber attack on the Belarusian railway system after discovering that it was being used by Russia to transport tanks and weapons into the region.
Speaking to Ars Technica, a representative for the hackers said: “The government continues to suppress the free will of Belarusians, imprison innocent people, they continue to unlawfully keep […] thousands of political prisoners.”
Cyber Partisans added: “The major goal is to overthrow [Belarusian President] Lukashenko’s regime, keep the sovereignty and build a democratic state with the rule of law, independent institutions and protection of human rights.”
As the threat of cyber attacks and counter-attacks grew, the EU announced that it was deploying a cyber rapid-response team across Europe, following a call for help from Ukraine.
Ukraine has also taken steps to bolster its cyber warfare capabilities. A senior Ukrainian defence ministry official contacted Yegor Aushev, the co-founder of Kyiv-based cyber security company CyberUnit, asking him to recruit volunteers.
Aushev, who is known for promoting the development of ethical hacking, created a Google Docs form with the message: “Ukrainian cybercommunity! It’s time to get involved in the cyber defense of our country”.
Volunteers are asked to list their cyber skills, and those who are accepted are divided into “defensive and offensive” teams.
Defensive volunteers are reportedly tasked with protecting critical assets, such as energy and water utilities, whereas the offensive group are working with Ukraine’s military to conduct cyber espionage.
The Ukrainian government has also called for volunteers to join its ‘IT Army’, which seeks volunteers regardless of their technical expertise.
More than 175,000 people have joined and have been given a series of tasks, including flooding Russian websites with traffic as part of DDoS attacks. Targets have so far included banks, government websites and the energy giant Gazprom.
Anonymous joins the fight
On Thursday, 24 February – hours after Vladimir Putin announced the invasion – the hacking group Anonymous declared cyber warfare on Russia.
“The Anonymous collective is officially in cyber war against the Russian government,” the group tweeted.
In the days since, Anonymous has launched several DDoS attacks and has claimed credit for outages at RT News and Russia’s Ministry of Defence.
The group also says that it has compromised Russian state TV channels, posting pro-Ukrainian content and displaying images from the invasion.
The group’s informal – not to mention anonymous – nature means that it’s usually difficult to attribute attacks to the group directly. However, RT News has credited its outage to the collective, suggesting that it takes Anonymous’s declaration of war seriously.
However, it’s important to keep Anonymous’s actions in the context of the overall war effort. As one Anonymous splinter group admits: “DDoS [attacks] alone will not bring down a regime”.
Rather, the group’s intention is to “keep the Russian IT apparatus busy and to provide Putin’s hacker troops […] with defensive work so that they cannot do anything in Ukraine or the West.
“Obtaining information is also an important point and you just don’t see a lot of what activists are currently doing.”
That’s not to suggest that we should celebrate any report of a cyber attack against Russia. With individuals and independent groups acting freely, there is the risk that an attack could do more harm than good.
J. Michael Daniel, the head of Cyber Threat Alliance and former White House cyber coordinator for President Barack Obama, warned that sophisticated attacks, such as worms, could create spillover incidents that go beyond their intended target.
“You could take anything from emergency services, health care systems, or other things offline without meaning to. Which both has an immediate impact – you could hurt civilians inside Russia – and it could also inadvertently escalate things if the Russians perceive that as a direct order,” he said.
Likewise, hackers must avoid frivolous and unfounded attacks, which could undermine reports of genuine and successful intrusions. For example, a group affiliated with Anonymous called NB6 claimed this week to have hacked Roscosmos, Russia’s space agency.
The group posted on Twitter: “#Russia has no more control over their own Spy-Satellites”.
However, the space agency’s chief executive has denied that it has been affected, and there is no evidence to support NB6’s assertion.
If hackers can’t prove that their attacks are successful – or demonstrate the purpose of the incident – it will dampen the public’s reaction to these stories.
Remember, in cyber warfare, attacks are often conducted to demoralise or confuse the opponent.
However, if the target can simply dismiss the attack and doesn’t show any damage, it will have the opposite effect – making their defences look strong and the hacker’s attacks ineffectual.
The threat to the UK
As promising as it is to see volunteers striking back against Russian actors, it only increases the threat of bystanders falling victim.
We saw this with NotPetya, an attack aimed at Ukrainian organisations (it was seeded through a poisoned update to M.E.Doc, an accounting package widely used in Ukraine) that ended up infecting organisations across the globe. Once inside a network, the malware spread by itself, using stolen administrator credentials and the same SMB exploits as WannaCry, so any multinational with a connection to an infected Ukrainian office was hit, and the attackers made no attempt to contain it.
But as the UK joins the fight – both in sanctioning the Russian government and sending volunteer fighters – there is also the threat that it becomes an active target.
An Isle of Man-based organisation has already claimed to have fallen victim to a cyber attack “of Russian origin” – although it’s doubtful that the attackers were affiliated with the war effort.
Of greater concern is the announcement that the NHS has been put on cyber attack alert.
NHS England warned trusts that they could be targeted by state-sponsored hackers, and urged them to ensure that their IT systems are “patched and protected, and that immutable backups are in place”.
Speaking at the HSJ Digital Transformation Summit last week, the UK’s secretary of state for health and social care, Sajid Javid, said: “I think it’s sensible for us to be prepared for all types of Russian action.
“It would be inappropriate for me and the government to discuss the kind of preparations we make, and exactly the form. But I think it’s common sense to be prepared.”
He added: “The shocking events of the past few weeks have reminded us of cyber attacks and how established a form of conflict they’ve now become, and we can only make these digital reforms if we keep the system safe from those who want to cause us harm.
“A chain is only as strong as its weakest link, and we are shoring up cyber resilience in all parts of health and care, backed by over £300m of investment since 2017. In this period we have prevented four major cyberattacks which could have caused a catastrophic impact on the front line.”
How to protect your organisation
The key to defending against Russian cyber attacks or spillover attacks conducted by either side is no different from any other type of attack.
Organisations should implement multifactor authentication, apply security updates promptly (particularly on internet-facing systems), ensure that employees have strong, unique passwords, and keep offline or immutable backups that a ransomware infection cannot reach.
These measures will help protect you from many of the threats we’ve discussed in this blog, including phishing emails, ransomware and intrusions caused by hackers exploiting known vulnerabilities.
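To make the multifactor-authentication advice concrete, here is an added example (not code from the original article or from IT Governance) of the time-based one-time password scheme (RFC 6238) that authenticator apps implement, together with the server-side check that a login system would run. It uses only the Python standard library and the RFC’s published test secret; the class, function and variable names are this example’s own. Two details matter in practice and are handled here: the server must tolerate a little clock drift, and it must refuse to accept a code that has already been used, otherwise an attacker who sees a code (over the shoulder, or via a phishing page that relays it) can log in with it within the same 30-second window.

```python
"""Time-based one-time password (RFC 6238) generation and verification.

Added example (not from the original article). Uses only the standard
library: HMAC-SHA1, 30-second steps, 6 digits, which is what authenticator
apps default to. The verifier accepts one step of clock skew either side and
refuses a code for a counter it has already consumed (replay protection).
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 6238 test secret, ASCII "12345678901234567890", base32-encoded as a
# user would receive it in an otpauth:// enrolment URI.
TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: truncate HMAC-SHA1(secret, counter) to a decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // step, digits)


def secret_from_base32(encoded: str) -> bytes:
    """Decode the base32 secret shared with the user's authenticator app."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)          # restore stripped padding
    return base64.b32decode(cleaned)


class TotpVerifier:
    """Server-side check for one user's TOTP secret.

    window=1 tolerates one step of clock drift in either direction. The
    highest counter already accepted is remembered so that the same code,
    or any older one, is rejected if presented again.
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self._last_counter = -1  # in a real system this lives in the user record

    def verify(self, code: str, unix_time: Optional[int] = None) -> bool:
        code = code.strip()
        if len(code) != self.digits or not (code.isascii() and code.isdigit()):
            return False                            # malformed input
        now = int(time.time()) if unix_time is None else unix_time
        counter = now // self.step
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= self._last_counter:
                continue  # already consumed (or negative): treat as replay
            expected = hotp(self.secret, c, self.digits)
            if hmac.compare_digest(expected, code):  # constant-time comparison
                self._last_counter = c
                return True
        return False


if __name__ == "__main__":
    secret = secret_from_base32(TEST_SECRET_B32)
    print(totp(secret, 59))                        # RFC 6238 vector: 287082
    v = TotpVerifier(secret)
    print(v.verify("287082", 59), v.verify("287082", 59))  # True, then False
```

The values asserted against are the RFC 6238 Appendix B vectors, so a correct implementation can be checked without any network access. Note what this scheme does not protect against: a phishing page that relays the code to the real site in real time succeeds within the validity window, which is why phishing-resistant factors (FIDO2/WebAuthn security keys or platform authenticators) are preferred for administrators and other high-value accounts.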
We also recommend that organisations conduct a penetration test as soon as possible.
The process is essentially a controlled form of hacking in which an organisation hires someone to look for vulnerabilities in its networks or applications.
A penetration tester will use the same techniques as a criminal hacker, giving the organisation a unique insight into the way its systems might be targeted in a real-world scenario.
Penetration tests can help organisations identify:
- Inadequate or improper configuration;
- Hardware or software flaws;
- Operational weaknesses in processes or technical countermeasures; and/or
- Employees’ susceptibility to phishing and other social engineering attacks.
With this information, organisations can bolster their defences and stay one step ahead of attackers.
IT Governance is a CREST-accredited penetration testing provider, and we offer services that are aligned with your business requirements and budget.
You can find out more about penetration testing by speaking to one of our experts or by downloading our free green paper: Assured Security – Getting cyber secure with penetration testing.
A version of this blog was originally published on 24 February 2022.