On Thursday, February 24th, Russia began invading Ukraine with a combination of physical strikes and cyberattacks on banks, security services, and government websites in Ukraine. Government officials have issued multiple warnings that retaliatory cyberattacks on critical infrastructure will hit the US and the European Union countries imposing sanctions against Russia. As we wait and hope for a diplomatic resolution to this political conflict, nations are gearing up for the possibility that the situation will escalate further, setting the world stage for the possibility of war. But what form will that war take? Will this global conflict be characterized as the first official cyberwar in history?
While state-sponsored APTs are already a constant concern for security professionals, the implications of the current political situation between Russia and Ukraine lead us to consider the possibility of hybrid warfare and large, organized strikes across our virtual fronts. This concern is supported by the Gerasimov Doctrine, an outline of how to advance Russia’s political goals using hybrid warfare tactics, which Russia has applied since 2008, beginning with cyberattacks on Georgia, then on Ukraine from 2014, and on Syria from 2015.
Russian cyberattacks on critical infrastructure are nothing new, whether from criminal groups or state-sponsored APTs, but what constitutes an act of “cyberwarfare” is a gray area. While last year’s attack on the Colonial Pipeline turned heads by demonstrating Russian hackers’ capacity to breach critical infrastructure, the breach lacked both a clear state actor and the level of aggressive force that international law requires to deem it an act of war. Similarly, the ongoing DDoS and malware attacks on Ukraine, including HermeticWiper and WhisperGate, give Russia a shroud of plausible deniability and show restrained force: disruptive outages calibrated to generate confusion and internal conflict without undue risk.
Russia has a demonstrated history of using covert strategies such as spreading disinformation and interfering with communications channels to fragment political alliances. Now that the format is virtual, it is easier than ever for Russia to compromise legitimate companies and information sources and use them as launching platforms for broader goals such as gaining access to more strategic targets and better intel. CISA Alert AA22-047A, issued February 16, details how Russia has used exactly this tactic to compromise small defense contractors and gather sensitive intel from US defense networks since January 2020.
Security professionals must gear up for a potential increase in attacks, whether or not they’re deemed “cyberwarfare.” For many organizations, this is a difficult ask: cyber risk management is already a complex and overwhelming issue. Below, we share some guidance to help you simplify and improve your security risk posture and drastically reduce the odds that your organization will be compromised.
Anticipating the fallout from political tensions over Russia’s advances toward Ukraine, CISA Alert AA22-011A, issued back in January, advises organizations to strengthen their security posture and defenses against the threat of future cyberattacks on the US supply chain. The alert warns of a potential Russian-backed retaliatory wave of attacks on critical US infrastructure that could eclipse the Colonial Pipeline shutdown that grabbed headlines last year. Accompanying the alert, CISA, the FBI, and the NSA released the AA22-011A Joint Cybersecurity Advisory, “Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure,” which includes guidance and recommendations for companies seeking to strengthen their security posture. In summary, these agencies provide broad advice to:
Using CISA’s official checklist gives organizations a place to assess their current security posture and start hardening defenses, with the advice to implement a zero trust architecture, prioritize threat hunting, and leverage key information-sharing sources for the most up-to-date threat intel. In support of organizations’ collective mission to improve their security postures and develop strong practices and programs, Zscaler has a proven track record of providing customers with innovative solutions and intel that simplify security transformation and speed broad cyber risk reduction.
To protect your organization from collateral damage, it is important to lay a solid foundation for addressing cyber risk and eliminating attack vectors. While there are many existing security tools that can protect against specific types of threats, implementing a complete zero trust strategy is the most effective way to reduce risk overall.
Zscaler helps organizations adopt zero trust. The Zscaler Zero Trust Exchange for users and workloads delivers enhanced cyber protection and user experience for secure access across your internal and external applications, to help you:
Consider the attack chain of a ransomware attack: first, attackers perform reconnaissance to understand your assets and security controls. Then, they compromise your system (perhaps using phishing, an exploit, or credential stuffing), move laterally to escalate privileges and infect as many systems as possible, exfiltrate any data that they’d like to use for extortion purposes, and then encrypt your data.
Zero trust uses inspection and policy-driven conditional access to minimize the success of each of these steps and maximize resiliency. In the above example, the Zscaler Zero Trust Exchange hides your attack surface, inspects and analyzes all traffic to prevent intrusion, keeps attackers from moving laterally, and stops sensitive data from being exfiltrated to command-and-control servers. These multi-layered defenses disrupt every stage of the ransomware attack chain and help you quickly uncover and stop advanced threat actors before they can cause harm.
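The attack chain above is also the backbone of a simple staged detection: rather than alerting on any single event, a defender maps telemetry onto the stages (lateral movement, exfiltration to an unknown destination, bulk encryption) and raises a finding when several of them chain together on one host. The following is an added example written for this post, not Zscaler code or any product’s logic; the thresholds, the destination allowlist, and the sample telemetry are all constructed assumptions for illustration.

```python
"""Stage-aware ransomware-chain detection over constructed endpoint telemetry.

Added illustration (not Zscaler's code): each host's events are checked against
three stages of the chain described in the post, and a finding is raised only
when at least two stages appear on the same host.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Assumed thresholds for this illustration; tune to your own environment.
LATERAL_TARGETS = 3                # distinct internal hosts reached by one source
LATERAL_WINDOW_S = 60              # ...within this many seconds
EXFIL_BYTES = 100 * 1024 * 1024    # 100 MiB sent to a destination not on the allowlist
RENAME_COUNT = 20                  # distinct files renamed to a new extension
RENAME_WINDOW_S = 60               # ...within this many seconds


@dataclass(frozen=True)
class Event:
    ts: int                         # seconds since start of the observation window
    host: str                       # endpoint that generated the event
    kind: str                       # "auth", "net", or "file"
    detail: dict = field(default_factory=dict)


# Constructed sample telemetry (not real data). ws-01 walks the whole chain;
# ws-07 is ordinary activity that should not produce a finding.
ALLOWLIST = {"198.51.100.2"}        # assumed: the only sanctioned external destination
SAMPLE_EVENTS: List[Event] = [
    Event(0, "ws-01", "auth", {"target": "ws-02", "method": "ntlm", "ok": True}),
    Event(5, "ws-01", "auth", {"target": "fs-01", "method": "ntlm", "ok": True}),
    Event(9, "ws-01", "auth", {"target": "dc-01", "method": "ntlm", "ok": True}),
    Event(60, "ws-01", "net", {"dst": "203.0.113.7", "bytes_out": 450_000_000}),
    Event(3, "ws-07", "auth", {"target": "fs-01", "method": "kerberos", "ok": True}),
    Event(10, "ws-07", "net", {"dst": "198.51.100.2", "bytes_out": 1_200}),
    Event(30, "ws-07", "file", {"op": "rename", "path": r"C:\Users\a\draft.docx"}),
    Event(31, "ws-07", "file", {"op": "rename", "path": r"C:\Users\a\final.docx"}),
] + [
    # 25 distinct files renamed within 25 seconds: the encryption stage.
    Event(120 + i, "ws-01", "file", {"op": "rename", "path": rf"C:\share\doc{i}.docx"})
    for i in range(25)
]


def _window_hit(events: List[Event], window: int, threshold: int,
                key: Callable[[Event], str]) -> bool:
    """True if `threshold` distinct key() values occur within any `window` seconds."""
    ordered = sorted(events, key=lambda e: e.ts)
    for i, start in enumerate(ordered):
        seen = set()
        for e in ordered[i:]:
            if e.ts - start.ts > window:
                break
            seen.add(key(e))
            if len(seen) >= threshold:
                return True
    return False


def detect_stages(events: List[Event], allowlist: set) -> Dict[str, List[str]]:
    """Map each host to the attack-chain stages its telemetry exhibits."""
    by_host: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        by_host[e.host].append(e)

    result: Dict[str, List[str]] = {}
    for host, evs in by_host.items():
        stages: List[str] = []

        # Lateral movement: one source authenticating to many internal hosts quickly.
        auths = [e for e in evs if e.kind == "auth" and e.detail.get("ok")]
        if _window_hit(auths, LATERAL_WINDOW_S, LATERAL_TARGETS, lambda e: e.detail["target"]):
            stages.append("lateral_movement")

        # Exfiltration: large outbound volume to a destination policy does not allow.
        out_bytes: Dict[str, int] = defaultdict(int)
        for e in evs:
            if e.kind == "net" and e.detail["dst"] not in allowlist:
                out_bytes[e.detail["dst"]] += e.detail["bytes_out"]
        if any(b >= EXFIL_BYTES for b in out_bytes.values()):
            stages.append("exfiltration")

        # Encryption: a burst of renames across many distinct files.
        renames = [e for e in evs if e.kind == "file" and e.detail.get("op") == "rename"]
        if _window_hit(renames, RENAME_WINDOW_S, RENAME_COUNT, lambda e: e.detail["path"]):
            stages.append("encryption")

        if stages:
            result[host] = stages
    return result


def chained_findings(stages_by_host: Dict[str, List[str]], min_stages: int = 2) -> Dict[str, List[str]]:
    """Keep only hosts where multiple stages chain together (higher-confidence findings)."""
    return {h: s for h, s in stages_by_host.items() if len(s) >= min_stages}


if __name__ == "__main__":
    for host, stages in chained_findings(detect_stages(SAMPLE_EVENTS, ALLOWLIST)).items():
        print(f"{host}: {' > '.join(stages)}")
```

The allowlist check is the policy-driven piece: under a zero trust posture, outbound traffic to a destination that policy does not explicitly permit is itself a signal, independent of volume, and the volume threshold only ranks it. Requiring two or more stages on the same host is what keeps a single noisy event (a backup job renaming files, a legitimate admin touching several servers) from paging anyone on its own.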
To learn more about how a zero trust architecture can help you protect against cyberattacks and harden your security posture, visit this page.
With novel threats like WhisperGate, wiper malware that masquerades as ransomware, being discovered all the time, you need enhanced visibility and expert determinations to detect new exploits and advanced threat behavior. Most security teams don’t have dedicated headcount for threat hunting, so they typically organize threat hunting activities with key members across the organization on an ad hoc or periodic basis. To make this strategy a success, it is important to leverage additional insight that can verify and contextualize your team’s findings. If you are a Zscaler customer, you have access to real-time telemetry from the Zscaler cloud, the world’s largest security cloud and feed, which provides the context your threat hunting program needs to stay on track and close gaps in your security program.
It is essential to stay up to date on the latest discoveries and advances with updates from information sources you can trust. CISA recommends subscribing to its mailing list and feeds to receive notifications about new security topics and threats. One way Zscaler supports our customers and the larger SecOps community is by sharing our latest security research findings from ThreatLabz. Put a formal SecOps plan in place that covers how your team will collect and triage intel from trusted sources and how it will respond by making critical updates as efficiently as possible. Check out the latest threats and discover critical insights from Zscaler Security Advisories, backed by ThreatLabz’s continuous threat research across millions of real-time samples.
As the security landscape grows in complexity and new threats evolve across the globe, the Zscaler team is here to provide direction and guidance on the best ways to keep your organization safe. In the face of this political conflict, our mission is to help support the whole community of cybersecurity professionals tasked with the difficult job of preparing their defenses against the world’s most advanced threats. To this end, we remain committed to diligent research, timely information sharing, and rapid assessments to help secure our customers, community, and all the people, infrastructure, supply chains, and services that they protect.
For more detailed information on the cyberattacks against Ukraine visit:
ThreatLabz Technical Analysis: HermeticWiper & resurgence of targeted attacks on Ukraine
ThreatLabz Technical Analysis: PartyTicket Ransomware linked to HermeticWiper