Right now, the Russian Federation continues its full-scale invasion of Ukraine. Made under demonstrably false pretenses, this act of war will change much across the world. On the news, we’re seeing terrible updates on explosions, helicopter attacks, and aggressive tanks in places like Kyiv, Kharkiv, Dniepro, or Mariupol.
The world stands with Ukraine, but we also must wonder how the Russian security services and their associated threat actors will next lash out at Ukraine or other nations. Given this latest Russian demonstration of physical violence, attacks against our information or computing systems seem almost quaint or unimportant in comparison.
But we cannot discount the seriousness of the possibility.
Threats of removal from global banking and finance networks now loom over the Russian economy. Security services or allied criminal organizations have wreaked havoc in other countries before over less. The Russian president himself, Vladimir Putin, said that interference from other nations will elicit dire consequences.
Now is the time to take precautions to defend against the kinds of information and computing system attacks we might expect from a hostile nation-state. In this article, we will detail a few categories of attack to prepare against.
Using the information and links provided here, you too will be able to better defend yourself against these particular threats.
3 Nation-State Cyberattacks and How to Avoid Them
1. Ransomware
Ransomware continues to dominate the headlines. Unfortunately, it’s more than just hype:
- The IBM Security X-Force Threat Intelligence Index shows that ransomware was the most reported attack vector in 2021.
- The good news is that law enforcement worldwide has significantly disrupted some ransomware threat actors—most notably REvil (Sodinokibi). The bad news is that more threat actors continue to operate with minimal consequences.
- Worryingly, research tracking attacks in January of 2022 showed that most observed (if not most successful) attack was the NotPetya ransomware worm attack first observed in 2017.
Why is this a problem for you?
- Ransomware not only threatens the availability of affected systems and data but also the confidentiality of the data affected as well.
- The attacker encrypts the files and possesses the means of decryption, demanding a ransom to recover access.
- Ransomware attackers have also been known to extort their victims further. They threaten to disclose the stolen data or make public statements that could harm your reputation or expose you to legal or regulatory liabilities.
- While ransomware attacks that disrupt prominent organizations in dramatic ways have significant sway over market forces and public consciousness, ransomware attacks that disclose data, such as personal financial data or health information can also adversely affect thousands or millions of people.
It's also worth pointing out that ransomware doesn’t necessarily have to disrupt the most used or best-known aspect of your organization. Take the Colonial Pipeline ransomware attack, for example:
- Based on the best public reporting available, the hackers did not infiltrate any industrial control systems, such as pumps or valves, but attacked the back-office part of the organization, including finance and billing.
- Unable to tell who was consuming the product they transported or how much to bill, the pipeline operator chose to shut down until it could recover its normal function.
Ransomware may also have an amplified attack on secondary targets:
- Back in December, the UKG/Kronos ransomware attack shut down the Kronos Private Cloud.
- The ripple effect on its customers, particularly during the holiday season, was incredibly severe.
- Many organizations could not recover timekeeping and payroll functions while Kronos was down for over a month.
Despite all this, there are measures you can take to protect yourself against these attacks. For more information on ransomware, along with tips for improving your technological and human defenses against such, read our article here.
2. Supply Chain Attacks
Software supply chain attacks have actually existed for many years. They burst into public consciousness in late 2020 with the Solar Winds attack.
And since that was also coordinated by Russian actors, we need to now be especially wary of this type of cybersecurity issue.
Supply chain attacks can take several forms:
- Software component attacks: The Log4Shell attack exploits Log4j embedded in numerous common applications like Apache Struts.
- Attacks on fully executable pieces of software: In the Kaseya supply chain attack from mid-2021, attackers breached Kaseya VSA—their remote management tool. They deployed ransomware to nearly 1500 other organizations, including Kaseya’s customers.
- Attacks on third-party services: These fundamentally target a less secure element as a means of accessing a more secure element. For instance, in 2012, attackers gained access to one of Target’s third-party contractors. They were able to traverse an accounts payable portal to then access the retail network and capture payment data.
Speculation about what kinds of supply chain attacks a hostile nation-state would use can be endless. In this case, we must consider Russia’s long ramp-up of threats and military buildup—and of course, their history. It’s entirely possible that their government has one or more of these attacks queued up to disrupt businesses and governments as part of its larger strategy.
To help bolster your defenses against this kind of breach:
- Strongly consider incident response and business continuity exercises.
- Run scenarios as if threat actors have attacked commonly used components in your software supply chain or important third parties or cloud services.
It’s not likely that anyone can guess exactly the component or provider that gets attacked. But taking these steps, along with further preparation for such a circumstance will prove valuable in a swift and effective response to whatever arises.
3. Advanced Persistent Threats (APT)
It’s all in the name: "advanced" meaning sophisticated, and “persistent” meaning exactly that—persistent.
APT is just an idea about the nature of the threat actor and their techniques. But nation-states do wield this type of continuous and covert hacking to gain access systems. Their success can result in potentially devastating consequences for the victim.
The trick to APTs is that they require considerable effort, knowledge, and reconnaissance work of a target organization. If the attackers can find the right convergence of circumstances, even the less sophisticated actors can punch through.
Regarding Russia in particular, we know their actors to be well-equipped and talented. As such, organizations should prepare their defenses accordingly:
- Aggressively patch systems;
- Protect user access, especially remote access and privileged users;
- Monitor event data intelligently; and
- Respond to concerns effectively.
Next Steps for Improving Your Cybersecurity
While the world remains in turmoil, it’s hard to predict what attacks will transpire next. But that doesn’t mean we can’t prepare accordingly. Now, you understand 3 different threats to prepare for, given these unique global circumstances.
Yes, attacks are varied and the effects of successful intrusion are not always predictable. But investing in these core defense strategies for protection against significant threats will pay dividends.
As you continue to build up your cybersecurity within your organization, you may desire further assurances of your defenses against incoming threats.
Over the last few years, the AICPA has released specific reporting guidance that can help you assess your risk posture against these unique threats we mentioned above. Read our articles on these two possible options as you consider what route is best for you:
- What is SOC for Cybersecurity and How It Can Help You (and Your Vendors)
- SOC for Supply Chain: The Who, Why, and What
About the Author
More Content by Schellman Compliance
