IT security in times of the Ukraine war


It is still unclear whether a genuine cyber conflict will be added to the physical war in Ukraine, if such a conflict can be precisely defined at all. In any case, the armed conflict poses a risk to the IT security of companies, even if it remains to be seen how the risk situation will develop.

To protect themselves effectively, companies should keep an eye on current threats and, at the same time, follow security standards even more strictly. An organization's own risk depends on its geographic, business or digital proximity to Ukraine.

Build a defense before the attacks become concrete

So far there have been fewer security incidents connected with the war than feared, and most of them were distributed denial-of-service (DDoS) attacks. Experts have not yet received any confirmed reports of attacks exploiting vulnerabilities in industrial control systems (ICS); such attacks paralyzed parts of Ukraine's power supply in 2015 and 2016. The Curated Intelligence website offers a constantly updated overview of events. How the situation will develop cannot be foreseen. But because war has returned to Europe, companies, government agencies and operators of critical infrastructure (KRITIS) must prepare for the possibility of cyberwar.

The more connected to Ukraine, the more at risk

The risk to IT security obviously increases with physical or digital proximity to Ukraine. Potential victims can be divided into three risk classes.

Risk class 1

Companies and institutions based in Ukraine: they should expect attackers to try to interrupt processes completely; past activity shows this. The availability of services and IT systems is a direct target: DDoS attacks, deletion of data and outages of the network infrastructure are to be feared. The criminals known as "initial access brokers", who continually hunt for vulnerabilities for resale and supply access credentials to networks and systems ahead of attacks, now have an opportunity to sell their findings to the highest bidder. The attackers' arsenal includes tools designed to cause irreparable damage.

These include, for example, the malware CrashOverride and NotPetya, and the HermeticWiper data wiper, associated with the KillDisk malware family. HermeticWiper can be deployed against selected victims or pushed across an IP address range to cause as much damage as possible. Several APT groups have the capability for such an attack, among them Gamaredon, UNC1151 (Ghostwriter), APT29, APT28, Sandworm and Turla. The Conti group has declared its intention to act against targets in Ukraine. Interventions by pro-Ukrainian groups such as Anonymous and GhostSec can also endanger IT infrastructure.

Risk class 2

Companies and institutions connected to Ukraine: so far, cyber attacks have been limited to Ukraine, but it must be assumed that neighboring countries and organizations connected to Ukraine will also be affected. Anyone linked to organizations in the country via VPN or through the supply chain should put their IT security team on alert and prepare to defend. At the same time, those responsible should assess the type of connection and thus the specific risk.

Risk class 3

Companies and institutions in countries supporting Ukraine: this includes all NATO and EU member states. Here the risk is of retaliation by state-backed groups or digital mercenaries. It is quite possible that wiper-like malware has already been pre-positioned, although there is no evidence of this yet. Those responsible have a duty to evaluate the resilience of their security systems and defense plans now, before an actual attack occurs.

Defenses against attackers

Jörg von der Heydt, Regional Director DACH at Bitdefender (Image: Bitdefender).

The security situation remains unclear, but companies can prepare for the potential risks. IT security solutions and services such as Endpoint Detection and Response (EDR) or Managed Detection and Response (MDR) help and are indispensable, but there is also specific homework to do. The following advice applies to all organizations in the risk classes defined above:

  • Patching vulnerabilities known to have been exploited by state-backed APT groups has top priority. A list of relevant known exploited vulnerabilities can be found here.
  • Given the threat from wipers, backups must be kept in a secure, isolated location, the backup processes must be tested, and a complete restore must be rehearsed as part of disaster recovery. Particularly exposed companies should switch off computers and servers that are not critical to IT operations in order to limit the impact of an attack.
  • The infrastructure, the network and the connections between the company's IT and external partners must be monitored continuously. Only then can potential attacks be identified early and defense plans put into action.
  • Phishing campaigns related to Ukraine are currently booming. Cyber criminals exploit the public's willingness to help with ever better crafted scams, and these can have security consequences: captured credentials become the entry ticket to systems and processes. Every employee must be aware of this danger.
  • Standard IT security measures remain important pillars of defense. This includes multi-factor authentication for all remote, privileged or admin access to the network, keeping software up to date, disabling ports and protocols that are not necessary for the business, and reviewing and evaluating the cloud services in use.
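As an added illustration of the first point above (example code written for this page, not Bitdefender's own tooling; every host name, vendor, product, CVE ID and date in it is a placeholder): the script below parses a catalog in the JSON layout CISA uses for its Known Exploited Vulnerabilities (KEV) list, matches it against a small asset inventory and orders the hits so that internet-facing and already-overdue items come first. KEV entries carry no version information, so a hit means "confirm the patch level on this host", not "this host is vulnerable".

```python
"""Prioritise patching against a KEV-style known-exploited catalog.

Added example, not Bitdefender code. It assumes a catalog in the JSON shape
CISA publishes for its KEV list (vulnerabilities[] with cveID, vendorProject,
product, dateAdded, dueDate) and a simple asset inventory. Both inputs below
are constructed sample data: the field names are real, the values are not.
"""
import json
from datetime import date
from typing import Dict, List, Tuple

# Constructed KEV excerpt. CVE IDs, vendors, products and dates are placeholders.
KEV_JSON = """
{
  "title": "KEV catalog (constructed excerpt)",
  "vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleCorp", "product": "EdgeVPN",
     "dateAdded": "2022-02-25", "dueDate": "2022-03-11"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleCorp", "product": "EdgeVPN",
     "dateAdded": "2022-03-04", "dueDate": "2022-04-01"},
    {"cveID": "CVE-0000-0003", "vendorProject": "OtherSoft", "product": "MailGateway",
     "dateAdded": "2022-02-14", "dueDate": "2022-02-28"},
    {"cveID": "CVE-0000-0004", "vendorProject": "OtherSoft", "product": "Spreadsheet",
     "dateAdded": "2022-03-06", "dueDate": "2022-03-20"}
  ]
}
"""

# Constructed asset inventory: what runs where and whether it faces the internet.
INVENTORY = [
    {"host": "vpn01",  "vendor": "ExampleCorp", "product": "EdgeVPN",     "exposure": "internet"},
    {"host": "mail01", "vendor": "OtherSoft",   "product": "MailGateway", "exposure": "internet"},
    {"host": "ws-042", "vendor": "othersoft",   "product": "spreadsheet", "exposure": "internal"},
    {"host": "db01",   "vendor": "ExampleCorp", "product": "Database",    "exposure": "internal"},
]

TODAY = date(2022, 3, 15)  # fixed date so the example is reproducible


def _key(vendor: str, product: str) -> Tuple[str, str]:
    """Normalise vendor/product so inventory spelling variants still match."""
    return vendor.strip().lower(), product.strip().lower()


def index_catalog(kev_text: str) -> Dict[Tuple[str, str], List[dict]]:
    """Parse KEV JSON and group its entries by (vendor, product)."""
    index: Dict[Tuple[str, str], List[dict]] = {}
    for entry in json.loads(kev_text)["vulnerabilities"]:
        index.setdefault(_key(entry["vendorProject"], entry["product"]), []).append(entry)
    return index


def prioritise(inventory: List[dict], kev_text: str, today: date) -> List[dict]:
    """Return one finding per (asset, known-exploited CVE), most urgent first.

    KEV has no version data, so a product match means "check this host",
    not "this host is vulnerable"; the patch level still has to be confirmed.
    """
    index = index_catalog(kev_text)
    findings = []
    for asset in inventory:
        for entry in index.get(_key(asset["vendor"], asset["product"]), []):
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "host": asset["host"],
                "cve": entry["cveID"],
                "exposure": asset["exposure"],
                "due": due,
                "overdue": today > due,
            })
    # Internet-facing first, then anything already past its due date, then by due date.
    findings.sort(key=lambda f: (f["exposure"] != "internet", not f["overdue"], f["due"]))
    return findings


def run_example() -> List[dict]:
    """Run the prioritisation over the constructed inventory and catalog."""
    return prioritise(INVENTORY, KEV_JSON, TODAY)


if __name__ == "__main__":
    for f in run_example():
        flag = "OVERDUE" if f["overdue"] else "due " + f["due"].isoformat()
        print(f"{f['host']:8} {f['cve']}  {f['exposure']:8} {flag}")
```

With the sample data the mail gateway's overdue CVE comes out first, followed by the VPN appliance's two entries and finally the internal workstation; the database server never appears because nothing in the catalog matches it. In practice the catalog would be the real KEV JSON and the inventory would come from the CMDB or EDR agent data, and the product match would be followed by a version check before any patch is declared done.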

Cyber attackers will punish those who are too late in defending themselves. Whether this will happen in the context of the ongoing conflict is still unclear, and expert opinions on the scale of possible cyber attacks differ. Some experts argue, not implausibly, that once war has broken out it is easier to bomb or seize a factory than to shut down its servers; attacks on production and supply facilities have to be prepared well in advance if they are to have a real effect. DDoS attacks or disinformation campaigns that add to uncertainty are more attractive because they are more efficient. EU and NATO countries would certainly be a target for low-level attacks below the threshold of war, of the kind already familiar from peacetime. Underestimating the danger, however, means being unprepared for what can be a considerable risk.

More at Bitdefender.com


About Bitdefender

Bitdefender is a leading global provider of cybersecurity solutions and antivirus software, protecting over 500 million systems in more than 150 countries. Since it was founded in 2001, the company's innovations have consistently ensured excellent security products and intelligent protection for devices, networks and cloud services for private customers and companies. As the supplier of choice, Bitdefender technology is found in 38 percent of security solutions deployed around the world and is trusted and recognized by industry experts, manufacturers and customers alike. www.bitdefender.de


