Russia’s offensive cyber actions should be a cause for concern for CISOs

Recent cyber attacks against Western entities operating in Ukraine aim to disrupt or conduct espionage. CISOs should be wary of such attacks expanding beyond the Ukrainian border.

While acknowledging there are “not currently any specific credible threats to the U.S.,” Anne Neuberger, deputy national security advisor for cyber, continued how “we’ve been working with the private sector, engaging, sharing specific information, requesting that they act to reduce the cybersecurity risk of their organization, and providing very focused advice on how to do so.”

Neuberger was briefing the global media when she made this observation on February 2 as she spoke to the continued presence of Russian cyber threats to Ukraine and beyond. In her briefing, Neuberger, was unambiguous: “We’ve been warning for weeks and months, both publicly and privately, that cyberattacks could be part of a broad-based Russian effort to destabilize and further invade Ukraine. The Russians have used cyber as a key component of their force projection over the last decade, including previously in Ukraine, in the 2015 timeframe.”

A sense of urgency to tighten cybersecurity posture

While one may posit Neuberger was sending a message from the Administration that, “We see you, Russia,” via the media, she was also hoping to instill a sense of urgency to CISOs to tighten up their cybersecurity posture. In other words, batten down the hatches.

As if on cue, the threat researchers at Unit 42 of Palo Alto Networks published information that they had uncovered targeting of a western government entity (not further identified) in Ukraine by “Gamaredon” (a.k.a. Armageddon, Primitive Bear, Shuckworm, and ACTINIUM). By way of background, Gamaredon was identified in November 2021, by the Security Service of Ukraine (SSU), as being led by five Russian Russian Federal Security Service (FSB) officers, operating under the auspices of the FSB Center for Information Security from their offices located in Russia-occupied Crimea.

In November, the SSU highlighted how the 5,000 attacks by Gamaredon were initated with the goals of:

• Garnering control over critical infrastructure facilities (power plants, heat and water supply systems)
• Acquiring data to include theft and collection of intelligence, including information with restricted access (related to security and defense sector, government agencies)
• Gaining informational and psychological influence
• Blocking information systems

The SSU’s “technical report” on Gamaredon details the creation of the group as well as its ascendancy from obscurity to a viable threat to national infrastructure and credible threat in the cyberintelligence offensive actions.

The Unit 42 report highlights the efforts by the Gamaredon group to leverage an outstanding personnel requirement within Ukraine by a Western government entity. The group uploaded an applicant’s resume in Word format. Gamaredon’s gamble was the payload-loaded resume coming in via an “applicant” would not receive the same level of scrutiny that the group’s targeted phishing emails were receiving. The report also references Estonian CERT report of January 27, 2021, about Gamaredon, which notes that since 2020 the Gamaredon group has been targeting European Union countries using spear-phishing techniques.

Meanwhile, Symantec’s Threat Hunter Team published its own research on January 31, 2022, which notes Shuckworm specializes in “cyber-espionage,” a finding consistent with the SSU’s in November 2021. The Threat Hunter Team’s report provides an interesting case study of the Gamaredon’s attack chain which began with a malicious document. The timeframe of the case study is July 14 through August 18, 2021.

This was followed shortly thereafter by Microsoft’s Threat Intelligence Center and Digital Security Unit on February 4, which shared information on the threat posed by the ACTINIUM group targeting of Ukraine for the past ten years. Their report highlights how this group targets government, military, non-governmental organizations, judiciary, law enforcement, and non-profits. The Microsoft findings mirror those of others, highlighting the group’s efforts are focused on exfiltrating sensitive information, gaining a foothold for sustained access.

Neuberger concluded how the United States is collaborating with the EU and NATO to “enhance national and alliance resilience in cyberspace.” She emphasized that her efforts and those of the United States are to ensure cyber-related contingency plans are in place to “coordinate and support Ukraine and each other in the event that such incidents occur…. We’ve been working with the private sector, engaging, sharing specific information, requesting that they act to reduce the cybersecurity risk of their organization, and providing very focused advice on how to do so.”

On the heels of the above, and as tensions in Ukraine continue to rise, a joint advisory was issued on February 9 by the cybersecurity authorities in the United States, Australia, and the United Kingdom regarding the increased globalized threat of ransomware (Alert (AA22-040A)). The alert highlights the marked increase of ransomware incidents against 14 of 16 U.S. critical infrastructure sectors.

David Klein, cyber evangelist at Cymulate commented, “This alert from the various cyber commands should be taken on board by CISOs as a realization that the U.S. offensive and disruptive activity against ransomware criminals has caused some criminal organizations to drift focus away from 'big game' targets and to go to easier mid-sized targets." In the current climate, it is clear, size is not a determinant to being targeted.