The war between Russia and Ukraine has escalated rapidly and substantially. Since the crisis began, over 80% of cyberattacks worldwide have been targeting Russia or Ukraine. However, organizations in the U.S. should not assume that cyber conflict will not reach our shores. Information security professionals are warning organizations worldwide that the current situation is likely, as UK tech publication The Register put it, “the quiet before the cyber-storm.” Most at risk from state-sponsored cyberattacks are government agencies, financial services, local government, healthcare facilities, utilities, transportation networks, and other critical infrastructure. In the run-up to the Russia-Ukraine war, cybercrime groups linked to Russia attacked U.S. natural gas producers in what appeared to be a “prepositioning” campaign, meaning that threat actors were attempting to establish a presence inside networks in preparation for a larger attack later on.
What is a state-sponsored cyber attack?

Most cybercriminals are motivated by money. They attack organizations with deep pockets with the end goal of stealing valuable data for resale on the Dark Web, encrypting systems to force a ransom payment, or, in the case of a double extortion ransomware attack, both. Conversely, state-sponsored threat actors, also known as nation-state threat actors, have more in common with “hacktivists.” Like hacktivists, state-sponsored actors are motivated by ideology, not money. However, unlike hacktivists, state-sponsored actors are well-trained, well-funded, and well-resourced by their sponsoring nation-state, with access to highly advanced hardware and attack tools. Nation-states utilize cyber threat actors to achieve political, commercial, and military objectives while maintaining a thin shroud of deniability. Rarely is a threat actor an official government employee. The end goals of state-sponsored cyberattacks vary widely and include:
- Espionage. This broad category encompasses everything from stealing military, medical, and trade secrets to uncovering information about political dissidents.
- Attacking critical infrastructure, including stopping operations through system encryption or a DDoS attack, possibly to cause disruption as part of a wider-scale cyber or real-world terrorist attack.
- Attacking key companies, such as financial firms and logistics companies, again to cause widespread disruption and social unrest.
- Spreading disinformation, including website defacements and “fake news” on social media.
Notable examples of state-sponsored and state-linked cyberattacks include:
- Stuxnet (2010), a malware worm widely believed to have been created jointly by the U.S. and Israeli intelligence agencies. Stuxnet caused significant damage to the Natanz nuclear facility in Iran. The classified program to develop Stuxnet was allegedly given the code name “Operation Olympic Games.”
- NotPetya (2017) was a Trojan used in a cyberattack that primarily targeted Ukraine but quickly mushroomed into an extremely disruptive global malware outbreak. NotPetya leveraged a Windows exploit called EternalBlue – which was developed by and stolen from the U.S. National Security Agency (NSA). It is widely believed that Russia was behind the NotPetya attack.
- A single compromised password caused the Colonial Pipeline ransomware attack (2021), which forced the shutdown of the largest fuel pipeline in the U.S. Later, the company paid a $5 million ransom to DarkSide, a Russia-linked cybercrime group.
- Over the past two years, at least 52 critical infrastructure organizations in the U.S., including manufacturing, energy, financial services, government, and information technology organizations, have been attacked with Ragnar Locker ransomware. To date, the cybercrime group behind Ragnar Locker has publicly released stolen data from at least 10 of these organizations.
How organizations can protect themselves

State-sponsored cyberattacks are notoriously difficult to stop. Payments to threat actors are made in cryptocurrency, making it very difficult or impossible to trace senders and receivers. Even when threat actors are identified, they generally live abroad, and U.S. authorities have no jurisdiction to apprehend them. However, there are proactive steps organizations can take to prevent attacks from happening in the first place, such as:
- Perform a security assessment to evaluate the organization’s current security posture and identify areas for improvement. Security frameworks such as the NIST Cybersecurity Framework are an excellent guide to security best practices.
- Run a Dark Web scan to determine if any employee credentials have been compromised.
- Ensure system backups are working properly.
- Consider restricting web traffic based on risky geographic locations.
- Ensure security alerts are being monitored and addressed in near real-time.
- Review the organization’s cybersecurity insurance policy. Obtain cyber insurance if the organization does not already have it.
- Take advantage of CISA’s new free cyber resources for public and private-sector firms.