As images of the war on the ground in Ukraine have dominated news across 2022, another, less visible cyber war against Ukraine has played out across computers, websites and servers all over the world. At a recent Head Resourcing IT Leadership Forum, our speaker, from a leading cyber security consultancy that advises the government on security, shared the challenges observed in the online conflict.
While some Ukrainian organisations such as military and governmental bodies were unsurprising early targets, attacks have been tracked across almost all Ukrainian critical sectors, including telecom service providers, financial institutions, and media outlets. Although these sectors have seen increased threats from non-state hacking groups over recent years, earlier incidents were normally designed to temporarily disable services in order to extract a ransom on the promise of restoring service or files. In comparison, attacks on Ukrainian bodies were predominantly intended to destroy data and permanently damage systems in order to create disruption and aid the Russian war effort. This was echoed by Victor Zhora, Ukraine’s lead cybersecurity official, who described one newly discovered malware strain, “Industroyer2”, at a US conference in late 2022. The malware was able to control electrical substation software and cause power blackouts, as well as cause long-term damage to industrial equipment.
As the war continued, the wide range of cyber attacks drew in many EU and US technology companies as they supported their Ukrainian clients. The nature of the modern distributed internet means that while attacks are launched against servers running websites and services for Ukrainian companies, many of those servers are actually based outside Ukraine and hosted by multinational companies, blurring the lines of where the war starts and ends. Microsoft reported this year that it had detected Russian network intrusion efforts against 128 organisations in 42 countries outside Ukraine, while Google’s Threat Analysis Group (TAG) warned that the Russia-based Conti cybercrime group was attacking Ukrainian organisations and European non-governmental organisations (NGOs).
Many agencies have also been actively working to protect their customers’ essential services and data against this unprecedented flood of threats. This round-the-clock work has involved monitoring, event triage and continuous threat hunting on Ukrainian systems, in addition to providing strategic and practical advice to IT teams on the ground. The talk also touched on the practical difficulties faced by Ukrainian IT teams working to defend against cyber attacks and restore the systems affected by them. Many teams are already depleted because staff have been called up for military service. For those that remain, many obstacles have to be overcome before any IT work can begin, including intermittent power supplies, determining which server sites are safe to visit, and maintaining communications while the normal channels are disrupted. The low numbers of available staff and the huge efforts required put teams under incredible stress.
The bleak picture painted of the scale of attacks resulting from the war in Ukraine, and of its cyber spillover, leads to a question: is there anything that businesses can do to protect themselves against a threat of this scale? The talk offered two possible rays of hope for CISOs and IT managers.
Firstly, IT security best practice is as important as ever. While Russia does have teams that build advanced attacks exploiting zero-day vulnerabilities, these are relatively rarely seen in use because of their high value. The largest volume of attacks target known vulnerabilities and can often be prevented or mitigated by keeping software patched, implementing two-factor authentication for services, using up-to-date malware monitoring and maintaining off-site backups.
Secondly, while few businesses have the resources to run dedicated information security teams, tech partners such as Google (which recently acquired Mandiant) and Microsoft allow smaller IT teams to tap into the same level of protection that very large businesses, and even governments, rely on.
In an era of ever-expanding cyber threats, it’s more important than ever for businesses to invest in cyber security skills and in teams with experience of working with third parties to secure their digital footprint.