Over the past few days (and as universally predicted), a cyber-offensive has been emerging alongside Russia’s military buildup and eventual invasion of Ukraine.
Evidence of the escalating cyber offensive has been mounting: according to ZDNet, Ukrainian government and financial sites have been hit with “massive” DDoS attacks, and ESET Research has reported that a data-wiper malware dubbed HermeticWiper has impacted hundreds of computers in Ukraine.
The recent attacks come just a month after Microsoft detected and analyzed destructive malware that has been weaponized against Ukrainian organizations. The situation around this specific malware is monitored and analyzed by a number of other cyber security companies around the world.
At the same time, the US DHS CISA (Cybersecurity and Infrastructure Security Agency) has issued a joint US-UK advisory on a new malware from the Russian state-sponsored Sandworm group, which was previously responsible for the notorious BlackEnergy attacks in Ukraine in 2015 and 2016, among many others. This malware, codenamed Cyclops Blink, replaces the infamous VPNFilter, which targeted network devices and, among other capabilities, was able to monitor Modbus protocol traffic, and was therefore used for reconnaissance of ICS networks.
This serves as an indication that VPNFilter’s successor is as capable as, if not more advanced than, its predecessor, and has the ability to target multiple network devices (although the advisory mentions only WatchGuard devices), specifically those exposed to the Internet. Assuming the capabilities of such next-generation cyber warfare tools have not been downgraded, Cyclops Blink and its additional modules (which haven’t been revealed yet) are most probably capable of taking over Internet-facing network devices of small and medium organizations, including critical infrastructures.
Cyber implications of the Russia-Ukraine war
Obviously, the situation is dire for Ukrainian organizations of all sectors, and there’s no reason to believe the cyber-bombardment will end any time soon. What’s more, organizations around the world with ties to Ukraine, or even those unrelated to any Ukrainian entity, may be impacted by collateral damage, either intentional or not.
Since Western governments have imposed and will continue to impose economic and other sanctions against Russian entities, it can be assumed that some Russia-based cyber groups will respond mainly by attacking the financial sector (including with ransomware attacks). And as in the 2017 NotPetya attack, many enterprises with less mature cyber defenses than those of financial enterprises may be impacted by collateral cyber-disruptions.
We recommend that all ICS-based organizations (especially in the critical infrastructure and transportation sectors) take the increased threat of cyber attack very seriously. This is the time to review and implement cyber security protocols, from refresher employee cyber awareness training to emergency network shutdown procedures. It is important to monitor all network activity for anomalies that may indicate breach attempts. Critical network devices, especially Internet-facing devices, should be hardened by implementing multi-factor authentication (MFA) where applicable, closing remote management options and applying the latest security patches.
In addition, OT network operators accountable for the cyber security and resilience of their networks who have not conducted a security review in recent months are strongly encouraged to do so, in order to detect and mitigate vulnerabilities in industrial networked devices, protocols and connections, user authentication schemes or any other possible breach entry point. It’s never too late to be prepared for ransomware and data destruction incidents.
Another important precaution users should take is reviewing enterprise incident response procedures, to ensure proper business continuity and functionality during possible cyber incidents.
The Radiflow team will continue to diligently monitor the latest developments in the cyber-conflict and issue recommendations accordingly. We invite you to contact us to discuss how Radiflow can help you secure your operations.
Please join us in the hope that this conflict will be resolved peacefully soon.