
'Now is the time' says Cisco as Ukraine cyber threats grow


As cyberattacks continue to be waged against Ukraine, carriers and data centre operators are being urged to assess the traffic controls they have in place.

The advice was shared by Nick Biasini, head of outreach at Cisco Talos, speaking to Capacity after the attack on Ukrtelecom earlier this week. Executed on Monday, this attack disrupted nationwide access to the internet, including military, private and enterprise access.

Biasini said that one of the most notable things the war has highlighted for carriers is how to deal with traffic isolation and increased traffic monitoring for specific geographic regions.

He explained: "The resiliency of your data, equipment, infrastructure is going to be increasingly important. You may have this type of scenario now where you have this region of the world where something is going on and you need to either be able to isolate that traffic, analyse it more thoroughly, or shut it off completely.

"If you don't have mechanisms in place to do that, now is the time to start planning for that eventuality because this has really proven that this is a possibility that we are going to have to deal with," Biasini continued.
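The capability Biasini describes (isolate, analyse more thoroughly, or shut off traffic from a given region) comes down to a prefix-to-region lookup and a per-region action table. The following is an added illustration, not code from Cisco Talos or from the article: it classifies NetFlow-style flow summaries by source prefix with longest-prefix matching, applies a PASS/MIRROR/ISOLATE/DROP policy, and reports which regions in the prefix table have no explicit policy and so silently fall through to the default. The prefix table and flow records are constructed for the example; a carrier would feed them from a GeoIP or routing source and from its collectors.

```python
"""Region-aware traffic policy over flow records (added example)."""
import ipaddress
from collections import defaultdict

# Constructed prefix table: documentation and private ranges stand in for
# real geo-allocated space. Longest prefix wins, so the /16 carve-out below
# overrides its enclosing /8.
PREFIX_REGIONS = {
    "203.0.113.0/24": "region-A",
    "198.51.100.0/24": "region-B",
    "192.0.2.0/24": "region-C",
    "10.0.0.0/8": "internal",
    "10.20.0.0/16": "partner",   # carve-out inside 10/8
}

# Per-region action: PASS, MIRROR (copy to analysis), ISOLATE (steer into a
# quarantine VRF / scrubbing path), DROP. Regions missing here get DEFAULT.
REGION_POLICY = {
    "region-A": "DROP",
    "region-B": "ISOLATE",
    "region-C": "MIRROR",
    "partner": "PASS",
}
DEFAULT_ACTION = "PASS"


def _build_table(prefixes):
    nets = [(ipaddress.ip_network(p), r) for p, r in prefixes.items()]
    # Descending prefix length so the first hit is the longest match.
    return sorted(nets, key=lambda nr: nr[0].prefixlen, reverse=True)


_TABLE = _build_table(PREFIX_REGIONS)


def region_of(ip):
    """Longest-prefix match of a source address to a region label."""
    addr = ipaddress.ip_address(ip)
    for net, region in _TABLE:
        if addr in net:
            return region
    return "unknown"


def action_for(ip):
    return REGION_POLICY.get(region_of(ip), DEFAULT_ACTION)


# Constructed flow summaries: "src dst bytes", one per line.
SAMPLE_FLOWS = """\
203.0.113.7 172.16.5.10 5200
198.51.100.9 172.16.5.10 800
192.0.2.55 172.16.5.11 12000
10.20.3.4 172.16.5.12 300
10.9.9.9 172.16.5.12 44
192.168.77.5 172.16.5.13 900
"""


def apply_policy(flow_text):
    """Return ({action: total_bytes}, [(src, region, action), ...])."""
    totals = defaultdict(int)
    decisions = []
    for line in flow_text.splitlines():
        src, _dst, nbytes = line.split()
        act = action_for(src)
        totals[act] += int(nbytes)
        decisions.append((src, region_of(src), act))
    return dict(totals), decisions


def policy_gaps():
    """Regions present in the prefix table but absent from REGION_POLICY.
    Traffic from these inherits DEFAULT_ACTION, which is exactly the
    'no mechanism in place' situation the advice warns about."""
    return sorted(set(PREFIX_REGIONS.values()) - set(REGION_POLICY))


if __name__ == "__main__":
    totals, decisions = apply_policy(SAMPLE_FLOWS)
    for d in decisions:
        print(d)
    print(totals)
    print("regions without an explicit policy:", policy_gaps())
```

The `policy_gaps()` check is the one to run before an incident rather than during it: every region the prefix feed can produce should map to a deliberate action, and "unknown" should be reviewed explicitly rather than left to the default.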

Lying in wait

The attack on Ukrtelecom occurred only days after the State Special Communications Service confirmed that more than 3,000 cyberattacks have been recorded by Ukraine since Russia invaded on 24 February.

Cisco Talos has detected a range of threats, with remote access trojans (RATs) and info stealers notably prominent. Defacements and wiper activity are also of concern, with Biasini reporting that multiple variations of wipers were likely deployed in the region before the invasion.

"The wipers themselves have been deployed using something called GPO [Group Policy Object], which is a mechanism to deploy software in a network. That implies they had access ahead of time, because it requires access to do that kind of stuff," Biasini said.

"A lot of these types of attacks are planned over time. These groups specialise in espionage. Their goal is maintaining access into networks, so this access could have been held for a very long period of time," he added.
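Because a GPO can push a startup script, a scheduled task or a package to every domain-joined machine, the SYSVOL policy tree is where a defender looks for that kind of staging. The script below is an added illustration, not Talos code and not a description of what happened at Ukrtelecom: it walks a SYSVOL-shaped `Policies` directory, pulls the commands from each GPO's `Machine\Scripts\scripts.ini` startup entries and from any Group Policy Preferences `ScheduledTasks.xml`, reads the `Version` from `GPT.INI`, and flags GPOs touched in the last week. The directory tree it inspects is constructed in a temporary folder so the example runs offline; the GPO names, paths and commands in it are invented. Against a real domain you would point `hunt()` at the `Policies` folder of the SYSVOL share (real `scripts.ini` files are often UTF-16, so pass an encoding accordingly).

```python
"""Hunt SYSVOL for GPOs able to run code on every machine (added example)."""
import configparser
import tempfile
import time
import xml.etree.ElementTree as ET
from pathlib import Path

RECENT_SECONDS = 7 * 24 * 3600  # flag GPOs modified within the last week


def _gpt_version(gpo_dir):
    """GPT.INI carries [General] Version=<int>, bumped on every edit."""
    ini = configparser.ConfigParser()
    ini.read(gpo_dir / "GPT.INI")
    return ini.getint("General", "Version", fallback=-1)


def _startup_commands(gpo_dir):
    """Startup scripts are listed in scripts.ini as NCmdLine= entries."""
    path = gpo_dir / "Machine" / "Scripts" / "scripts.ini"
    if not path.exists():
        return []
    ini = configparser.ConfigParser()
    ini.read(path)  # configparser lower-cases keys: 0CmdLine -> 0cmdline
    if not ini.has_section("Startup"):
        return []
    return [v for k, v in ini.items("Startup") if k.endswith("cmdline")]


def _scheduled_task_commands(gpo_dir):
    """GPP ScheduledTasks.xml: each task's Exec/Command is what will run."""
    path = gpo_dir / "Machine" / "Preferences" / "ScheduledTasks" / "ScheduledTasks.xml"
    if not path.exists():
        return []
    root = ET.parse(path).getroot()
    return [c.text for c in root.iter("Command") if c.text]


def hunt(policies_root, now=None):
    """Return one finding per GPO that carries executable payload."""
    now = time.time() if now is None else now
    findings = []
    for gpo_dir in sorted(Path(policies_root).iterdir()):
        if not gpo_dir.is_dir():
            continue
        cmds = _startup_commands(gpo_dir) + _scheduled_task_commands(gpo_dir)
        mtime = max((p.stat().st_mtime for p in gpo_dir.rglob("*") if p.is_file()), default=0)
        if cmds:
            findings.append({
                "gpo": gpo_dir.name,
                "version": _gpt_version(gpo_dir),
                "commands": cmds,
                "recently_modified": (now - mtime) < RECENT_SECONDS,
            })
    return findings


def build_sample_sysvol(root):
    """Constructed SYSVOL fragment: one benign GPO and one that pushes a
    binary via a startup script plus an immediate scheduled task."""
    root = Path(root)
    benign = root / "{11111111-1111-1111-1111-111111111111}"
    (benign / "Machine").mkdir(parents=True)
    (benign / "GPT.INI").write_text("[General]\nVersion=3\n")
    (benign / "Machine" / "Registry.pol").write_bytes(b"PReg")

    bad = root / "{22222222-2222-2222-2222-222222222222}"
    (bad / "Machine" / "Scripts" / "Startup").mkdir(parents=True)
    (bad / "Machine" / "Preferences" / "ScheduledTasks").mkdir(parents=True)
    (bad / "GPT.INI").write_text("[General]\nVersion=917512\n")
    (bad / "Machine" / "Scripts" / "scripts.ini").write_text(
        "[Startup]\n0CmdLine=\\\\dc01\\share\\update.exe\n0Parameters=\n")
    (bad / "Machine" / "Preferences" / "ScheduledTasks" / "ScheduledTasks.xml").write_text(
        '<ScheduledTasks><ImmediateTaskV2 name="sync"><Properties><Task>'
        '<Actions><Exec><Command>C:\\Windows\\Temp\\cl.exe</Command></Exec>'
        '</Actions></Task></Properties></ImmediateTaskV2></ScheduledTasks>')
    return root


def run_demo():
    with tempfile.TemporaryDirectory() as tmp:
        return hunt(build_sample_sysvol(tmp))


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

A single sweep only tells you what is there now; the useful signal is the delta, so keep the previous run's GPO names, versions and command lists and alert on new commands or version bumps on GPOs that normally never change.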

On the impact for those who have active networks – or network-dependent businesses – Biasini said: "CISA [the US Cybersecurity and Infrastructure Security Agency] and the White House have said more recently that this is a time when we are very concerned that cyber activities will occur. They have been saying this type of stuff for a long time and providing recommendations. What they are really saying now is that now is the time that we referred to previously and the likelihood of attack is high.

"Now is the time to make sure you have all those things done. If you don't have MFA involved. If you haven't validated what your posture looks like, if you haven't revisited where you have accepted risk in the past to make sure that you are OK and ready for what may be coming in the near term."

Global network impact

The current threats aren't specific to Ukraine, and Nordics-based Holm Security also raised concerns about long-term espionage activity.

Claus Nielsen, CMO, told Capacity: "The worry should be more focused on what is lurking underneath the surface. What I mean is that just as the military is actively 'monitoring' other nations e.g., to see where they have their military bases located or if they are manufacturing atomic weapons, cyber armies are actively monitoring government installations or in this case communication infrastructure for vulnerabilities that they can eventually use to attack a government’s essential infrastructure when they want to declare 'war'.

"This should be the main concern of any organisation because it is harder to protect against what you can’t see or don’t know," Nielsen added, advising that defences should focus on unknown vulnerabilities.

Talking specifically about the attack on Ukrtelecom earlier this week, Jamie Moles, senior technical manager at ExtraHop, said the events confirmed the fears of CISA and have "nation-scale implications".

"Given Russia demonstrated few qualms about training its cyber-weapons on private entities to disrupt Ukraine’s critical infrastructure, it's only a matter of time before Russia's cyber weapons are trained on new targets outside of Ukraine. Private sector organisations must adopt a heightened security posture and prepare for the likelihood of an attack - particularly those who have been vocal against Russia," he said.

"Digitalisation has indeed redrawn the lines of the battlefield in many ways already, and we're about to see the next era of that as nation-states target the influential private organisations that act against them," he added.

What's of even more concern is that the attacks are succeeding despite Ukraine's cyber defences, which are reportedly strong.

Biasini said: "Ukraine has done a great job in the last several years in the wake of NotPetya five or six years ago; they have done a great job at hardening their defences. It is commonly said that Russia underestimated Ukraine on a lot of fronts, and it appears they underestimated their cyber capabilities, as well."