Russian-Ukrainian Cyberwarfare - What You Need to Know
Want to hack Russia? Don't do it
First, let's look at the call to hackers from the Ukrainian Vice Prime Minister. Maybe you, or your employees, feel the need to help in the battle against a state actor. That is very understandable, but I do not think it is a good idea, for several reasons. There is a big chance you will interfere with legitimate intelligence-gathering or operational actions by organizations that are a lot better at this than you, and you could compromise a carefully built-up position. Even a simple DDoS attack will probably cause the opponent to block all foreign traffic, potentially cutting off access to assets developed over the last years, because while the invasion and the war might be new developments, the cyberwar component has been going on for quite a while. So my advice, as attractive as going out and hacking Russia may sound: don't do it.
Second, participation in such an IT Army may not go unnoticed by the opponent. If your OPSEC (operational security) is not high-end, you expose yourself, and potentially your employer or even your family, to unknown consequences. Anonymization technologies such as Tor are not the full answer here either: Tor hides where your traffic comes from, not the accounts you log into, the metadata in what you publish, or a tool that bypasses the proxy, and outside a hardened browser your browser fingerprint alone is likely to be unique enough to identify you. Check out https://amiunique.org/ to learn more about fingerprinting and to check whether yours is unique. So, unless you really know what you're doing (you probably don't), I would advise staying away from offensive actions that might make you a target.
How to Improve Your Cyber Defense?
Some of our customers are reporting a drastic increase in simple internet scanning, up to 100 times the usual number of events. This might be a diversion tactic, but scanning also exposes weak points that can provide initial entry, such as services without strong authentication or exposed management interfaces. Using default, stolen, or phished credentials is, after all, the most common way of gaining initial access.
If you are struggling to determine your priorities for a better cyber defense during this crisis, Secura has a few pieces of advice for you:
Prevent account abuse
Account abuse can be prevented mainly by requiring Multi-Factor Authentication (MFA) on all external login functionality: VPN, Outlook Web Access, Exchange, Office 365, portals, Citrix, RDP, AWS, Azure, and any other service that currently accepts a username and password. Simply do not allow attackers to enter anywhere with just a password; given the current threat landscape, a password on its own is no longer an adequate security mechanism in 2022. Use an authenticator app such as Google Authenticator, hardware tokens, smart cards, or anything else, but not a password alone. Be aware that SMS codes and push approvals can still be phished or worn down by repeated prompts; where you can, prefer phishing-resistant methods such as FIDO2 security keys or smart cards. Management interfaces should not be exposed to the internet to start with and should be put behind a VPN or an IP allowlist.
Patch your systems ruthlessly
Twenty years ago, it was customary to lag many months in patching and get away with it. These days this is no longer possible, because adversaries have near-real-time insight into your attack surface: a newly published vulnerability in an exposed service is often being scanned for within hours. How to patch as soon as possible without disruption is also the subject of the THESEUS research project that Secura is participating in together with the Vrije Universiteit Amsterdam. Please see https://project-theseus.nl/ for more information on this long-overdue research project.
Inventorize assets, get insight into your attack surface
Making sure your systems are patched, having MFA wherever technically possible (and for *all* users), changing default passwords, and blocking compromised accounts is essential but not easy. It requires a structural review and a search for unknown assets. Most larger organizations struggle even to know what they have exposed on the internet and what it is connected to, let alone to make sure it is secure. It should be a priority for all organizations to map their attack surface, including all those domains and hosts that are not yet included in the regular asset inventories.
Often, when we ask what the scope of our assessment should be, customers provide us with a list of a few IP ranges and some hostnames. In reality, when we start scanning and testing, we usually find many more assets, often with significant vulnerabilities. To protect yourself, you need to know what you own, and you need to monitor it continuously, not just once a year.
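As an added example (not Secura's tooling), here is the kind of check that turns a scan into a work list: it compares scanner output against the inventory you think you have and flags both assets that are not in the inventory and the exposed management interfaces mentioned under "Prevent account abuse". The inventory, address ranges and scan lines are constructed for illustration, and the list of management ports is an assumption to adapt to your own environment.

```python
"""Compare a discovered attack surface against the assets you believe you own.

Added example, not Secura's tooling. The inventory, the address ranges and the
scanner output below are constructed for illustration (documentation ranges).
"""
import ipaddress

# Constructed inventory: the ranges and hostnames the organization knows about.
KNOWN_RANGES = ["203.0.113.0/24"]
KNOWN_HOSTS = {"www.example.com", "mail.example.com"}

# Ports that should sit behind a VPN or IP allowlist rather than face the internet.
# Assumption: a typical starting list; extend it for your own environment.
MANAGEMENT_PORTS = {
    22: "ssh", 23: "telnet", 445: "smb", 1433: "mssql", 3306: "mysql",
    3389: "rdp", 5900: "vnc", 5985: "winrm", 9200: "elasticsearch",
}

# Constructed scanner output in a common "host port/proto service" form.
SCAN_OUTPUT = """\
www.example.com 443/tcp https
www.example.com 22/tcp ssh
203.0.113.10 3389/tcp rdp
203.0.113.22 443/tcp https
198.51.100.7 445/tcp smb
old-staging.example.com 8443/tcp https
mail.example.com 25/tcp smtp
"""


def parse_scan(text):
    """Turn scanner lines into (host, port, proto, service) tuples."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, portproto, *rest = line.split()
        port, _, proto = portproto.partition("/")
        findings.append((host, int(port), proto, rest[0] if rest else ""))
    return findings


def is_known(host, known_ranges, known_hosts):
    """A host is 'known' if it is an inventoried name or an address in an owned range."""
    if host in known_hosts:
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname that is not in the inventory
    return any(addr in ipaddress.ip_network(r) for r in known_ranges)


def triage(findings, known_ranges=KNOWN_RANGES, known_hosts=KNOWN_HOSTS):
    """Split findings into unknown assets and exposed management interfaces."""
    report = {"unknown_assets": [], "exposed_management": []}
    for host, port, proto, service in findings:
        if not is_known(host, known_ranges, known_hosts) and host not in report["unknown_assets"]:
            report["unknown_assets"].append(host)
        if proto == "tcp" and port in MANAGEMENT_PORTS:
            report["exposed_management"].append((host, port, MANAGEMENT_PORTS[port]))
    return report


if __name__ == "__main__":
    result = triage(parse_scan(SCAN_OUTPUT))
    print("Assets not in inventory (add them or take them down):")
    for host in result["unknown_assets"]:
        print("  ", host)
    print("Management interfaces reachable from the internet (move behind VPN/allowlist):")
    for host, port, name in result["exposed_management"]:
        print(f"   {host}:{port} ({name})")
```

On the constructed input this reports two hosts the inventory does not know about (one address outside the owned ranges and one forgotten staging hostname) and three management services reachable from the internet, including one on a host that is in the inventory. Run it against real scanner output on a schedule, not once a year, and feed the unknown hosts back into the inventory.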
Get your defenders organized and informed
Fortunately, the defenders are also coming together and sharing information. Your SOC should be on high alert and looking for indicators of compromise (IOCs). This is not much different from any other situation, but what should you look for? Besides quite a few Twitter feeds, the following sites provide good pointers for your threat hunters:
A list of hacker groups and their perceived or proclaimed allegiances can be found here: https://cyberknow.medium.com/2022-russia-ukraine-war-cyber-group-tracker-update-1-ee3834fb03c, with daily updates on their Twitter: https://twitter.com/Cyberknow20/.
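What "look for IOCs" comes down to in practice, as an added example that is not from this blog or from the trackers linked above: a small matcher that takes a defanged feed (hxxp, [.]), refangs it, and anchors each indicator so that a partial address does not fire. The feed and the log lines are constructed for illustration; real feeds and logs differ in format, but the defanging and boundary problems are the same.

```python
"""Hunt for indicators of compromise (IOCs) in log lines.

Added example, not code from the original blog or from the trackers it links.
The IOC feed and the log lines are constructed for illustration.
"""
import re

# Constructed IOC feed. Public feeds usually "defang" indicators (hxxp, [.], (.))
# so nobody clicks them by accident, which means a naive string match never fires.
IOC_FEED = """\
# type,value
ip,198.51.100.23
domain,update-check[.]example
url,hxxp://cdn(.)example-files[.]net/loader.ps1
sha256,0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
"""

# Constructed proxy, DNS and EDR log lines for the demonstration.
LOG_LINES = """\
2022-02-25T10:01:02Z proxy allow src=10.1.2.3 dst=198.51.100.23 host=www.example.org
2022-02-25T10:02:17Z dns query name=UPDATE-CHECK.EXAMPLE src=10.1.2.4
2022-02-25T10:03:40Z proxy allow src=10.1.2.5 url=http://cdn.example-files.net/loader.ps1
2022-02-25T10:04:01Z edr process=powershell.exe sha256=0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
2022-02-25T10:05:11Z proxy allow src=10.1.2.6 dst=203.0.113.9 host=intranet.example.org
"""


def refang(value):
    """Undo common defanging: hxxp -> http, [.] (.) {.} -> ., [:] -> :, [at] -> @."""
    v = value.strip()
    v = re.sub(r"^hxxp(s?)://", r"http\1://", v, flags=re.IGNORECASE)
    v = re.sub(r"[\[\(\{]\.[\]\)\}]", ".", v)
    v = v.replace("[:]", ":").replace("[at]", "@")
    return v.lower()


def parse_iocs(text):
    """Parse 'type,value' lines into (kind, refanged value) pairs, skipping comments."""
    iocs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, _, value = line.partition(",")
        iocs.append((kind.strip().lower(), refang(value)))
    return iocs


def compile_iocs(iocs):
    """Build one anchored regex per IOC so 198.51.100.23 does not hit 198.51.100.230.

    A domain IOC should also match its subdomains, so a leading '.' is allowed there;
    IPs, URLs and hashes require a clean boundary on both sides.
    """
    compiled = []
    for kind, value in iocs:
        before = r"(?<![\w-])" if kind == "domain" else r"(?<![\w.-])"
        compiled.append((kind, value, re.compile(before + re.escape(value) + r"(?![\w.-])")))
    return compiled


def hunt(log_text, iocs):
    """Return (line_no, kind, value, line) for every log line containing an IOC."""
    compiled = compile_iocs(iocs)
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        lowered = line.lower()  # logs mix case; IOC values are lower-cased by refang()
        for kind, value, rx in compiled:
            if rx.search(lowered):
                hits.append((line_no, kind, value, line))
    return hits


if __name__ == "__main__":
    for line_no, kind, value, line in hunt(LOG_LINES, parse_iocs(IOC_FEED)):
        print(f"line {line_no}: {kind} {value}\n    {line}")
```

The two details worth copying into whatever your SOC actually uses are the refanging step (a feed copied straight into a search box matches nothing) and the boundary anchoring (a bare substring search on an IP or hash produces false positives on longer values, and a domain indicator should still catch its subdomains).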
We will update this blog if and when there are relevant changes. For our customers, please get in touch with your account manager if you have any questions. Stay safe!