Business Continuity Management / Disaster Recovery , Critical Infrastructure Security , Cybercrime

Cyberattack Spillover From Ukraine: Be Prepared, UK Warns

'Malicious Russian Behavior' Targeting Ukraine Has Previously Had Global Impact
Hard drive infected with destructive BootPatch malware component (Source: CERT-UA)

All organizations in Britain are being urged to immediately bolster their business resilience capabilities due to an increased risk of fallout from cyberattacks targeting Ukraine. Specific guidance includes ensuring that all systems are patched and covered by a working backup and recovery plan, among other recommendations.


The alert from Britain's National Cyber Security Center comes as 100,000 Russian troops remain massed on the border with Ukraine in advance of a potential invasion. Since last December, cybersecurity experts have been warning of a rise in cyber intrusions seeking to disrupt or infiltrate Ukrainian systems, as Russian President Vladimir Putin has publicly decried moves by Ukraine to join NATO.

The NCSC, which is part of Britain's security, intelligence and cyber agency GCHQ, warns that while it knows of no imminent online attacks that might directly target Britain, "malicious cyber incidents in and around Ukraine" could nevertheless cause damage to U.K. organizations.

"While we are unaware of any specific cyberthreats to U.K. organizations in relation to events in Ukraine, we are monitoring the situation closely and it is vital that organizations follow the guidance to ensure they are resilient," says Paul Chichester, the NCSC's director of operations.

Security experts say such alerts from government cybersecurity agencies should be treated seriously. "NCSC are not known for issuing these types of notices en masse and if you see one, it's worth taking notice," says cybersecurity expert Alan Woodward, a visiting professor in the University of Surrey's computer science department. "The reason for warning people now, even though there may be no specific threat identified, is that if matters escalate, there will be no time to prepare: You need to be ready now even if it's never needed."

The NCSC's alert follows one that was reportedly issued Sunday by the U.S. Department of Homeland Security to domestic law enforcement agencies, warning that Russia's "threshold for conducting disruptive or destructive cyberattacks … remains very high."

The alert says: "We assess that Russia would consider initiating a cyberattack against the Homeland if it perceived a U.S. or NATO response to a possible Russian invasion of Ukraine threatened its long-term national security."

No Warning of Imminent, Direct Attack on UK

The British alert avoids warning of any direct attack on the U.K. by Russia.

"Let's be clear what the government's not saying: It's not saying that there's an imminent, devastating cyberattack on its way from Russia," Ciaran Martin, who served as the head of NCSC until 2020, told Britain's Times Radio on Friday. "It explicitly says there's no specific intelligence or threat information to that effect."

Rather, he says, the NCSC's alert offers "sensible advice at a heightened time of geopolitical tension."

In terms of the best next actions for organizations to take to defend themselves, "there's all sorts of good advice on the government's website," Martin, who's now a professor of practice at the Blavatnik School of Government at Oxford University, told Times Radio. "But the one thing that stands out is: How would you withstand the loss of a key network? What could you do until you got it back? Are you completely stuffed or have you got a plan? And that's a really, really good test, which I think everybody can understand."

Many experts say it's unlikely that Russia would directly target NATO with cyberattacks. But any cyberattacks Russia might launch against Ukraine, combined with the fog of war, could provide cover for malicious online activity by other nation-state groups and crime gangs.

"You wouldn't invade Ukraine using just cyberattacks, but if the tanks do roll, then in the smoke of battle, some others might take advantage with attacks whilst we're all distracted," Woodward says.

Legacy of NotPetya

Previous cyberattacks against Ukraine that Western intelligence agencies have attributed to Russia have included attacks on the power grid in 2015 and 2016 that left parts of the country without power in the dead of winter.

In 2017, another attack, involving the destructive NotPetya malware disguised as ransomware, left infected systems unrecoverable. The attack involved subverting an update server for a legitimate, widely used piece of accounting software developed by a Ukrainian firm. A Trojanized update for the software was issued containing the malware, which was then triggered.

NotPetya outbreak ground zero: Kyiv-based servers hosting M.E. Doc software updates (Source: Ukrainian police)

The resulting malware outbreak spread globally, taking out systems at organizations such as FedEx, Danish shipping giant Maersk and pharmaceutical firm Merck, causing an estimated $10 billion in commercial damages.

"At one point, a large number of the world's merchant ships were being controlled by WhatsApp and other emergency means, because the systems were down," Martin told Times Radio.

The U.K. and others also attributed a 2019 attack against the Eastern European country of Georgia to Russia's GRU military intelligence agency.

"The GRU carried out large-scale, disruptive cyber-attacks," the NCSC said in a February 2020 alert. "These were against a range of Georgian web hosting providers and resulted in websites being defaced, including sites belonging to the Georgian Government, courts, non-government organizations, media and businesses, and also interrupted the service of several national broadcasters."

Ukraine Hit by WhisperGate Malware

A fresh wiper attack against Ukraine was seen earlier this month, although it has not been officially attributed to Russia.

Starting on Jan. 13, multiple Ukrainian government websites were defaced and some systems were destroyed by wiper malware. Security researchers subsequently reported that the affected systems appear to have been infiltrated in late summer 2021. "The wiper malware was deployed several months after initial access was secured, depending on the network," said Matt Olney, director of threat intelligence and interdiction at Cisco Talos.

"Be afraid and expect the worst," read a graphic posted to defaced Ukrainian websites. (Source: CERT-UA)

The Ukrainian government's computer emergency response team, CERT-UA, on Wednesday issued a report into the attacks, dubbed "Operation Bleeding Bear," saying WhisperGate malware was used to target the sites. The malware, it says, deployed two components: BootPatch and WhisperKill (see: Teardown: Fake Ransomware Targeting Ukrainian Government).

BootPatch is a malicious program written in C that overwrites the master boot record, or MBR, of a hard disk. "The malware displays a ransom message and distorts the data by overwriting every 199th sector on the hard disk with a corresponding message," CERT-UA says. Rather than being ransomware, however, it says the malware is designed to leave systems unrecoverable.
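The MBR tampering CERT-UA describes can be caught by a routine integrity check on sector 0 of each boot disk: compare its hash against a baseline recorded when the machine was known-good, and confirm the boot signature and partition table still look sane. The script below is an added example written for this article, not code from CERT-UA or the NCSC; the sample "healthy" and "tampered" sectors are constructed inline, and `read_sector0` is a hypothetical helper showing how the check would be fed from a real device.

```python
import hashlib

SECTOR_SIZE = 512
MBR_SIGNATURE = b"\x55\xaa"  # bytes 510-511 of a valid MBR


def build_sample_mbr(boot_code: bytes, partition_table: bytes) -> bytes:
    """Constructed sample MBR: 446 bytes of boot code, a 64-byte partition table, 0x55AA."""
    assert len(partition_table) == 64
    boot_code = boot_code[:446].ljust(446, b"\x00")
    return boot_code + partition_table + MBR_SIGNATURE


def read_sector0(device_path: str) -> bytes:
    """Hypothetical helper: read the first sector of a raw block device (needs root)."""
    with open(device_path, "rb") as dev:
        return dev.read(SECTOR_SIZE)


def check_mbr(sector0: bytes, baseline_sha256: str) -> dict:
    """Compare a captured sector 0 against the known-good baseline hash and structural checks."""
    findings = {}
    findings["size_ok"] = len(sector0) == SECTOR_SIZE
    findings["signature_ok"] = sector0[510:512] == MBR_SIGNATURE
    findings["hash_matches_baseline"] = hashlib.sha256(sector0).hexdigest() == baseline_sha256
    # Each of the four 16-byte partition entries starts with a boot indicator of 0x00 or 0x80;
    # anything else means the table has been overwritten.
    entries = [sector0[446 + 16 * i: 446 + 16 * (i + 1)] for i in range(4)]
    findings["partition_flags_ok"] = all(e[0] in (0x00, 0x80) for e in entries)
    findings["tampered"] = not (
        findings["signature_ok"]
        and findings["hash_matches_baseline"]
        and findings["partition_flags_ok"]
    )
    return findings


# Constructed sample data: one bootable partition entry, three empty ones.
HEALTHY_TABLE = (b"\x80" + b"\x00" * 15) + b"\x00" * 48
HEALTHY_MBR = build_sample_mbr(b"\xeb\x63\x90" + b"\x00" * 443, HEALTHY_TABLE)
BASELINE_SHA256 = hashlib.sha256(HEALTHY_MBR).hexdigest()  # recorded while known-good

# Constructed "tampered" sector: boot code and table replaced by ASCII text, signature gone.
TAMPERED_MBR = (b"SAMPLE TEXT OVERWRITE " * 24)[:SECTOR_SIZE]


def demo() -> tuple:
    """Run the check on both constructed samples; returns (healthy_findings, tampered_findings)."""
    return check_mbr(HEALTHY_MBR, BASELINE_SHA256), check_mbr(TAMPERED_MBR, BASELINE_SHA256)


if __name__ == "__main__":
    for label, result in zip(("healthy", "tampered"), demo()):
        print(label, result)
```

In practice the baseline hash is recorded during provisioning and stored off-host; the check is then scheduled (or run from a boot-time agent) and any `tampered` result is raised as an alert rather than only printed.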

WhisperKill, meanwhile, is "commodity malware," also written in C, that installs itself in memory, deletes the .NET code that installed it and then overwrites a number of different file types, CERT-UA says.

List of file extensions overwritten by WhisperKill (Source: CERT-UA)

"Over several years, we have observed a pattern of malicious Russian behavior in cyberspace," NCSC's Chichester says. He adds that the recent "incidents in Ukraine bear the hallmarks of similar Russian activity we have observed before."

One risk posed by such attacks is that they could again spread beyond the systems that were targeted.

Actionable Steps

The NCSC offers extensive advice on its website about how to bolster defenses. Just some of the actions organizations should be taking now, NCSC says, include:

  • Keeping all systems patched and updated with security fixes;
  • Improving access controls and enabling multifactor authentication;
  • Implementing and maintaining an effective incident response plan;
  • Ensuring all backup and restore mechanisms are working;
  • Continually reviewing all online defenses to ensure they're working as anticipated;
  • Keeping a close eye on "the latest threat and mitigation information."
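"Ensuring all backup and restore mechanisms are working" means actually restoring and checking, not just confirming that a backup job ran. The following restore drill is an added example, not NCSC guidance or code: it records a SHA-256 manifest of the source tree at backup time, restores into a separate directory, and reports files that came back missing or with different contents. The sample files, the simulated corruption and the deleted file are all constructed inside `demo()`.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backup sets do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map relative path -> SHA-256 for every regular file under root (taken at backup time)."""
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(restored_root: Path, manifest: dict) -> dict:
    """Compare a restored tree against the manifest; a drill passes only with nothing missing or changed."""
    restored = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(restored))
    extra = sorted(set(restored) - set(manifest))
    corrupted = sorted(p for p in manifest if p in restored and restored[p] != manifest[p])
    return {
        "ok": not (missing or corrupted),
        "missing": missing,
        "corrupted": corrupted,
        "extra": extra,
    }


def demo() -> dict:
    """Constructed drill: back up two files, restore them, then damage the restore and verify."""
    work = Path(tempfile.mkdtemp(prefix="restore-drill-"))
    try:
        source = work / "source"
        (source / "finance").mkdir(parents=True)
        (source / "finance" / "ledger.csv").write_text("id,amount\n1,100\n")
        (source / "config.ini").write_text("[db]\nhost=db01\n")
        manifest = build_manifest(source)  # recorded when the backup is taken

        restored = work / "restored"
        shutil.copytree(source, restored)  # stands in for the real restore step
        (restored / "finance" / "ledger.csv").write_text("id,amount\n1,999\n")  # simulated corruption
        (restored / "config.ini").unlink()  # simulated file lost from the backup
        return verify_restore(restored, manifest)
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The manifest must be stored separately from the backup it describes; if both live on the same media, a wiper that reaches the backup can also remove the evidence that it is incomplete.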

The NCSC alert also urges any British organization that falls victim to an online attack to notify its incident management team.


About the Author

Mathew J. Schwartz


Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
