Join online with today’s leading executives at the Data Summit on March 9th. Register here.
Strict sanctions against Russia and Vladimir Putin on Ukraine could mean a wave of cyber-attacks for the US and other Western nations in retaliation, cyber experts say, as part of what could become a growing “cyber war.”
Security teams, of course, are constantly on the lookout for Russian attacks – but this time around, the threat could be particularly difficult to spot, experts told VentureBeat.
That is because Russia is believed to be saving some of its best options for a moment like this. Russian software makers are widely believed to have gained a foothold in corporate and government systems through software supply chain breaches such as Solarwinds, Log 4J vulnerabilities, or even the Solarwinds hack – which has not yet come to light.
But they will probably soon. Cyber experts are warning of the growing risk of cyber attacks from Russia in the wake of the ban on booting large Russian banks from the SWIFT financial system. The move essentially prevents Russian banks from conducting international transactions, and follows another round of sanctions on Russia’s invasion of Ukraine, some of which have hit Putin himself.
Supply chain breach
The SWIFT sanctions were previously described as “nuclear alternatives” and are exactly what Putin vowed to retaliate against. And cyber attack is his preferred method of counterattack against the West.
To assess the size and scope of Russia’s military operation in Ukraine, “the attack was planned for years,” said Eric Byres, CTO of cyber firm aDolus Technology. “Efforts to prepare their cyber campaigns will be matched by efforts on the ground, so you know Russia will have the resources for cyber attacks to match their military.”
According to cyber experts, Russian malicious artists – whether in government agencies such as GRU and SVR, or in sympathetic groups such as Conti – have almost certainly tampered with software supply chains that we do not yet know about. And in any cyber warfare maneuver targeting the West, they may choose to use this access.
“I am willing to bet that the Russians did not use a single bullet in their cyber arsenal,” Byrne said in an email.
Revealed in December 2020, the attacks on customers of Solarwinds and its Orion network monitoring platform have been linked to the Russian intelligence agency SVR. The attackers managed to breach the software supply chain and insert malicious code into the application, which was then distributed to thousands of customers as an update.
As a result, the attackers are believed to have had access to a number of companies and government agencies, including FireI, Microsoft and the Departments of Defense, State and Treasury, for nine months.
Notably, however, Solarwinds was not the first major software supply chain attack attributed to Russia, or even the most damaging.
The 2017 NotPetya attack is believed to have originated from a compromise of the accounting application, MeDoc, which was created by a Ukrainian company and was widely used in the country. Malware spread by updating compromised software spread around the world. And it’s the most expensive cyber attack ever, with a loss of $ 10 billion.
Other high-profile supply chain breaches include Kasaya and Kodakov – and according to Aqua Security data, software supply chain attacks increased by more than 300% overall in 2021.
The Russian threat actors have probably committed many such violations which are unknown for now. “The supply chain does not appear in satellite photos like penetration tanks, so we do not really know where the Russian cyber implants are hidden,” Byres said.
In the wake of Russia’s unprovoked attack on Ukraine, the country is stopping using its attack capability in the US to see how hard it will respond with sanctions and support for western Ukraine, Byres said.
Researchers at Cisco Telus are similarly warning of the growing risk of Russian attacks on software supply chains in the wake of Russia’s invasion of Ukraine.
“We evaluate whether these actors will misuse the components of complex systems to achieve their objectives in a targeted environment,” Telus researchers wrote in a blog post. “Past examples of this include the use of Ukrainian tax software to distribute NotPetya malware in 2017 and, more recently, the misuse of SolarWinds to gain access to high-priority targets.”
Experts say that in all likelihood, the Russian dangerous actors behind the Solarwinds attack still have access to the breach in many companies that have so far been unusable, experts say.
The SolarWinds attack “was unique in that the risky actor targeted and gained constant, aggressive access to the enterprise networks of select organizations, their federated identity solutions, and their active directory and Microsoft 365 environment,” said James Turgel, a former 22-year veteran. Of the FBI, and now vice president of the cybersecurity consulting firm Optiv. “The actor used that privileged access to collect and extract sensitive data and built back doors to enable their return.”
Turgel, whose time included serving as executive assistant director for the FBI’s information and technology department, said the risk came from the dangerous actor’s “deep penetration into compromise networks.”
“Unless every server, drive, or compromised device is replaced or re-baseline, due to the high cost and complexity of such a solution, the chances of a complete removal of the malicious code will be low,” he said. “In the absence of full replacement or re-baseline remediation operations, the victims’ enterprise networks and cloud environments will be exposed to a significant risk to recurring and long-term unrecognized Russian threatening actor activity, and those compromised organizations may be re-victimized.” Is. “
After all – with SolarWinds, and even NotPetya – “there may be victims who have been affected by these attacks, and they don’t know it yet,” Turgel said.
Byres agreed, saying it was “certain” that Russia had access to victims of the Solarwinds campaign, of which we were not yet aware.
“In February 2021, I heard a briefing from the G7 Security Agency where the director commented that critical infrastructure companies were still reporting to the agency that they had just discovered Solarwinds software in their system. This was three months after the malware was exposed, “said Byers. “Three months is a lifetime in the cyber world and the Russians will have more than enough time to hide inside the system and cover their tracks.”
Today, Reuters reports that US banks are preparing for a possible cyber attack in exchange for sanctions on Russia, such as SWIFT. The report specifically mentions that for banks, breaking Solarwinds is “a matter of the mind.”
And SolarWinds is “the only campaign we know of,” Bayer said.
For example, Apache Log 4, which was exposed to vulnerabilities in December, was “a Christmas present for the Russians,” he said. “Sensitive software is extensive, and exploitation was easy and powerful.”
Russian agencies have used almost certain vulnerabilities, apparently in the logging software used by almost every company, to gain a foothold in critical systems in the U.S. that they have not yet taken advantage of, Bayer said. (Researchers have noted that larger attacks using Log4j are far less likely than expected.)
In the current overall threat situation, according to Byers, Western companies that have a business relationship with Ukraine are particularly at high risk.
Mersk, for example, noted that the Notepatia attack cost him 300 million. When the shipping firm is based in Denmark, it allegedly used MeDoc accounting software – “which indicates that they have business dealings with Ukraine, a fact that was unpleasant in Moscow,” Bayer said.
And notably, while NotPetya was consistent with the Russia-backed separatist movement in Ukraine, “there was not a fully developed war,” he said. “So anyone who deals with Ukrainian businesses in the West is facing a much bigger risk today in 2017 than Mersk.”
Fighting the fire
That being said, Russia will also consider launching a cyber war against companies that do not deal directly with Ukraine, Byrne said. Putin has made it clear that the entire Western world is his enemy and that all options are on the table, he said.
“Any country and its infrastructure is a fair game for a cyber attack, if Putin understands that he is interfering with his goals,” Byrne said.
If the Russians had succeeded in capturing the whole of Ukraine in just a few days, they would probably have kept cyber weapons in the US infrastructure for a rainy day in the future, he noted. But after recent days of sanctions and the stiff resistance of the expected Ukrainian forces, that calculation may change.
For cyber defenders in the West, “our job is to get these attacks out quickly and get them out before they spread and cause serious damage,” Byres said. “It’s a lot like fighting a forest fire – the effective response is to quickly find a small fire and extinguish it before a big one.”
It can only happen when you have “visibility of both the whole forest and the trees inside that forest,” he said. “Government and company management should be able to see forests and trees in our software supply chain.”
Venturebeat’s mission Digital Town Square is set to become a place for technical decision makers to gain knowledge about the changing enterprise technology and practices. Learn more