The ongoing conflict between Russia and Ukraine poses cyber threats that extend beyond Ukraine's borders across the entire EMEA region. Cyber attacks are an established part of Russia's military arsenal, and threats of retaliation for Western sanctions have featured heavily in the recent rhetoric of Russian leaders.
While any industry or sector is a potential target of Russian cyber warfare, critical infrastructure is particularly vulnerable. This article looks at the threat landscape and assesses whether organizations in industries such as manufacturing, energy, and utilities need to seek improved, advanced cyber protection to mitigate the increased risks.
A Brief History of Modern Russian Cyber Warfare
To get an understanding of Russian cyber attack capabilities on critical infrastructure, it’s worth briefly examining the history of Russian cyber warfare during periods of geopolitical instability.
In 2014, the Russian military invaded and annexed the Crimean Peninsula region of Ukraine. Following the fallout between the two nations over this annexation, Russia began hitting Ukraine's critical infrastructure with cyber attacks.
In December 2015, a multi-stage attack took down part of Ukraine's power grid, leaving roughly 230,000 people without electricity for up to six hours. The attackers, the GRU-linked group tracked as Sandworm, combined spear phishing, the BlackEnergy malware, remote hijacking of operators' SCADA workstations to open breakers, and the disabling of equipment such as UPS units and serial-to-Ethernet converters to slow restoration.
The following year, the Ukrainian Ministry of Finance and State Treasury suffered severe disruptions to IT systems that destroyed data and blocked access to networks. In investigating the attack, security teams identified the same malware as was used a year earlier in the Ukraine power grid hack.
Another damaging attack came in 2017 when Russian hackers hit at least 80 Ukrainian organizations with NotPetya. It presented as ransomware but behaved as a wiper: it encrypted the master file table and overwrote the master boot record with no working recovery path, and it spread initially through a trojanized update of the M.E.Doc accounting software. Affected critical infrastructure organizations included Ukrainian ministries, banks, and even metro systems. Most concerning was the fact that NotPetya took radiation monitoring systems offline at Ukraine's Chernobyl nuclear power plant.
In perhaps a strong indication of what's possible during the current climate, NotPetya spread well beyond Ukraine to several organizations in the EMEA region. Danish shipping group Maersk reported losses of up to $300 million after the malware crippled Maersk's IT network, and it took around nine days to rebuild the company's Active Directory. Other EMEA victims included French construction company Saint-Gobain and German logistics company DHL.
During the current Russia and Ukraine crisis, history has already repeated itself. In February 2022, DDoS attacks knocked offline several Ukrainian government websites that provide critical information to citizens, and the same campaign targeted Ukrainian banks.
The physical invasion was preceded by a cyber campaign that deployed data-wiping malware against Ukrainian organizations. The wiper, named HermeticWiper, was signed with a valid code-signing certificate to help it pass endpoint checks, abuses a legitimate disk-management driver, fragments files on disk, and then overwrites the partition table and file-system structures. Affected systems are left unbootable and, in practice, unrecoverable without a rebuild from backup. At the time of writing there is no sign of this destructive wiper extending beyond the borders of Ukraine, which is fortunate for other EMEA nations.
Likely Attack Vectors in Critical Infrastructure
Increased OT-IT convergence opens many opportunities to optimize processes, improve decision-making, and reduce costs across several critical infrastructure industries. The downside of this convergence is that it widens the attack surface through which threat actors can compromise ICS environments and halt or sabotage the operations that societies depend on.
Despite the complexity of critical infrastructure networks, adversaries typically find their way in through well-trodden paths. Let's look at some of the attack vectors likely to be exploited in any potential Russian cyber attack on EMEA critical infrastructure. Knowing these vectors lets you appraise your current level of protection and strengthen your defenses where they are weakest.
Threat actors regularly find their initial foothold in an organization's infrastructure through phishing emails. These emails are getting more convincing every day, to the point that traditional secure email gateways, and the security-aware business leaders and employees behind them, often fail to catch them. With an abundance of information available from past data leaks and social media, attackers can tailor their phishing emails to specific individuals at organizations responsible for critical infrastructure.
Unpatched vulnerabilities continue to pose significant cybersecurity issues. Organizations that aren't on top of patch management are low-hanging fruit for today's sophisticated hackers. In one pertinent example highlighting the patch management problem in critical infrastructure, 97 percent of the OT devices affected by URGENT/11, a group of vulnerabilities in the VxWorks TCP/IP stack, remained unpatched over a year after security updates were released.
Even in a world where countless government cybersecurity departments recommend strengthening authentication mechanisms, credential compromise still provides hackers with a route into critical infrastructure networks. You don't need to go far back in time to find an example: the 2021 Colonial Pipeline attack started with an employee's VPN credentials that had appeared in a previous data leak, on a VPN account that did not require multi-factor authentication. Industrial protocols and legacy remote-access services that run in cleartext (Telnet, FTP, HTTP, and many fieldbus protocols) also make it easy for a threat actor already on the network to sniff usernames and passwords.
Once inside a critical infrastructure network, the malicious actions used include disabling or manipulating industrial control systems, deleting or destroying important data, taking systems offline with DDoS attacks, and shutting down entire networks.
Steps to Protect Against Increased Risks
So, what are some actions that might make the most difference in protecting critical infrastructure organizations from heightened cyber risks?
- Advanced phishing protection — given that phishing emails are getting more challenging to manually catch, and Russian threat actors are known for their ability to weaponize information, seeking more advanced solutions to detect these emails with AI is a smart move.
- Properly segment your network — a lack of robust network segmentation leads to risky security issues, such as direct communication between ICS and enterprise applications, poorly controlled data flows, and rogue access. Use a secure network architecture built on zones and conduits, ideally with an industrial demilitarized zone (IDMZ) that tightly controls the flow of data across the IT-OT boundary: no enterprise host should reach a controller directly, and data should cross the boundary only through brokered services such as a historian, jump host, or patch server placed in the IDMZ.
- Prioritize patch management — on the IT side this is a quick win that closes vulnerabilities for which security updates already exist. In OT, where patches often wait on vendor certification and maintenance windows, keep an inventory of affected devices, and compensate for the delay with segmentation and strict access control at the boundary until the update can be applied.
- Have a unified security policy — siloed security policies and procedures between OT and IT lead to security gaps that can expose weaknesses, such as default configurations, that let intruders into your network; work to develop a unified security policy that protects both IT and OT through cooperation.
- Rehearse incident response playbooks — the provision of critical infrastructure depends heavily on maintaining availability and integrity. Corporate IT networks can afford a degree of downtime, but extended downtime from cyber attacks on critical infrastructure can affect large swathes of society. Often, responses are slow because incident response playbooks are rarely if ever rehearsed. One of the key lessons learned by Maersk’s CISO after NotPetya was that incident response was far too slow at the company.
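The segmentation recommendation above can be turned into something checkable. The following is an added example, not IRONSCALES code and not a reference implementation of any standard: it encodes a small zone-and-conduit policy for an IT-OT boundary (enterprise, IDMZ, control zone) and audits constructed flow records against it, flagging exactly the direct enterprise-to-ICS traffic that a properly segmented architecture should never carry. The zone ranges, ports, and flow log lines are assumptions made for the illustration.

```python
"""Zone-and-conduit policy check for an IT/OT boundary.

Added example, not IRONSCALES code or any standard's reference implementation.
The zones, conduits, hosts, ports and flow-log lines below are constructed
for illustration only.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zone map: enterprise IT, the industrial DMZ, and the control zone.
ZONES = {
    "enterprise": ip_network("10.10.0.0/16"),
    "idmz": ip_network("10.20.0.0/24"),
    "control": ip_network("192.168.100.0/24"),
}

# Conduits: (source zone, destination zone) -> allowed TCP destination ports.
# Only the IDMZ may talk into the control zone, and only on the services the
# historian needs; enterprise hosts never reach the control zone directly.
CONDUITS = {
    ("enterprise", "idmz"): {443, 3389},  # browse the historian, RDP to jump host
    ("idmz", "control"): {502, 44818},    # Modbus/TCP and EtherNet/IP polling
    ("idmz", "enterprise"): {443},        # historian pushes reports outward
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def zone_of(addr):
    """Return the zone name containing addr, or None for a rogue address."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None


def check_flow(flow):
    """Return (verdict, reason); verdict is 'allow' or 'deny'."""
    s, d = zone_of(flow.src), zone_of(flow.dst)
    if s is None or d is None:
        return "deny", f"address outside any defined zone ({flow.src} -> {flow.dst})"
    if s == d:
        # Intra-zone traffic is not a boundary crossing; out of scope here.
        return "allow", f"intra-zone traffic in {s}"
    allowed = CONDUITS.get((s, d))
    if allowed is None:
        return "deny", f"no conduit from {s} to {d}"
    if flow.proto != "tcp" or flow.dport not in allowed:
        return "deny", f"{flow.proto}/{flow.dport} not permitted on {s}->{d} conduit"
    return "allow", f"{s}->{d} conduit permits tcp/{flow.dport}"


def parse_flow_line(line):
    """Parse one constructed flow-log line of the form '<src> <dst> <proto>/<dport>'."""
    src, dst, svc = line.split()
    proto, port = svc.split("/")
    return Flow(src, dst, int(port), proto)


def audit(lines):
    """Return (flow, reason) pairs for every flow the policy denies."""
    findings = []
    for line in lines:
        flow = parse_flow_line(line)
        verdict, reason = check_flow(flow)
        if verdict == "deny":
            findings.append((flow, reason))
    return findings


# Constructed flow log: two legitimate boundary crossings and four violations
# that a segmented architecture should never see.
SAMPLE_FLOWS = [
    "10.10.5.23 10.20.0.10 tcp/443",      # engineer views historian in the IDMZ
    "10.20.0.10 192.168.100.15 tcp/502",  # historian polls a PLC
    "10.10.5.23 192.168.100.15 tcp/502",  # VIOLATION: enterprise host -> PLC
    "10.10.7.8 192.168.100.20 tcp/22",    # VIOLATION: SSH straight into control
    "192.168.100.15 10.10.5.23 tcp/445",  # VIOLATION: control zone reaching SMB
    "172.16.9.9 192.168.100.15 tcp/502",  # VIOLATION: address in no defined zone
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"DENY {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}: {reason}")
```

In practice the same policy table drives two things: the firewall rule set at the IDMZ, and a detection rule run over exported flow logs so that any boundary crossing the firewall should have blocked (or a rogue address such as the last line) raises an alert rather than going unnoticed.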
Continued sanctions damaging the Russian economy make it increasingly likely that the current crisis will see cyber attacks on EMEA nations. While the cybersecurity risk landscape is undoubtedly heightened, and Russia possesses significant capabilities to cause damage with cyber attacks on critical infrastructure, it is possible to protect your organization.
Recent history shows that the attack vectors in even the most sophisticated attacks still exploit the same basic security flaws. By reassessing your current security posture, you can flag areas that might benefit from improvement as outlined above and defend against any Russian escalation of cyber warfare into the EMEA region.
To learn more about IRONSCALES’ award-winning anti-phishing solution, please sign up for a demo today at ironscales.com/get-a-demo.