The Russia-Ukraine war and its cyber implications has heightened government and business awareness around the world. But how real is the threat now? We haven't seen widespread ransomware attacks and we haven't hear about any mass/major compromise campaigns against U.S. entities like SolarWinds.
We sat down with Gary De Mercurio, VP, Global Practice Lead, Trustwave SpiderLabs to cover all the implications of the cyber threat posed by Russia.
The general notion is the Russian invasion of Ukraine was not accompanied by any major cyberattacks. Is that true?
Gary De Mercurio:
We should also take a minute to refine the definition of what comprises a "major cyberattack." Typically, a sophisticated attack isn't one that simply sends and then executes a malicious payload. Yes, that happens, and yes, it can be devastating for a company or utility, but a truly major attack is one that lurks in multiple network locations, waiting for a specific moment to rear its ugly head. The backbone of any really nasty cyberattack is when it propagates through networks with the attacker hoping this process lasts for a long time resulting in the malware spreading widely through its victim.
What are the cyber risks to businesses and which organizations are more likely to be targeted?
Gary De Mercurio: I know this is a common refrain in cybersecurity circles, but the statement is true (especially for high-value targets). It's not if the attacker will get in; it's when.
When a nation-state targets businesses or organizations it is usually just a matter of time before they are breached, unless the target has an excellent security team and has been practicing solid cyber defense. A nation-state just has too many resources.
Because a successful attack is likely, the most important aspect of an organization's defensive posture should be how quickly it can locate the attackers and mitigate the attack's effects. If an organization's security isn't great, then the attacker will gain access to valuable data and then most likely lock down your systems and hold you for ransom to make additional money.
When it comes to which businesses are higher on an adversary's hit list, it varies. But take China, for example. Anything that China feels can give it an advantage in manufacturing is most likely a target.
If your company has something a nation-state could benefit from by stealing or destroying, you could be a target. For example, suppose your organization has money, information in the form of PII, customer data, supply chain logistics information for high-value customers, or anything that could help piece a puzzle together for the attacker to better copy, steal, or destroy – a nation-state attacker will likely target your organization.
The other important angle for companies to remember is the threat vector does not always come through the Internet. There are insider threats and the physical aspect to maintaining security.
Such attacks often resemble corporate espionage -- finding someone with gambling debts who is an engineer with access to data and paying that person $10,000 to exfiltrate data. Or a nation-state actor may just walk into a facility and take photos of a process or procedure, parts or machinery, etc. This type of attack is real and happens more often than people want to acknowledge.
How should your cybersecurity strategy reflect the current landscape?
Gary De Mercurio: The best strategy for defending against nation-state threats is to take a holistic approach to security, being prepared, and having a plan.
As we just discussed, organizations must realize that security doesn't simply stop at an external firewall or networks – it goes well beyond that to all aspects of security – including physical.
Organizations should conduct frequent security testing, employee awareness training, and performing Red Team exercises to ensure that any gaps in their security posture are found and filled. These exercises shouldn't be done on just an annual or quarterly basis; they must be consistent.
What's the risk of a major cyber-attack similar to NotPetya being launched by a nation-state?
Gary De Mercurio: There is a massive risk of a nation-state launching a major cyberattack similar to NotPetya. In fact, it's almost a guarantee. When a nation-state tool like NotPetya is released, it has officially "entered the wild."
Every criminal, cybersecurity researcher, "script kiddie" and wannabe hacker will try to get their hands on it and weaponize it for their own use.
This is dangerous for many reasons.
The cyber warfare landscape differs from a real-life battlefield. In a shooting war, when an adversary comes out with a new weapon, it can take months or years of engineering, manufacturing, and delivery before you can copy and use that weapon. In the cyber world, adversaries can copy tactics and techniques to leverage the weapon on the same day. Nation-state attacks simply put new weapons in every criminal's hand every time they drop a new zero-day or exploit like NotPetya.
However, the risk of an attack with a specific tool created by a nation-state on your specific company isn't what you should be worried about. It's the fallout from that attack. It's what happens after that tool is weaponized. Every nation-state is now using it, every hacker collective, every state-sponsored group. They all now have that tool and will throw it at anyone with information or money.
Which nation poses the biggest risk? Should we be solely focused on Russia during this time?
Gary De Mercurio: Hands down, China is the most significant risk for IP and information theft.
Russia is typically more politically and financially driven, and many of its attacks are from financially motivated government-sponsored groups. Again, it's not about major organizations being targeted by Russia. Trying to understand the political and economic drivers behind a nation is near impossible, especially when those drivers are mixed with a sponsored group that is money driven.
Pure capability, however, overwhelmingly resides with China, partially due to the massive state-sponsored groups they have relationships with and the foothold in manufacturing. Back doors galore have been found in Chinese manufactured computer components. They often don't need to hack any organizations; we've already let them right in.
In the end, what poses the largest threat is an organization's lack of installing real holistic security, and the basic understanding that every weapon released is another weapon others will use.