The Coming Cyberattack Blitzkrieg – And How To Survive It

Cyberattacks are a known quantity. But analysts are warning that we're not ready for the onslaught that's coming.
16 September 2022

  • Three national governments – outside Ukraine – have been crippled by cyberattacks in 2022 so far.
  • The nature of attacks is changing, from single campaigns to months at a time of incessant attack.
  • Companies – especially enterprise-level companies – are being used as proxy targets in national attacks.

Most cybersecurity analysts in the West understand the way cyberattackers have operated previously – from simple malware and DDoS attacks, to email scams, to ransomware and phishing. A few understand the correlation between world geopolitics and the rise in hardcore gangs of cyberattackers, organized to push causes as well as to hurt both governments and commercial operators.

Few governments or companies though have sensed – or begun to properly prepare for – a potential blitzkrieg of attacks by the cyber-armies now fighting the conflict between Russia and Ukraine.

To get a true sense of the scope of what seems inevitably to be coming, we sat down with Sergey Shykevich, Threat Intelligence Group Manager at Check Point Research.

THQ:

With the Russian invasion of Ukraine, we’ve seen a dramatic rise in cyberattacks against government and military infrastructures, and we’ve seen co-ordinated cyber and real-world attacks in war for the first time. How does this change the nature of warfare going forward?

The Changing Nature of Warfare

SS:

We’re already starting to see consequences, but there are other attacks worth talking about, as well as Ukraine-Russia itself. I think it started with what we saw in Costa Rica. Ransomware group Conti, which is affiliated to the Russian government and started supporting Russia in the Ukraine war, just attacked Costa Rica in April and May. And we classified that attack as country extortion. And the group encrypted 27 governmental agencies in Costa Rica. So that’s a huge attack that covered the whole of Costa Rica for around a month. And it wasn’t “just” a system attack – it also contained a lot of pro-Russia messages, and calls for the people of Costa Rica to take to the streets and rise up against their government, and demand that the US government support Costa Rica in any such uprising.

But there are two examples that are even more blatant. Take the case of Albania. Now, Albania is a NATO member, which is important, because Costa Rica’s a demilitarized country, so it’s nothing special from a defence point of view. But Albania being a NATO member means there are consequences under Clause V. If you attack a NATO member with traditional military power, all of NATO is pledged to swing behind the member country and defend it in the same way.

Since July, Albania’s been suffering extreme cyberattacks from Iran. Iran never took official responsibility, but it was hacktivist groups that are closely connected to Iran, and both Albania and the United States claimed the attacks came from Iran. That was two months of severe attacks that paralyzed the Albanian government. And last weekend, there was a second week of cyberattacks, which this time paralyzed Albania’s border control. And why all this happened is because Albania provided refuge to some Iranian refugees.

So these are clear examples of what has changed about the nature of warfare since the Russian invasion of Ukraine began. Countries and governments understood that this was another weapon in their arsenal – and in the case of Albania, it’s a bit more. If Iran had attacked Albania with traditional military force, it would have required NATO to invoke Clause V, and send military support to a NATO member that was under attack from another army. But because it was “only” a cyberattack, there was a lot of condemnation, but nothing aggressive – nothing like the force of Clause V – happened to Iran.

The Failure of International Law

THQ:

So, cyberattacks are an area where the established rules of international geopolitics don’t yet apply?

SS:

Yes. And I think that’s why Russia – and also, Ukraine – are feeling very free to operate in cyberspace. Russia’s already experienced at hacktivism, but also, Ukraine recruited hackers from all over the world to attack Russia. That sort of thing – the recruiting of an international ‘cyber-army’ to attack another government – never happened before, and it’s happened now because there are no clear rules about what happens in cyberspace.

And then there’s what happened in Montenegro.

THQ:

Wait, hang on – what happened in Montenegro?

SS:

Montenegro’s another NATO member. This summer it was attacked by ransomware – similar to Costa Rica, but this time by a group called Cuba. Again, it’s a Russian-affiliated group, it’s not the Russian government, but a big Russian cybercrime group. But in this case, the Montenegrin government officially claimed that the Russian government was behind the attack.

THQ:

Something is flagged by all this. The West as an entity and Western governments individually, don’t seem to have really appreciated the shift that’s taken place in the scope of cyberwarfare. Is it something we think they’ll wake up to soon?

SS:

Yes, this year I think it will start happening. In fact, I think it’s started to happen, but they’re not fully there yet. There are certainly technological gaps that need filling in the West’s capability to react to this type of attack, and there are many governments and companies in the West that are still not fully prepared, definitely. Again, it’s worth reiterating that the governments of three countries were paralyzed by cyberattacks. This year.

But it’s important that we highlight the point you made. International legislation is extremely far away from where it needs to be on this. The situation with governments is that there are lots of them that are far from where they should be. But the situation with international legislation is much, much worse.

And I think part of the reason for that is that certain players in the cyber environment and industry just don’t want the rules. They prefer not to have any international law ecosystem in cyberspace.

Targets By Proxy

THQ:

Where’s the big danger here? In future cyberattacks against NATO countries and their infrastructure? Or in attacks on corporate entities?

SS:

It’s both. What we’re seeing is that when a group decides to go after a country, in many cases, they don’t differentiate between its governmental and military infrastructure and its big corporate entities. I mean, just last month, pro-Russian groups attacked 27 countries apart from Ukraine. And a major part of their attacks are not aimed at government or military targets. For instance, let’s say we attack Estonia or we attack Japan. Last month, one of the groups launched a big attack on Japan. And yes, it aimed attacks at the government infrastructure of Japan – but it also attacked the second biggest social media platform in Japan too, and they tried to attack ports in Japan. When they attacked Estonia, they went for the big banks – which is an effective way to cripple a country without technically going anywhere near its government or its military. So yes – they’re not differentiating any more. Any company that’s affiliated with a country can be attacked as part of a bigger attack against that country.

THQ:

So companies become targets by proxy?

SS:

Exactly, yes.

What Companies Should Be Doing

THQ:

That being the case, is there a To-Do List of things that companies should be jumping on right now to prepare?

SS:

Oh yes – but it’s not even a case of preparing for “when they will be a target.” They are a target. Right now. Everyone who has any assets on the internet – and most companies today have assets on the internet, it’s how the world works – they’re a target.

So the first thing every company needs to do is to look at how they build their holistic cyberattack prevention strategy. And that strategy needs to cover all the assets they have, and all the media they use to hold them. Because there’s a sense that up until a few years ago, companies would say “We have our network, and if we protect that network, everything will be fine.”

But since Covid-19, that’s changed, because many more of our assets are in clouds, or on remote machines, and staff have access to corporate networks through standard cellphones. So companies need to understand what assets they have and how they’re connected, and there needs to be some deep work done on how you protect all those assets.

Secondly, there’s education. You can’t start telling your people what to do and what not to do when the war starts, so to speak. If you only act when the events start coming, you’re going to be too late. People need to understand the risks every quarter. Every month. Even every day. You’re not out to scare people, but to educate them on the realities of a situation that’s coming.

And the third thing is to build disaster recovery plans. Understand what you can do if the worst happens.

The thing is, CISOs and technologists probably understand the danger. But convincing the board to spend what is, let’s face it, a great deal of money in advance of an incident is extremely hard. As we said, you need to put all this in place before there’s an incident, but it’s much easier to convince a board to do that once there’s been an incident.

THQ:

Catch-22.

How crucial will cross-platform threat intelligence be to doing business in the wake of the war? Will that be a thing that has to become absolutely standard?

The Nature of Future Attacks

SS:

Oh, I think it will be crucial, yes, because right now there’s a separation between people who look in detail at malware, and people who look at cyberstrategy and geopolitics. I think it will become more necessary and more commonplace either for those two groups to talk to one another more coherently, or for groups to be formed within a company that can do both, and produce intelligence that spans both areas, and informs cybersecurity decisions more fluently.

It’ll be a difficult change, because there’s currently a lack of skilled people who can deliver both sides of the equation. But I think it’s important in terms of building the new generation of staff that can do both.

THQ:

Fifth Generation attacks have been seen as something of a nuclear event in cyberattack terms up till now. Are we likely to see a significant rise in this level of attack once the war ends?

SS:

I think these attacks will increase, yes, but more importantly, they’ll stop being single events. You think of them as nuclear events now because they’ve usually only been singular, one day, business-crippling attacks. But we’ve seen what’s coming now. In Costa Rica, it was a month and a half of those attacks.

THQ:

Like a blitzkrieg of nuclear-level cyberattacks. With companies as the proxies for national attacks.

The times, they are a-changing. Companies need to start preparing now for an oncoming war in the cyber-arena, precisely because no international legislation yet exists that treats cyberattacks like military attacks, even though, since the invasion of Ukraine, cyberattacks have increasingly been used to paralyze, destabilize and potentially destroy nations, with their leading enterprises used as proxy pawns in that destabilization.

Is your company ready yet?