IT Directors and CEOs: What to expect in terms of cybersecurity following the current military conflict between Russia and Ukraine
An increase in cyber-attacks has been observed since the start of the military conflict between Russia and Ukraine. A growing number of attacks has been recorded since February 23rd, targeting primarily Ukrainian infrastructure, which pushed the Ukrainian authorities to seek help from volunteers in order to respond to them.
As an IT Director or Manager, you have probably asked yourself the following questions:
- Could this conflict have an impact on Canada in terms of cyber-attacks?
- If so, which attacks are most likely to target Canadian organizations?
- Will I be targeted? What could happen to my organization?
- Am I prepared enough if any cyber-attack targets my organization?
In this article, we will review the potential threats to Canadian organizations and suggest some solutions to mitigate them.
Canada and NATO countries to be targeted by cyber attacks
In terms of cybersecurity, Canada, like many other NATO countries, has always been one of the principal targets of Russian hackers. It is now becoming clear that attacks on Canadian organizations (and on those of many other countries) are likely to increase as a result of the sanctions imposed on Russia.
Canada will not be an exception: all NATO countries will observe an acceleration of cyber-attacks targeting their organizations.
Which organizations are likely to be targeted?
Canadian critical infrastructure (private and public) will be the primary target, including but not limited to power providers, financial institutions, manufacturers, pharmaceuticals, the high-tech design industry and transportation.
Cyber attacks against a country's infrastructure can have a major impact, as seen in previous military conflicts involving Russia: for example, the massive attack targeting Georgia in 2019, or the more recent one against Ukraine on February 23, 2022, in which a new malicious data-wiping tool named HermeticWiper was involved.
Organizations active in R&D in advanced fields, including universities and research centres, will also be targeted. Given the general confusion, it is a good opportunity to try to steal intellectual property with impunity.
Government computer networks are second on the list of potential targets. Governments are currently on high alert for attacks related to this military conflict.
Finally, all other organizations will be exposed to random, much more sophisticated attacks, and we should expect more victims of cyber attacks in the days to come.
Ransomware will be the number one threat
A significant increase in ransomware cases is to be expected. The more sanctions are imposed on Russia, the more attacks there will be. The ransom amounts demanded are also expected to increase. It is a safe bet that the attackers will not provide the data decryption keys even when the ransom is paid.
Distributed denial of service (DDoS) attacks will also be observed, particularly against critical infrastructure and government computer networks and websites. Defacement of government websites could also be observed.
The risk of intrusions to seize intellectual property is also high.
Finally, some attacks will aim to take control of critical computer networks and maintain persistence (continuous access). This access could be used for future actions.
What to expect if Russia is excluded from the SWIFT interbank network
If Russia is removed from the SWIFT interbank network, ransom amounts will increase, as the goal will be to do as much damage as possible to organizations in NATO countries. In that case, there will be no point in trying to negotiate a ransom payment: you simply will not receive the decryption keys.
As collateral victims, the financial institutions of NATO countries will be favoured targets, and we could see DDoS attacks or website defacements against them.
Who will attack the organizations of the NATO countries?
Attacks will be launched mainly by the Russian government or affiliated organizations, but they will not be the only ones. Russian or pro-Russian hacker groups will also be on the front line. We will see targeted attacks, especially against the critical infrastructure of NATO governments and their allies. For example, the notorious ransomware group Conti has stated that it is prepared to attack critical infrastructure in support of Russia.
Countries that are active in cyberattacks, such as China, could also take advantage of the confusion to accelerate the pace, especially by launching attacks to gain access to the intellectual property they covet. After all, with Russia likely to be blamed for all the cyberattacks currently taking place, such actors can fly under the radar.
Finally, there will be all those known and unknown hacker and cybercriminal groups (ransomware distributors, etc.) who will take advantage of the opportunity to increase their pace.
A possible response from NATO countries
The U.S. is preparing a response plan in case Russian cyberattacks accelerate. Options presented include disrupting the internet throughout Russia, cutting off electricity and stopping trains on their tracks.
Other NATO countries could also consider setting up response plans.
Note also that the famous hacker group Anonymous has decided to declare a cyberwar against Russia. Others could follow suit.
Everything will depend on how the situation develops.
What does your organization need to do to protect itself in the current period
Here's what you need to do to minimize your security risks during this time:
- The urgency of making data backups: in view of the high risk of cyberattacks, especially ransomware, we strongly recommend that companies back up their data and keep a copy offline, disconnected from the network so that a ransomware infection cannot reach it.
- Deploy intrusion detection capabilities (IDS/IPS/NDR) and monitor your network security 24/7, at least until the end of the military conflict.
- Assess your level of exposure: if your organization is considered critical infrastructure, your exposure is high; otherwise, your risk level is medium.
- Stay alert and monitor the situation.
- Note that not all cyber attacks will come from Russia.
- Follow the recommendations of Canadian authorities, including the Communications Security Establishment of Canada.
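A backup is only useful if it is intact and recent when you need it. As an added example, not part of this article or of StreamScan's tooling, the following Python script shows the check a practitioner would run on the backup copy recommended above: a hash manifest taken at backup time detects a copy that has since been silently overwritten (as a ransomware run over a mounted backup share would do) or deleted, and a timestamp check flags a copy too old to restore from. The file names, contents and age limit in `demo()` are constructed for illustration.

```python
"""Added example (not StreamScan's code): verify that a backup copy is intact
and recent enough to be restored after a ransomware incident."""
import hashlib
import shutil
import tempfile
import time
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(source: Path) -> dict:
    """Record the hash of every file under `source` and when the backup was taken.
    Store this manifest with the offline copy, not on the production network."""
    files = {str(p.relative_to(source)): sha256_of(p)
             for p in sorted(source.rglob("*")) if p.is_file()}
    return {"taken_at": time.time(), "files": files}


def verify_backup(backup: Path, manifest: dict, max_age_seconds: int, now=None) -> dict:
    """Compare a backup copy against its manifest.
    Returns the missing files, the files whose hash no longer matches
    (e.g. encrypted by ransomware), and whether the backup is older than
    the allowed recovery point."""
    now = time.time() if now is None else now
    report = {"missing": [], "corrupted": [], "stale": False}
    for rel, expected in manifest["files"].items():
        p = backup / rel
        if not p.is_file():
            report["missing"].append(rel)
        elif sha256_of(p) != expected:
            report["corrupted"].append(rel)
    report["stale"] = (now - manifest["taken_at"]) > max_age_seconds
    report["ok"] = not (report["missing"] or report["corrupted"] or report["stale"])
    return report


def demo() -> dict:
    """Constructed scenario: a clean copy, then the same copy after one file is
    overwritten and another deleted, then a copy checked against a 60 s age limit."""
    root = Path(tempfile.mkdtemp())
    src, bak = root / "data", root / "backup"
    src.mkdir()
    (src / "ledger.csv").write_text("id,amount\n1,100\n")   # constructed sample data
    (src / "notes.txt").write_text("quarterly review\n")    # constructed sample data
    manifest = build_manifest(src)
    shutil.copytree(src, bak)
    clean = verify_backup(bak, manifest, max_age_seconds=86400)
    (bak / "ledger.csv").write_bytes(b"\x00encrypted\x00")  # simulate ransomware
    (bak / "notes.txt").unlink()                            # simulate deletion
    damaged = verify_backup(bak, manifest, max_age_seconds=86400)
    # Hypothetical clock one hour after the backup, with a 60 s recovery point.
    stale = verify_backup(src, manifest, max_age_seconds=60,
                          now=manifest["taken_at"] + 3600)
    shutil.rmtree(root)
    return {"clean": clean, "damaged": damaged, "stale": stale}


if __name__ == "__main__":
    for name, report in demo().items():
        print(name, report)
```

Run the check from a host that is not domain-joined and that only reads the backup medium; if the manifest itself lives on the same share as the backup, an attacker who encrypts the share can regenerate it, which is why the manifest belongs with the offline copy.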
Do not forget that traditional cybercrime also continues to exist
Obviously, cyberattacks launched by traditional malicious actors will continue to exist. Organizations will continue to fall victim to ransomware, phishing and other types of intrusions unrelated to Russia or the current military conflict.
As an example, the Alouette aluminum smelter in Sept-Îles experienced a major cyber attack on the night of Thursday 24 to Friday 25 February 2022. It would be very tempting to attribute this attack to Russia, as has been seen in the media, but as things stand there is no proof.
So it would be a mistake to focus only on Russia at the moment and put traditional malicious actors on the back burner. Don't forget that the majority of cyber attacks are launched by bots and automated scanners that scan the Internet 24/7 looking for vulnerabilities to exploit.
You may not be covered by your cyber insurance during this period of military conflict
If you have cyber insurance, we strongly recommend that you check with your insurer whether you are covered for cyber attacks that take place during exceptional times like the ones we are experiencing right now. Several organizations that were victims of ransomware during COVID-19 were denied compensation by their insurers on the grounds that COVID-19 was a force majeure event.
The current military conflict can easily be interpreted as force majeure by insurers. It is therefore important to know what to expect if you happen to be the victim of a cyber attack.
What steps does StreamScan take to protect its customers?
- We have set up a crisis cell that supports our Threat Intelligence team to monitor the situation (from a cybersecurity perspective). If at any time we feel that action is needed to strengthen the security of your IT infrastructure, we will alert you and help you do so.
- Our MDR monitoring team maintains a heightened level of vigilance and surveillance of your network security, 24/7.
- We will continuously share new relevant information with you if the level of attack increases.
How can Streamscan help you?
If you would like to assess your level of exposure during the current conflict, or strengthen your level of cybersecurity to minimize the risk of being hacked, talk to one of our experts.