Illusive Blog May 17, 2022

Webinar Recap: What is the Cybersecurity Risk of the Russian/Ukrainian War?

By Mark Jaffe

Illusive recently hosted a webinar, The Russian/Ukrainian War’s Cybersecurity Impact, featuring Charles Carmakal, SVP & CTO of Mandiant, and Ofer Israeli, CEO and Founder of Illusive Networks.

In this webinar they had a lively and thought-provoking discussion covering:

  • The real and immediate cyber threats arising from the conflict
  • How the threat landscape has changed since the conflict started, and may continue to change in the coming year
  • The pressure put on security teams to be on high alert without knowing when the conflict will end

Some key highlights and takeaways from the webinar include:

Where are Russian Cyberattacks Targeting?

Carmakal said that today the majority of attacks are centered in Ukraine, on both government and commercial infrastructure. Interestingly, the Russians are deploying “hybrid attacks,” which attack communications infrastructure in parallel with the physical invasion.

He went on to say that in the Western world there has been a lot of conversation anticipating destructive attacks on banking organizations, energy organizations or other critical infrastructure, but the good news is that they haven’t seen anything very disruptive or destructive to date.

What is being seen though is a lot of poking and prodding, a lot of scanning by threat actors that they know are affiliated with the Russian government, and a lot of the attacks are noisy and somewhat basic right now, which could be deliberate. It is pretty uncharacteristic for Russian government threat actors to conduct intrusion activities or scanning that’s really loud and noisy. A lot of times when you have loud and noisy scanning, organizations think it can’t possibly be the Russian government, given this is not their usual behavior. He believes it is possible they are operating this way because by being noisy, people won’t think it is actually them.

What we are not seeing are large and sophisticated attacks against entities in the United States, and that is good news, but we are all anticipating that it may very well happen at some point in time.

What are the Tools, Tactics and Procedures (TTPs) of Russian Cyberattacks?

Attacks we are seeing today look and feel like what we usually see, but the end goal is different. The attackers are not seeking to steal or extort money; their goal is to cause chaos and destruction and interrupt communications.

The #1 way they are getting in is no longer through phishing emails; it is through the exploitation of vulnerabilities and misconfigurations. It has been interesting to see the shift: organizations as a whole are getting better at blocking phishing emails. There has been a focus on escalating privileges and moving around the network; vulnerable identities, such as cached RDP credentials, are the first stepping stone toward the ultimate target, the domain controller.

Another way they get in is through abusing weak, easily guessable or commonly used passwords. That is one reason it is so concerning that 62% of local admin passwords haven’t been changed in more than a year.

People often ask about Multi Factor Authentication (MFA), and we know that threat actors are abusing MFA as well – they basically spam MFA pushes until someone mistakenly accepts the push.
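As an added illustration (not code from the webinar or from Illusive), here is a small detection check for the MFA push-spam pattern described above: it reads constructed authentication log lines and flags any user who receives several push challenges in a short window and then approves one. The log format and the `min_pushes`/`window` thresholds are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data): timestamp, user, factor, outcome.
SAMPLE_LOG = """\
2022-05-10T08:01:02Z alice push DENIED
2022-05-10T08:01:40Z alice push DENIED
2022-05-10T08:02:15Z alice push DENIED
2022-05-10T08:02:50Z alice push TIMEOUT
2022-05-10T08:03:30Z alice push APPROVED
2022-05-10T09:15:00Z bob push APPROVED
2022-05-10T11:00:00Z carol push DENIED
2022-05-10T11:00:45Z carol push DENIED
"""


def parse_log(text):
    """Parse lines of the constructed format into (time, user, outcome) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, _factor, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, outcome))
    return events


def find_push_fatigue(events, min_pushes=3, window=timedelta(minutes=5)):
    """Return {user: push_count} for users who received >= min_pushes challenges
    within `window` and then approved one.

    A burst of denied/timed-out pushes ending in an approval is the fatigue
    signature. A lone approval (bob) is normal; repeated denials with no
    approval (carol) are not flagged here but still deserve a look.
    """
    by_user = defaultdict(list)
    for when, user, outcome in sorted(events):
        by_user[user].append((when, outcome))
    flagged = {}
    for user, pushes in by_user.items():
        for i, (when, outcome) in enumerate(pushes):
            if outcome != "APPROVED":
                continue
            # Pushes to this user (including the approval) inside the window.
            recent = [p for p in pushes[: i + 1] if when - p[0] <= window]
            if len(recent) >= min_pushes:
                flagged[user] = len(recent)
                break
    return flagged


if __name__ == "__main__":
    print(find_push_fatigue(parse_log(SAMPLE_LOG)))  # {'alice': 5}
```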

Essentially, most threat actors look for the path of least resistance to get into an organization.

How Can Organizations Prepare for Future Cyber Attacks?

No question, security professionals are fatigued. The anticipation of attacks is putting stress on security teams and when the threat doesn’t come to fruition it may seem the effort wasn’t worth it. We are all very fortunate that we haven’t seen large scale and widespread attacks across the world, but we must be realistic that we will see some attacks, so we need to prepare and stay vigilant.

The lines between nation state attacks and ransomware are blurring. We’ve seen North Korea directly engaged in ransomware attacks. Russia could be forced to engage in similar tactics as it becomes more isolated. Another possibility is ransomware attacks that are impossible to pay, essentially a destructive attack masquerading as financially motivated.

But regardless of the threat actor or their motivation, it all comes back to identity. Privileged identities have become the primary target for cyberattacks to escalate privileges, establish persistence, and to take over the entire domain.

As security professionals struggle with the stress of imminent attacks, they may be overwhelmed by noisy alert systems, a symptom of weak cybersecurity hygiene. Leveraging an identity risk management solution, such as Illusive Spotlight™, enables organizations to automatically and continuously discover and remove vulnerable identity risks, which can help minimize some of this fatigue.

We encourage you to watch the full webinar here!