Cybersecurity lessons: Ongoing Russia-Ukraine conflict

The ongoing situation in Ukraine is deeply concerning, and our thoughts go out to those affected. While the physical aspects of the conflict appear to be largely localised, an elaborate cybersecurity play exists in the virtual space, targeting government entities, financial institutions and critical infrastructure.

Singtel’s Cybersecurity Threat Intelligence has been tracking and analysing these developments to shed light on the evolution and modus operandi of these cyberthreats and the implications that they could have for enterprises.

According to our threat monitoring services, the cyberattacks could have started back in October 2021 with the use of off-the-shelf tools to exfiltrate sensitive data, gain access to critical infrastructure and maintain persistence before following up with lateral movement within the target IT environment or infrastructure.

The attacks have since escalated. In January, cyber intelligence sources detected operations using a new computer network attack malware called WhisperGate. Leveraging the Log4j vulnerability which allows malicious actors to execute code remotely on any targeted computer, WhisperGate masquerades as a ransomware attack but includes a bootloader wiper malware which maliciously deletes data and programs in the target infrastructure.

This series of cyberattacks reached a peak in February with the emergence of a new custom-written malware called HermeticWiper. The highly-targeted exploit leverages stolen credentials of employees or authorised third parties to access a target network and/or move laterally across the IT environment, and makes use of a benign partition management driver to execute sabotage operations.

Another new malware that emerged during this ongoing conflict is Cyclops Blink, a large-scale modular malware framework targeting network devices. Cyclops Blink appears to be a successor to the VPNFilter malware that enabled traffic manipulation, destruction of host devices, the exploitation of downstream devices, and the monitoring of Modbus SCADA protocols for industrial equipment and critical infrastructure. 

For now, Cyclops Blink is reported to have compromised a range of WatchGuard firewall appliances¹, but the malware has the potential to compromise other architectures and firmware. It allows threat operators to deploy new modules at run time to add new capabilities and to manage clusters of victims with separate lists of command-and-control IP addresses and ports.

1. Strengthen awareness

At the organisational level, it is important for enterprises to maintain a high level of situational awareness by leveraging threat intelligence services. Threat intelligence provides enterprises with organised and analysed information about past, present, and potential attacks, enabling them to define their risk measurements and gain greater clarity into the assumptions, variables, and outcomes.

At the end-user level, enterprises should conduct regular mandatory information security training to reinforce awareness of phishing attempts and strengthen the weakest link in cybersecurity efforts – the human factor.

2. Establish a robust cybersecurity framework

The cybersecurity framework is a set of standards, guidelines and best practices to manage cybersecurity risk and reduce exposure to vulnerabilities. To operationalise the framework, enterprises need to conduct a thorough identification and prioritisation of cyber risks through risk assessments, vulnerability assessments, and system reviews; and carry out periodic vulnerability assessment and penetration testing to safeguard any exposed assets.

The framework should be underpinned by a Zero Trust Policy which assumes that no one can be trusted and requires strict identity verification for every user or device attempting to access resources on a network, even if the user or device is within the network perimeter. 

Based on the cybersecurity framework, enterprises can leverage tools such as security information management, advanced security analytics platforms, security user behaviour analytics, and other analytics systems to help their security personnel observe in real-time what is happening within their networks so that they can orient defences more intelligently.

3. Review your business continuity plan

Business continuity and resilience plans help the enterprise to prepare for potentially disruptive events and enable it to get back quickly to “business as usual” after problems occur.

These plans are living documents that have to be reviewed regularly to include updates on all critical business processes, systems, applications, employees and resources. They also have to be validated through regular exercises and drills to test the enterprise’s preparedness.

1. Device and application level

• Update indicators of compromise (IoC) filters on intrusion prevention and intrusion detection systems (IPS/IDS) to improve signature detection and thwart suspicious inbound traffic.

• Apply IoC filters to Security Information and Event Management (SIEM) systems to detect suspicious inbound or outbound traffic on systems that contain sensitive information, particularly institutional proprietary data.

• Disable PowerShell wherever possible to minimise the likelihood of hackers using it for lateral movement modules.

2. Network level

• Apply network segmentation based on network type, purpose and access privileges within a converged IT/OT environment. This is a critical security control measure that can curtail the snowball effect in the event that a network segment is compromised.

• Secure the enterprise’s Internet-facing properties with robust security protocols and encryption, including the configuration of authentication or access credentials, to ensure that critical information stored in databases/servers is always safe.

3. Organisational level

• Ensure that organisational systems are protected with updated versions of firewalls and anti-malware/anti-virus software.

• Ensure that all applications/hardware are updated to their latest versions to flush out exploitable vulnerabilities.

• Incorporate Digital Risk Protection (DRP) as part of the overall security posture to proactively defend against impersonations and phishing attacks.

In view of developments in the Russia-Ukraine conflict, the Cyber Security Agency of Singapore has issued an advisory² to local firms to be on the alert. All enterprises must be prepared for what is happening now and how things could develop and morph in the coming months.

Businesses have to keep an eye out for the usual suspects - advanced persistent threats (APTs), malware, ransomware, DDoS, network attacks, zero-day vulnerabilities, code flaws, privilege escalation, data anomalies and network anomalies – as well as new ways in which these suspects could be carrying out their nefarious activities. And they must take active steps now to strengthen their cybersecurity posture, ensure heightened vigilance, and boost their online defences.

Sources:

¹WatchGuard, Cyclops Blink FAQs, 2022
²CSA, Strengthening Your Cybersecurity Posture Amidst Developments in the Russia-Ukraine Conflict, 2022