Russia’s feared cyber warriors appear to be fighting in Ukraine | CBC News


A day after Russian tanks tore through Ukrainian border posts on February 24, the US Cybersecurity and Infrastructure Security Agency (CISA) issued a rare “Shields Up” alert, warning that “all organizations, large and small, must be prepared to respond to disruptive cyber activity.”

The expectation was that Russia would attack not only Ukraine but also Ukraine’s Western allies.

For whatever reason, that hasn’t really happened in a big way.

“We haven’t seen anything that we can directly attribute to Russia setting its sights on Canada,” Sami Khoury, head of the Canadian Centre for Cyber Security, told CBC News. “There have probably been indirect effects in some cases, but we haven’t seen anything that is directly aimed at Canadian infrastructure or the Canadian ecosystem.”

Instead, Russia has found itself being hacked, in one case with disgraceful results that surely must have spoiled President Vladimir Putin’s Victory Day extravaganza.

As RuTube, the Russian version of YouTube, was taken down by hackers, YouTube itself remained online in Russia and continued to share videos demonstrating Ukraine’s dominance in the information space in this war.

Hacktivist groups like Network Battalion 65 have stolen lots of emails and data from Russian government and corporate sites. In March, for the first time in history, more Russian email credentials were leaked online than those of any other nation.

Ukraine’s Kalush Orchestra appears on stage after winning the Eurovision Song Contest 2022 in Turin, Italy, on May 15, 2022. (Yara Nardi/Reuters)

Russian hackers could not even interrupt voting in the Eurovision Song Contest. (Ukraine won.)

Just as Russia’s armored divisions entered this conflict with a fearsome reputation that turned out to be grossly exaggerated, the reach of Moscow’s cyber legions may have been overestimated. And just as the Russian war has diminished the reputation of Russian weapons, it could also lead to a reassessment of the relative strengths of nations in the virtual world.

Fearing the worst

Ukraine had every reason to expect the worst. Online attacks have been going on there since the war started in 2014.

A Russian “persistent threat group” known as Sandworm was behind a December 2015 attack on the Ukrainian power grid that led to widespread power outages.

A year later, in December 2016, the Ukrainian financial system was attacked by Black Energy malware, which also caused power outages in Kyiv.

Then, in June 2017, the same group struck again with a powerful new malware called Petya, throwing government ministries into chaos, forcing banks to close, jamming telecom networks and once again disrupting Ukraine’s power grid. Airports and railways were affected, and Chernobyl’s radiation monitoring system went offline.

Ukrainian and Western officials blamed the attacks on Russia’s GRU (main intelligence directorate) and SVR (foreign intelligence service).

Last year, Ukraine’s SBU security service reported that it had “neutralized” an average of four cyberattacks per day.

Thus, it was widely assumed that a bot army would act as the vanguard of any real invasion by attempting to cut off power and communications, clog transport links, and generally sow confusion.

Russia tried something modest in that regard.

A laptop screen displays a warning message in Ukrainian, Russian, and Polish that appeared on the official website of the Ukrainian Foreign Ministry after a massive cyberattack on January 14, 2022. (Valentyn Ogirenko/Illustration/Reuters)

In mid-January, a cyberattack affected about 70 Ukrainian government websites hours after talks between Russia and NATO failed to deliver the concessions the Kremlin hoped for.

“All information about you has been made public, be afraid and expect the worst,” read a message on the pop-up screen. “This is for your past, present and future.” It repeated familiar Kremlin tropes about the Nazis and the persecution of Russian speakers.

In addition to targeting government and military sites, the distributed denial-of-service (DDoS) attacks also targeted two banks, shutting down ATMs and credit card transactions.

Hack and attack

Russia launched another cyber attack in Ukraine on the day of the invasion with a piece of malware called Hermetic Wiper that targeted hard drives.

Last week, the Canadian government accused the Russian army of having “directly targeted Viasat KA-SAT satellite Internet service in Ukraine” in February. The UK government says the attack also hit collateral targets such as wind farms in central Europe.

But the trains continued to run and the Ukrainian government continued to run. The attack was far less damaging than the 2007 attack on Estonia, or the attacks that preceded the invasion of Georgia in 2008.

Ukrainian military prepare to fight Russian forces in Ukraine’s Luhansk region on February 24, 2022. Russia launched a cyber attack to accompany its invasion. (Anatoly Stepanov/AFP/Getty Images)

Ali Dehghantanha, Canada Research Professor in Cybersecurity and Threat Intelligence at the University of Guelph, said Russia may have underutilized its offensive cyber capabilities because it was banking on a quick military victory.

But Ukraine is also better defended after years of successive attacks, he added.

“Because of its previous history with Russia,” Dehghantanha said, “since the time of the conflict in Crimea, Ukraine, with the support of Western allies, has done a very good job of protecting its physical infrastructure this time.”

Western involvement

Those Western partners include Canada’s digital counterintelligence agency, the Communications Security Establishment.

“While we can’t speak to specific operations, we can confirm that CSE has been tracking cyber threat activity associated with the current crisis,” CSE’s Ryan Foreman told CBC News.

“CSE has been sharing valuable cyber threat intelligence with key partners in Ukraine and continues to work with the Canadian Armed Forces in support of Ukraine.”

CSE also has Canada’s own assets to worry about, of course.

A message demanding money appears on the monitor of a payment terminal at a branch of the Ukrainian state-owned Oschadbank in Kyiv after Ukrainian institutions suffered a wave of cyberattacks on June 27, 2017. (Valentyn Ogirenko/Reuters)

For years, major cyberattacks on North American assets have taken place with some regularity. CISA has compiled a long list of US online assets it sees as coveted targets for Russia’s disruption and theft operations, including “COVID-19 research, governments, election organizations, healthcare and pharmaceuticals, defense, energy, video games, nuclear and commercial facilities, water, aviation and critical manufacturing.”

“Russia has significant cyber capabilities and a proven history of using them irresponsibly. This includes the SolarWinds cyber compromise, COVID-19 vaccine development, Georgia’s democratic process and NotPetya malware,” Foreman told CBC.

Shotgun tactics

Dehghantanha said state-sponsored hackers are now moving away from creating the most sophisticated malware to employ a more scattershot approach, which involves installing simpler backdoors on a wide range of less-defended infrastructure targets.

“Before 2020, we saw a lot of effort in creating the best malware or the best cleaner or the best exploits,” he said. “The problem is that if your opponent discovers that malware, he knows a lot about you, about your capabilities, all your investments.

“So if it comes with the most advanced malware, it can take two or three years of research and development. But from the moment it is implemented and it starts to make an impact, it takes them only a couple of weeks to fix it.”

Hacktivists on the battlefield

Dehghantanha said Russian players have had some success in the emerging field of “social cybersecurity,” where hackers behave more like hacktivists.

“The cost of creating fake content that looks very convincing to the general public is pretty low these days,” he said. “And I’m seeing a rapid shift in the activities of hacking groups in that direction. Instead of trying to impact capital infrastructure or IT infrastructure, we can impact humans and achieve the same result.”

An example of a “fake hacktivist” attack would be a disinformation campaign designed to spread panic in a particular town or district.

“They try to impact at that micro level,” Dehghantanha said.

Ukraine also warned that it may not yet have felt the full effects of Russian hacking.

The country’s top cyber official, Victor Zhora, recently said that Russia stole Ukrainian government data to give its forces a list of targets to arrest or kill in the occupied areas. He said he fears the data is already being used.

The lower abdomen remains soft

Canada remains vulnerable, Dehghantanha said, “especially the soft bellies of critical infrastructure like water treatment systems, the agricultural sector, any supply chains, and of course pipelines.”

Increasingly, hostile actors have been seeding malware in advance with an eye toward attacks months or years into the future. Dehghantanha said Canada should tighten its requirements for private companies running critical infrastructure.

The Pickering nuclear power plant east of Toronto on August 18, 2003. Energy infrastructure is considered a key target for cyberattacks by hostile actors. (Kevin Frayer/The Canadian Press)

“We need to change our policy from blacklist to whitelist, which means instead of telling you that you can’t install A, B, and C, and anything else is allowed, we need to tell you that you can only work with A, B, and C, and nothing else is allowed,” he said.

“There is no way, there are no resources for the nation to control everything. So it is better that we limit ourselves to specific suppliers, to a specific product that we know.”

The balance can change quickly

Foreman said the CSE is in constant contact “with Canadian critical infrastructure partners through protected channels,” beyond what is seen in its public notices.

“Now is the time to take defensive action and be proactive,” he added.

That means isolating critical systems from the Internet, creating and testing backups, and testing manual controls to ensure critical systems continue to function when networks fail, he said.

Dehghantanha said he is reluctant to downplay the threat posed by Russia simply because it has been disappointing in Ukraine.

“Cyber warfare is not like an equilibrium where you can say I have bigger weapons or more aircraft, so I’m superior. That’s not the case at all here,” he said.

“You could have just 10 fantastic cyberattackers who could create an exploit and gain access to that critical infrastructure, and they would make a significant difference.”




Reference-www.cbc.ca
