In the midst of ongoing global diplomacy, phrases like "cyber attack" and "cyber war" keep showing up in media coverage as possible steps toward a military conflict or all-out war.
Consider these recent headlines:
NPR — More than 70 Ukrainian government websites have been defaced in cyberattacks: “While the Russian military might be poised to invade Ukraine, hackers in the region are also creating chaos in cyberspace — and the consequences could be far-ranging.”
WSJ — Ukraine Hacks Signal Broad Risks of Cyberwar Even as Limited Scope Confounds Experts: “A recent cyber attack in Ukraine has heightened concerns in Kyiv that Moscow is plotting to support a land invasion with destructive hacks, although some experts remain puzzled about the Kremlin’s intentions.
"Last week, hackers defaced the websites of more than 70 government agencies, according to Viktor Zhora, deputy chief of Ukraine’s State Service of Special Communication and Information Protection. More worryingly, the hackers also installed destructive 'wiper' software designed to render computer systems inoperable in at least two government agencies, he said.
"Russia has denied any involvement in the cyber attacks.”
Politico.eu — Don’t call it warfare. West grapples with response to Ukraine cyber aggressions: “In the standoff between Russia and the West over Ukraine, hackers have upped the ante with cyber attacks and disinformation targeting the eastern European country.
"The question for Western security officials is this: What exactly are we dealing with — and how do we respond?”
Reuters — Poland raises cybersecurity terror threat after Ukraine cyber attack: “Poland on Tuesday raised its nationwide cybersecurity terror threat in the wake of a cyber attack on Ukraine last week, adding that the new alert level was preventative.”
THE LATEST CYBER ATTACKS
So what exactly happened, technically, in the Ukraine hacks? Views differ on who was behind the attacks, but the bulletins and articles below describe the technical details. Note that several sources describe the attacks as destructive wiper malware that was made to look, at first, like ransomware.
Microsoft — Destructive malware targeting Ukrainian organizations: “Microsoft Threat Intelligence Center (MSTIC) has identified evidence of a destructive malware operation targeting multiple organizations in Ukraine. This malware first appeared on victim systems in Ukraine on January 13, 2022. Microsoft is aware of the ongoing geopolitical events in Ukraine and surrounding region and encourages organizations to use the information in this post to proactively protect from any malicious activity.”
Cybernews — Log4j used to deploy WhisperGate malware in Ukraine cyberattack: “Last week Ukraine was hit with a massive cyber attack, affecting the websites of the foreign ministry, education ministry, ministry of agriculture, energy and sports ministries, as well as that of the state emergency service.”
U.S. Government Response and Alerts
According to CNN:
In his comments Wednesday, Biden suggested that a "minor incursion" could prompt a disagreement among NATO countries about how strongly to respond to Moscow…
On Thursday, Biden sought to clarify his earlier remarks, telling reporters at the White House, "I've been absolutely clear with President Putin. He has no misunderstanding. If any -- any -- assembled Russian units move across Ukrainian border, that is an invasion," Biden said. "But it will be met with severe and coordinated economic response that I've discussed in detail with our allies, as well as laid out very clearly for President Putin."
As he sought to clean up his previous remarks, Biden noted that Russia has a "long history" of using measures other than overt military action to carry out aggression, from paramilitary tactics to cyber attacks.
"We have to be ready to respond to these as well and decisively," Biden said.
The Cybersecurity and Infrastructure Security Agency (CISA) issued this Alert (AA22-011A) on Jan. 11, 2022, entitled "Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure." Here’s an excerpt:
CISA, the FBI, and NSA encourage the cybersecurity community — especially critical infrastructure network defenders — to adopt a heightened state of awareness and to conduct proactive threat hunting, as outlined in the Detection section. Additionally, CISA, the FBI, and NSA strongly urge network defenders to implement the recommendations listed below and detailed in the Mitigations section. These mitigations will help organizations improve their functional resilience by reducing the risk of compromise or severe business degradation.
- Be prepared. Confirm reporting processes and minimize personnel gaps in IT/OT security coverage. Create, maintain, and exercise a cyber incident response plan, resilience plan, and continuity of operations plan so that critical functions and operations can be kept running if technology systems are disrupted or need to be taken offline.
- Enhance your organization’s cyber posture. Follow best practices for identity and access management, protective controls and architecture, and vulnerability and configuration management.
- Increase organizational vigilance. Stay current on reporting on this threat. Subscribe to CISA’s mailing list and feeds to receive notifications when CISA releases information about a security topic or threat.
WHAT ABOUT CYBER INSURANCE AND NATION-STATE CYBER ATTACKS?
Slate published this article on cyber insurance recently: Should Insurance Companies Pay Out for Damage Caused by State-Sponsored Cyberattacks? I think it is an important discussion for all public- and private-sector organizations that are relying on cyber insurance to help them in the event of a major cyber incident.
Michael McLaughlin, whom I have interviewed for this blog in the past, posted a great discussion on LinkedIn this week that began this way: “As the drums of war continue to beat on the Ukraine border, now might be a good time to check your insurance policy.”
Michael continues:
“NotPetya was specially tailored to target Linkos Group – a small Ukrainian software company in Kyiv. Linkos Group manufactures M.E.Doc, which is an accounting software used by nearly everyone who files taxes in Ukraine. After initial compromise, the M.E.Doc server pushed NotPetya to all users as a software update, infecting any system running the software and rapidly spreading across the victim networks.
"These networks were not limited to those in Ukraine. Affected international corporations include A.P. Moller - Maersk, Merck, Mondelēz International, Saint-Gobain, and Reckitt-Benckiser. In total, NotPetya resulted in over $10 billion in losses. No surprise, then, that Merck, like many companies, turned to its insurance coverage to recoup some of the enormous losses NotPetya caused. Merck, in particular, had $1.75 billion in property insurance that it hoped would cover the computer damages and business interruption losses it suffered as a result of NotPetya.
"But the company’s claim was denied on the grounds that NotPetya was an act of #cyberwar — because the malware had been designed and released by the Russian government as part of an ongoing conflict with Ukraine — and therefore was not covered by the standard property insurance policy. These companies battled with their insurance providers for over four years to cover losses before finally prevailing. What does your policy say about covering acts of #cyberwarfare?”
FINAL THOUGHTS
No one knows where this Russia/Ukraine situation is heading next. However, the parallels between this situation and the CISA alert in 2016 are striking.
Many experts think that we may be in a global holding pattern until after the Winter Olympics in China. But it is clear that public- and private-sector organizations need to be on alert and ready, because more cyber attacks, of whatever kind and scope, could be launched as part of the situation in Ukraine at any time.