Dive Brief:
- Security officials warned private sector and critical industry partners to brace for a possible campaign of asymmetric cyberattacks after the websites of the Ukrainian defense ministry and at least two major banks were knocked offline by a series of DDoS attacks this week.
- Mandiant warned Russia was emboldened to use aggressive cyber capabilities against Western targets, according to a blog post by Sandra Joyce, executive vice president and head of global intelligence. This would allow Russia to send a strong message without engaging in direct military confrontation.
- CrowdStrike said traffic volume observed during the DDoS attacks was three times normal, according to Adam Meyers, senior vice president. About 99% of that traffic consisted of HTTPS requests, which he said indicated an attempt to overwhelm the targets' network circuit.
Dive Insight:
The cyber activity comes amid a tense standoff between Russia and major western powers.
President Joe Biden said in a speech Tuesday that the U.S. was prepared to respond if Russia launched an asymmetric cyberattack against critical infrastructure belonging to the U.S. or its allies.
The risk to U.S. multinational companies is heightened given the current military activity in Ukraine, said Jamil Jaffer, founder and executive director of the National Security Institute at George Mason University. Russia has a history of employing malicious cyber operations in the region.
"The threat is significant because, even if multinationals are not targeted by the Russian government, there is the significant possibility of collateral damage as we saw during the NotPetya cyberattack in 2017," Jaffer said.
During the NotPetya attack, destructive malware spread across the globe after initially targeting organizations in Ukraine. Multinational firms ranging from Mondelez International to Maersk and Federal Express suffered damages worth hundreds of millions of dollars.
There is also evidence of Ukrainian point-of-sale terminal disruption, said John Hultquist, vice president of intelligence analysis at Mandiant. He cited reports from Ukrainian police that consumers received fraudulent text messages saying ATMs were malfunctioning.
Teresa Walsh, global head of intelligence at the Financial Services ISAC (FS-ISAC), said the organization was unaware of any direct threats against the U.S. financial community or its infrastructure, but it was warning members to remain vigilant.
Ukrainian authorities linked an advanced persistent threat group known as Gamaredon or Primitive Bear to five Russian Federal Security Service (FSB) officers based in Crimea, according to Palo Alto Networks Unit 42. The researchers released 500 additional indicators of compromise, on top of 700 IOCs released earlier this month.
Microsoft security researchers earlier this month published findings on the same threat actor, which Microsoft tracks as Actinium. Since October 2021 the group has been observed using spear-phishing emails that deliver Office documents with remote templates (the document fetches its template, and with it the malicious content, from an attacker-controlled server when opened) against Ukrainian government organizations and groups coordinating humanitarian aid.
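As an added illustration of the remote-template technique mentioned above (example code written for this page, not code from Microsoft, Unit 42 or the threat actor), the Python below inspects a .docx the way a mail gateway or triage script might: it opens the ZIP container, reads `word/settings.xml` for an `attachedTemplate` reference, and resolves it through `word/_rels/settings.xml.rels`. A benign template relationship points at a local .dotx/.dotm file; a relationship with `TargetMode="External"` and an http(s) target is the remote-template lure. The sample document, the `example.invalid` URL and the helper names are constructed for the example.

```python
"""Flag Office documents whose attached template is fetched over HTTP(S).

Added example, not the page's or any vendor's code. A .docx is a ZIP archive;
word/settings.xml may carry <w:attachedTemplate r:id="..."/> and the matching
relationship in word/_rels/settings.xml.rels names the template's Target.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional
from urllib.parse import urlparse

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
ATTACHED_TEMPLATE_TYPE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)


def find_remote_templates(docx_bytes: bytes) -> List[str]:
    """Return every http(s) URL an attachedTemplate in the document points at.

    An empty list means no remote template reference was found (a local
    template path, a file:// target, or no template at all are all benign here).
    """
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        names = set(zf.namelist())
        if "word/settings.xml" not in names or "word/_rels/settings.xml.rels" not in names:
            return []
        settings = ET.fromstring(zf.read("word/settings.xml"))
        rels = ET.fromstring(zf.read("word/_rels/settings.xml.rels"))

    # Relationship ids referenced by <w:attachedTemplate r:id="..."/> elements.
    wanted_ids = {
        el.get(f"{{{R_NS}}}id") for el in settings.iter(f"{{{W_NS}}}attachedTemplate")
    }

    hits = []
    for rel in rels.iter(f"{{{REL_NS}}}Relationship"):
        if rel.get("Id") not in wanted_ids:
            continue
        target = rel.get("Target", "")
        # Only an External relationship with a web scheme makes Word reach out
        # to a server when the document is opened.
        if rel.get("TargetMode") == "External" and urlparse(target).scheme in ("http", "https"):
            hits.append(target)
    return hits


def build_sample_docx(template_target: Optional[str], external: bool = True) -> bytes:
    """Build a minimal in-memory .docx (constructed test data, not a real lure)."""
    settings = f'<w:settings xmlns:w="{W_NS}" xmlns:r="{R_NS}">'
    if template_target is not None:
        settings += '<w:attachedTemplate r:id="rId1"/>'
    settings += "</w:settings>"

    rels = f'<Relationships xmlns="{REL_NS}">'
    if template_target is not None:
        mode = ' TargetMode="External"' if external else ""
        rels += (
            f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE_TYPE}" '
            f'Target="{template_target}"{mode}/>'
        )
    rels += "</Relationships>"

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", f'<w:document xmlns:w="{W_NS}"/>')
        zf.writestr("word/settings.xml", settings)
        zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed URL: the lure would normally point at an attacker-controlled host.
    lure = build_sample_docx("http://example.invalid/templates/lure.dotm")
    print("remote templates:", find_remote_templates(lure))
    benign = build_sample_docx("Normal.dotm", external=False)
    print("remote templates:", find_remote_templates(benign))
```

The check is deliberately narrow: it reports only template relationships that Word would fetch from the network, so a document that merely names a local template does not trip it. The same ZIP-and-relationship walk extends to other external relationships (for example `oleObject` or `hyperlink` targets), which a fuller triage script would enumerate as well.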
The Cybersecurity and Infrastructure Security Agency said that while there was no specific, credible evidence of an attack, organizations should prepare for potentially destructive activity. The agency's recommendations included limiting port access, enforcing multifactor authentication, testing backup procedures and ensuring software is kept up to date.