Updated: May 16
In the days leading up to Russia’s invasion of Ukraine, the cyber security community braced for a campaign of electronic warfare and cyber attacks.
But that’s not what happened. At least, not yet.
There were some mild cyber attacks ahead of the invasion, including some DDoS on Ukrainian government and financial services in January and February. But until now we have yet to see anything substantial coming from Kremlin. The surprising lack of cyber-attacks in Putin’s invasion, has everyone perplexed. Current theories range from the Russians not trying all that hard on the offensive cyber front, the idea that they did — but that Ukrainian and western defenders proved too formidable, and the current favoured theory that Putin's has largely privatized Russia's cyber military capabilities to Russian cybercriminals groups the likes of FancyBear, CozyBear and Sandworm, and that they do not support the invasion.
Supporting that theory is recent ransomware source code releases from Ukrainian "contractors" of these gangs to the public. These have been called the „Conti leaks “. This is currently the immediate danger for the rest of us. The release of ransomware source code can have disastrous effects on corporate networks and consumers. This is because it is very common for other threat actors to use the released source code to create their own ransomware operations.
In the past, a researcher published the source code for a ransomware named 'Hidden Tear' that many threat actors quickly adopted to launch different operations. Tough Hidden Tear can be decrypted, it led to uprise of new ransomware attacks that terrorized consumers and companies for years. With the continued leaks of the Conti ransomware gang's source code, it is only a matter of time until other threat actors use it to launch their own operations.
There’s also the matter of military logistics. Russian forces would most likely be using radio handsets and Ukrainian telecommunications networks to co-ordinate movements and update commanders back in Russia. In this scenario, Moscow would keep networks operational for their own use. If they thought Ukrainians would fold in the face of a lightning strike on the capital, then they would have wanted to maintain critical infrastructure services for when they moved in. If you want to take over your neighbour’s apartment it makes little sense to trash it before you move in.
But the war isn’t over, not by a long shot. Western unity against Putin’s shown in the devastating sanctions, combined with international businesses self-sanctioning their Russian operations, has wrecked the economy, and cut off essential services and supplies. The preliminary economic outlook for Russia is grim, not just for the next few weeks, but possibly for years. Thus, there is still the danger that as political and economic conditions deteriorate, the escalation that "may have" kept Moscow’s most potent cyber capabilities in check may adjust.
With the Russian operations uncertainty and the recent releases of Russian based ransomware source code.The shipping conglomerate Maersk, was hit by the NotPetya ransomware in June 2017, estimated that it cost them as much as $300 million in lost revenue. „It is inevitable that you will be attacked. It is inevitable that one day, one will get through. And obviously, you should have a solid contingency plan in place in case of the worst. “Gavin Ashton IT Security guy working at Maersk.
Stop being afraid of ransomware, but start being afraid of your lack of investment in preparing for ransomware
When recovering from a Ransomware attack, speed and precision are critical. Companies and organizations need to be able to identify compromised data and restore it to a last known good state quickly and easily. Identifying the compromised data can be time consuming and difficult. Ideally, there would be a process that could intelligently identify the corrupted data and system that can provide the operator with options for recovery.That is what we at Cristie Nordic focus on.