Plant a tree. Now.

Pepijn Vissers, Chapter8
Published Mar 12, 2022 (7 min read)

Geopolitics and the state of cyber.

“The best time to plant a tree was 20 years ago. The second best time is now.” — Chinese proverb.


Hello dear readers,

Although our next blog was supposed to be a short, punny piece on the importance of forward-leaning offensive security and on training your forensic readiness with crisis simulations, I’ll make this one a bit more substantive in light of the current situation in Ukraine and the cyber activity around it.

This will be a short analysis of the states of cyberwarfare, -espionage, -crime and -insurance. It will be about upping your cybersecurity posture in every way possible, with some concrete references at the end to help you on your way.

The state of cyberwarfare?

According to multiple sources, including this Wall Street Journal article, there are several reasons why digital offensive operations have played a relatively small part in the Ukraine invasion. Sure, wiper malware was deployed, phishing campaigns were identified and there were satellite outages at ViaSat with a knock-on effect in Germany, but none of these have been decisively impactful in the overall conflict — so far. Among the reasons cited: this is far more a kinetic conflict than a cyber conflict.

This observation might lead to the preliminary conclusion that we are far away from the nightmare all-destructive cyberwarfare scenarios that we have expected over the years.

Without pretending to be an expert in this field, but with a pretty hefty bag of experience under our belts regarding offensive and defensive nation-state operations, we think this conclusion is too preliminary. There is no telling the future. See this excellent (Dutch) thread by Paul Ducheine as reference.

For one thing, the general assessment is that Putin likely thought the Ukraine invasion would be a Blitzkrieg. It turned out not to be.

The gist of offensive cyber operations related to warfare is preparation for the disruption of a country’s critical infrastructure. This is also what the Dutch military intelligence and security agency MIVD has warned about for years in its annual reports. Offensive cyber operations as preparation for sabotage easily take years to plan and execute: gaining initial access to critical infrastructure, securing a foothold, and understanding the inner workings and weak points of that infrastructure, all the while evading evolving cybersecurity measures and attribution, years ahead of an actual conflict, just to be able to “flip switches” when the right time comes.

Far from easy, but not impossible either. That is why counties in the United States prepare for attacks on e.g. their internet, transportation and energy infrastructure. That is why the FBI warned that over 50 US critical infrastructure organizations have been breached by ransomware actors.

And what lots of people already suspected (or knew) surfaced during the Ukraine conflict: criminal actors can be state sponsored or state affiliated. Remember, ransoming an organization is just one of the options available to a threat actor with that level of access to an infrastructure. Staying under the radar and keeping this access only to act “when it counts” is another.

So in our opinion it would be naive to think that the threat of digital warfare is overrated just because its role in the Ukraine invasion proved to be small. Offensive cyber operations as preparation for the disruption of vital infrastructure remain a very real scenario.

Another offensive scenario would be to eavesdrop on crisis communications. We’re talking about digital communication between incident handlers and incident decision makers here, on which we will cover our thoughts in a next blog. Warfare communication (using military grade equipment and not Radio Shack walkie talkies) is far beyond the scope of this writing.

The state of cyberespionage?

Make no mistake — now that all eyes are on the ongoing conflict, other actors will ramp up their efforts in pursuit of less destructive but no less impactful operations: political and economic espionage.

I am not talking about Pegasus-like operations. I am talking about the same modus operandi as above, but for different actions on objectives.

Keep in mind that the actor interested in the information is not necessarily the same actor that gains the first foothold in a network. This “initial access” is sold (and bought) widely on underground markets. These actors are called Initial Access Brokers and the larger ransomware gangs have them tightly incorporated into their “business infrastructure”.

Regarding international political espionage: that initial foothold can be gained in several ways. An actor can target political parties’ own infrastructure. Most political parties have a strong web presence and are as such “vulnerable” to extensive open source research and infrastructure mapping. As parliament buildings are “mere” facilitators to the political process and most likely quite heavily secured, a political party’s own infrastructure will probably be an easier target.

A successful initial foothold in a single party’s infrastructure will provide an actor with party strategy, finance, contacts and communication and most likely access to credentials for other infrastructures. Access to multiple parties will provide the actor with inter-party communication, cooperation (or the opposite) and likely more credentials. This information can then be leveraged in several ways. For example, for disinformation / discrediting campaigns or for targeted HUMINT.

Second, the supply chain of both a political party and the facilitator of the political process can be quite large. We’ve seen plenty of supply chain attacks over the last two years. A successful supply chain attack would mean access to that vendor’s data (obviously), but in the worst case also some kind of access to a party’s or parliament’s infrastructure.

Third, don’t rule out the human factor: the insider threat.

Short and sweet: as far as economic espionage is concerned, the last two ways of gaining an initial foothold mentioned above apply here as well. Our experience tells us that a lot of companies with interesting proprietary knowledge also lack proper forensic readiness. The threat of digital espionage is, per our colleagues from Hunt&Hackett, very prevalent in the energy sector and the maritime and agricultural industries. We concur and will add that the Dutch Cyber Security Beeld Nederland 2021 lists more than 15 nation-state actor targets, including science.

It would be wrong to think that other nation states will tone down their efforts because of the current geopolitical situation, especially those keen on political and economic espionage.

Given the opportunistic character of nation-state actors, focusing on Russian cyberthreats alone is short-sighted. Expect to see a ramp-up in political and economic espionage attempts now that everyone is busy looking elsewhere.

The state of cybercrime.

The state of cybercrime has not changed since mid 2020. It has been rampant for years, even more so since COVID-19 and this trend is anything but declining. Nation-state actors might infect networks for political or economic gain, but the regular crooks motivated by cash are likely to pull a double or triple extortion and are still heavily involved in the game.

And do not forget about the phishing campaigns aimed at civilians. They claim to support Ukrainian humanitarian goals and the like, but are really just attempts to empty your pockets. You need to stay vigilant for your own wallet as well.

The state of cyber insurance.

Most likely, the digital operations around the Ukraine conflict will influence cyber insurance as well. For organizations that are experimenting with such insurance, it is to be expected that the cost of their policy will rise further and that the level of cybersecurity an insurer demands before even issuing a policy will be higher.

In short, to be able to have cyber insurance, organizations will have to have some level of cybersecurity maturity because otherwise the problem will become more and more uninsurable.

Also, it is expected that the ongoing invasion will have its effect on the war exclusions in the policies issued.

We believe cybercrime actors will leverage Ukraine as they did COVID-19, while insurance companies are likely to raise policy costs and pre-insurance demands.

Conclusion and tips

Right. So here we are. It might be easy to think about this blog as FUD4SALES to start upping your security measures as soon as possible — and use Advanced Purple Teaming preferably. But it is not.

The reality is that we’d like you to up your posture in any way possible:

  1. Focus your efforts on your crown jewels, not on the perimeter, where you most likely have a few things in place already;
  2. Do NOT focus on technical solutions only. Invest in people and processes — your forensic readiness, if you will;
  3. Use the NCSC guidelines — Dutch version here;
  4. Think about building a defensible network architecture from a strategic standpoint — Dutch only here;
  5. Get your logging up and running with the guidelines in this repo (for Windows) or in this article by our Hunter — or get a Managed Security Provider on board;
  6. If you find the time, stress-test your forensic readiness. And yes, Advanced Purple Teaming is in our opinion the best way to do that;
  7. For vital infrastructure, government and economic top sectors, we’d advise some proactive hunting around those crown jewels. You can find some inspiration here.

In short — prepare yourself and your organization for digital incidents faster and better than you have been preparing so far.

Good luck and stay safe.

About the author: Pepijn has an MSc in criminology and over 22 years’ experience in cybersecurity. He has worked in commercial and nation-state environments, on both operational and strategic levels. In 2020 he co-founded Chapter8, which specializes in Advanced Purple Team cybersecurity. Besides being a family man and CrossFit enthusiast, he is a cyber volunteer at the Dutch National Police.
