You are now part of the Russian-Ukrainian Cyberwar’s “Battlespace”

Posted on

It is 2022 and you are now part of the Russian-Ukrainian Cyberwar’s “Battlespace.” There is no escaping the “packets” flying through, at, and over your network. If you live on planet Earth, you are now part of the Russian-Ukrainian cyber-battle space.

What is a cyber warfarebattlespace?” A “battlespace” is the location of the warfighting. In geographical wars, the land, sea, air, and space define the battlespace boundaries. In a cyberbattle, there is no boundary. Cyberwarfare cannot be physically constrained. The Battlespace encompasses the entire Internet.

Collateral Cyber-Damage is a Risk! Your business, community and systems that connect on the Internet will be collaterally impacted as other systems are targeted. A company on the other side of the planet from a physical war could be damaged from miscreants using your network to attack others, getting infected with destructive ransomware/malware, being destructively targeted as part of a sanction retaliation, or any other “co-lateral” cyber-damage scenarios. Being on the Internet is being part of any cyber-conflicts battlespace. Unfortunately, organizations do not have “collateral cyber-damage” from being part of the battlespace in their DDoS, Ransomware, Malware, APT, and other Incident Response Playbooks.

Review and update your Incident Playbooks for “Battlespace Damage.” Take some extra time during this crisis to review your current incident playbooks. Have the teams walk through and update their incident playbooks for DDoS, Ransomware, Malware, APT, and Supply Chain. If you don’t have these incident playbooks, spend time building quick playbooks (see the APRICOT 2022 session on Playbooks for a quick tutorial – Session 6 – DDoS Runbook/Playbook). Here are some facts to consider during the week of (2022-02-28) and the Russian-Ukrainian conflict.

Fact: The conflict increased cyber-security risk will last months and years

The direct and indirect ramifications of the Russian-Ukrainian conflict are not going to be over anytime soon. The historical lessons from similar conflicts illustrate the long-term impact on the region and all interconnected parties. Given the nature of the hyper-interconnected world, we can expect long-term passive cyber-risk to turn into real cyber-risk.

Fact: Multiple Threat-Actors will be using the Internet as their battlespace to achieve their objectives and/or capitalize on the crisis

Attribution will claim one side or the other as a threat. The reality is that the “people” behind the cyber-actions are going to be a mix. The “threat actors” are the typical groups:

  • Involved Nation-State Threat Actors will instigate attacks that are coordinated with a national objective and agenda. They will be linked to the military, occupation control, and political interactions. There are NO barriers to what are viable targets. They have and will continue their activities to infiltrate systems/networks all over the world “just in case” they need to activate their APT resources to meet their objectives. The joint Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices is an example of these activities and illustrate how the non-action by industry to these warning have increased risk during the Russian-Ukrainian conflict.
  • Involved Corporate Contracted Affiliates will be commissioned to conduct parallel operations in support of the nation-state threat actors. They will be conducting operations that give the Nation-State “deniability” in case of investigative backtracking.
  • Passionate Allies to Both Sides Will Take Action. Individuals, small groups, and collectives on both sides will band together to support their side of the conflict. They will NOT be controlled by the Involved Nation-State threat actor but will be in a position to cause significant harm as they leverage risk throughout the Internet to target their passion on targets of opportunity.
  • Other Nation-State Threat Actors and their Affiliates with capitalizing on the global crisis to promote their objectives. Alert on Iran has already been published (see Alert (AA22-055A – Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks).
  • CyberCriminals will seek out the opportunity chaos provides to launch additional criminal operations. For example, a DDoS Extortion campaign can mask a Russian-Ukrainian linked group to obfuscate their purely criminal character. The same can be said for Ransomware, BEC, and other criminal activities.

Fact: “Taking out” and “Embargoing” the Internet is NOT in the Best Interest of the Attackers

Cyber Warfare needs the Internet as the Battlespace. If there is no Internet, then the ability to conduct cyber operations is impacted. DDoS, BGP Hijacks, and other damaging attacks are a risk, but they would not be intentionally designed to take out the “Internet battlespace.” There is more to gain by breaking into the target, conducting persistent infiltration (APT), deploying destructive malware, distracting targets with ransomware, exfiltrating data for normal espionage, conducting Information warfare, and many other attacks that require a functional Internet. Remember, these days the Internet is our means of interconnecting the communications of humanity. “Taking out the Internet, doing Internet embargos, and other destructive BGP hijacks removes the ability to “influence populations” with disinformation and propaganda.

Action: You can do something right now to decrease your security risk

National CSIRTs/CERT Teams throughout the world have been alerting to “activated” security risks. The advisories provide critical and simple mitigations that reduce the risk and put the organization in a heightened security posture. Pay Attention to the Threat Advisories from the national CSIRT/CERT Teams! National CSIRT/CERT organizations DO NOT push out advisories without purpose!

  • Each advisory has a public and confidential concern.
  • Each advisory is working to minimize risk.
  • Each advisory provides risk intelligence that would help an organization PAUSE, REFLECT, & TAKE APPROPRIATE ACTION to reduce their risk.

But, most National CSIRT/CERT advisories are crafted by committees that throw the “kitchen sink” of security actions that overwhelm their objective …. enticing their constituents to act in their self-interest! The result is decision paralysis because the most important security actions are lost in the noise. But, with a little effort these critical, multi-country security advisories can be dissected to pull out the core actions that reduce risk. The core Internet Operations meeting in Asia – APRICOT 2022 – provides two tutorial examples conducted during the DDoS Resiliency Workshop. The tutorial sessions use two advisories to walk through the risk, highlight the recommended actions, and focus on what can be done now while mapping a patch of improvement for the future.

Session 0 – “Shields Up! – Reading & Acting on the CSIRT/CERT Advisories

National CSIRT/CERT organizations push out alerts all the time. DO NOT IGNORE THESE ALERTS! They are provided intelligence that warrants an organization to minimize risk through action. The problem is many times these alerts are confusing, have a “kitchen sink” of advice, and paralyze their constituencies with the fog of “I don’t understand the “action ask.” We will use one example to help organizations read through and review the advice and then be able to take immediate and simple actions that step forward to minimize risk. This session uses Alert (AA21-287A) Ongoing Cyber Threats to U.S. Water and Wastewater Systems from October 2021 as an illustration of how an organization can pull the immediate actions, take action tomorrow, and map out the future actions to reduce security risk.

Session 4.1 – Protecting Routers, Switches, and Network Devices (Point Protection)

Router, switches, and network elements are getting broken into. They are used by miscreants of all types to control networks. They are being turned into powerful botnets. The irony is that the basics can mitigate the threat of network devices getting violated. This module helps organizations use simple tools to lock down their network and keep it safe from miscreant activities.

Action: Plug into the Major National CSIRT/CERT Team Advisories

The National CERT Teams from many countries send out alerts to their constituents. Most allow anyone to sign up for the email alerts. This is an easy “alert to action tool” to find out immediate risk. They are critical during a time of cyber-crisis. These organizations will have classified/TLP: RED intelligence they can now share, BUT WILL SHARE THE MEANS TO MINIMIZE THE RISK TO THE CLASSIFIED THREAT! Here is a small list to get started. A larger list can be found by looking at all the members from FIRST (Forum of Incident Response and Security Teams).

Are you looking for more practical, low-cost security Advice?

If you find your organization needs help and worry about the FUD from the industry, reach out and ask for help. You can reach me at bgreene@senki.org. The materials and guides posted on www.senki.org here are designed to help organizations leverage the talent around them to get started with their security activities. Start with the Operator’s Security Toolkit and Meaningful Security Conversations with your Vendors. Each is no-nonsense security for all Operators. It provides details to help them build more security resilient networks. In the meantime, stay connected to the Senki Community to get updates on new empowerment and security insights. You can sign up to the mailing list for updates here: Stay Connected with Senki’s Updates.