The potential for increased cyberattacks connected with the conflict between Russia and Ukraine is a very serious concern for organizations, governments and individuals around the world. Cyberattacks launched by either side or those with sympathetic leanings may affect parties far removed from the conflict.
On March 21, 2022, President Biden warned about “evolving intelligence” that the Russian government is “exploring options for potential cyberattacks.” (opens a new window) The White House also called upon critical infrastructure owners and operators to “accelerate efforts to lock their digital doors.”
For weeks, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and other experts have cautioned that critical infrastructure, banks, financial services firms and service providers are at increased risk. Spillover into other industries and organizations is also possible.
Given the heightened tensions and global ramifications of the conflict, all organizations should be prepared to recognize and defend against related cyberattacks.
Cyber conflict between Russia & Ukraine
Much has been reported about what could arguably be called Russian state-sponsored cyberattacks against Ukraine. The 2015 compromises of the Ukrainian power grid (opens a new window) were attributed to Russia, and the notorious NotPetya wiper malware was reportedly launched by officers of the Russian Main Intelligence Directorate (GRU) (opens a new window) on the eve of Ukraine’s Constitution Day in 2017.
With respect to attacks against Russia, more is known about the activities of third parties with sympathies for Ukraine. In 2016 and 2017, Ukrainian “hacktivists” released alleged emails of Russian officials into the public domain exposing Russia’s operations in Ukraine according to a report (opens a new window) by the Royal United Services Institute for Defence and Security Studies, a U.K.-based think tank. Those leaks, known as the Surkov Leaks, were attributed to a group called the Cyber Alliance.
In the current conflict, there is substantial information about various cyber threat actors with allegiances toward either Russia or Ukraine. (opens a new window)For example, on Feb. 24, 2022, the Anonymous collective announced that it was “officially in cyber war (opens a new window) against the Russian government.”
Shortly thereafter, news media reported that the Conti group — alleged to be responsible for millions of dollars in ransomware damage — announced its “full support” (opens a new window) for the Russian government and its actions in Ukraine.
Conti later proclaimed that it did not ally with any government and that it condemned the ongoing war. Commentators have opined (opens a new window)that Conti’s retraction may be due to leaks of its internal messages (opens a new window) and the potential for insurance issues that may preclude payment, including application of the war exclusion. There have also been reports (opens a new window) that before the military conflict began “hacktivists” called the Belarusian Cyber-Partisans launched attacks against the Belarusian railways. They reportedly demanded the release of 50 political prisoners and a commitment not to transport Russian troops for an invasion of Ukraine.
Cyber threat activity
The intelligence community and cybersecurity experts are working tirelessly to identify and communicate about the cyber threat activity resulting from the conflict.
The Council on Foreign Relations, a U.S.-based think tank, has tracked cyber operations and the threat actor involvement (opens a new window) in the conflict. It is clear that those with leanings toward either Russia or Ukraine have been active and/or vocal about their loyalties.
Much of the reported cyber threat activity has currently been confined to parties directly involved in the conflict, with some reports indicating that attacks on Ukraine have increased tenfold. (opens a new window)
However, there is the heightened possibility of widescale cyberattacks arising from the conflict and extending to parties elsewhere. Although a significant portion of the cyberattack activity has been limited to Russia and Ukraine, if attacks escalate globally, the losses could be devastating. Some have suggested that losses in the United States alone could be in the billions. (opens a new window)
Government guidance indicates that attacks sponsored by the Russian government may involve malware and cyber espionage. (opens a new window) Malware activity to date has included the deployment of wipers, which — as the name implies — erase targeted devices and/or systems. Some currently identified wipers include:
WHISPERGATE: malware that displays a fake ransomware note but wipes systems and has been used against organizations in Ukraine.
HERMETICWIPER: malware that manipulates a device’s master boot record, resulting in boot failure and has been used against organizations in Ukraine.
CADDYWIPER: malware that destroys user data and partition information and has been used against organizations in Ukraine.
RURANSOM WIPER: malware first considered a possible ransomware variant but now identified as a wiper targeting Russia.
In addition to malware, there have been numerous reports (opens a new window) of Russia launching distributed-denial-of service attacks (DDoS) against Ukraine. Such attacks could extend to organizations outside of Ukraine if geopolitical tensions continue to intensify.
We have received some reports that organizations outside of Russia and Ukraine are experiencing malicious cyber activity that could be attributed to the conflict. The healthcare industry has generally been a prime target for cyberattacks, and while there have not been reports of such attacks directly resulting from the conflict, government guidance indicates that the sector must remain vigilant. On March 1, 2022, the U.S. Department of Health & Human Services (HHS) issued a report (opens a new window)advising that the industry remain proactive.
Conti and LockBit are two ransomware variants with reported ties to Russia. Conti has historically targeted the U.S. healthcare industry. While LockBit operators have denounced any allegiances (opens a new window) and claimed that they do not attack healthcare, education, charitable organizations, and social services, HHS guidance (opens a new window)issued prior to the conflict indicated that organizations in the U.S. and European Union remain top targets for LockBit operators.
CISA and the Federal Bureau of Investigation (FBI) have advised that they are also aware of possible threats (opens a new window) to U.S. and international satellite communication (SATCOM) networks.
One area of potential threat activity — which may go unnoticed given the concentrated focus on the actual conflict — is the increased activity by threat actors to steal money. (opens a new window)While organizations are worried about the potential for nation-state threats and/or those posed by threat actors with sympathies for Russia or Ukraine, threat actors looking to steal money by electronic means are hopeful that potential targets will be sufficiently distracted that money can be stolen.
As geopolitical tensions began to increase late in 2021 and into 2022, government guidance called on organizations to understand and implement measures to mitigate against Russian state-sponsored (opens a new window)cyberattacks. CISA’s "Shields Up” (opens a new window) alert, the United Kingdom’s National Cyber Security Centre’s guidance (opens a new window), and the Australian Cyber Security Centre’s advisory (opens a new window)all provide excellent direction about mitigating potential risks and improving defense postures.
Many organizations are shutting down their Russian operations. As they do so, organizations should engage in a comprehensive analysis of endpoints and networks within Russia to ensure they are not vulnerable to compromise by threat actors.
Given that much of the current threat activity involves wiper malware that essentially erases all of the information and data on devices, particular attention should be given to:
Ensuring that malware protection is deployed as well as continuously monitored.
Considering a shorter window for scheduled backups and continued testing of those backups to ensure prompt restoration in the event of an incident.
Shortening the time frame for implementing all patches so that any known vulnerability can be addressed quickly to limit the possibility of intrusion.
Segmenting networks so that in the event of an intrusion, the malware does not have the ability to infiltrate and compromise all systems.
Reviewing, testing and revising incident response and business continuity plans.
Reducing incident reporting thresholds, as an event that may appear to be a small incident can develop into a large-scale compromise.
Revisiting invoice payment and wire transfer protocols to ensure that appropriate checks and balances, including callback verification, are implemented for payment and wire transfer requests.
Studying and evaluating networks traffic patterns, if not already done, so that any DDoS attack can be quickly recognized and addressed.
While these controls are crucial in light of the attacks observed so far, new and different attacks in the future are possible. Lockton therefore recommends that organizations review all current controls to strengthen defenses and ensure good cyber hygiene. Specifically, organizations should:
Ensure that remote access to their networks as well as privileged and administrative access require multifactor authentication (MFA).
Disable all ports and protocols that are not critical and audit controls on any cloud-based solutions.
Continue to emphasize identifying and quickly assessing abnormal network behavior, especially traffic originating from Russia and Ukraine.
Implement complete endpoint detection and response solutions.
Designate a crisis-response team specifically for cybersecurity incidents.
Isolate backups from networks and test backups to ensure that rapid restoration is feasible in the event of a cyberattack.
Empower CISOs to make necessary improvements to network security.
The conflict-related threat will be fluid and will require continuous monitoring. It emphasizes the need for increased board-level awareness regarding the existential threat of cyberattacks and the need to continually review cybersecurity posture and the robustness of an organization’s controls.
While widespread cyberattacks continue to be a concern for insurers, it remains to be seen what losses would and would not be covered. It is not possible to generalize about whether hypothetical attacks would be covered because coverage will depend on the unique facts of an individual cyber event.
A robust cyber insurance policy is designed to provide coverage for expenses incurred by a policyholder — with the insurer’s consent — that are associated with investigating, mitigating and remediating a covered security incident, such as malware. Those expenses can include fees and costs for retaining breach/privacy counsel, forensics firm(s), crisis communications, and potentially other reasonable and necessary vendors as agreed to by the insurer. A cyber policy can also potentially cover third-party liability claims asserted against a policyholder resulting from a covered incident as well as regulatory claims resulting from a covered incident.
Many organizations have questions regarding the applicability of war exclusions in cyber policies to cyberattacks resulting from the conflict between Ukraine and Russia. Lockton’s discussion of the applicability of the war exclusion in cyber policies as it relates to the ongoing conflict can be found here. (opens a new window)
Given the potential for increased cybercrime, it is important to ensure that organizations evaluate their crime policy(ies) if they sustain any type of monetary loss from a cyber event. The electronic loss of funds can potentially implicate both cyber and crime policies.
The current state of the cyber insurance market, coupled with the ongoing conflict, may result in insurers asking additional questions regarding an organization’s Russia-Ukraine footprint and its cyber risk controls. Insurers are being cautious about the conflict. We are aware of at least one insurer that is looking to preclude coverage via endorsement for any losses within Belarus and Russia. Other insurers may follow suit. Cyber insurance premiums continue to rise and the possibility of more cyber events could exacerbate the current rate increases.
If your organization becomes aware of malicious activity, malware deployment or compromise, it is always prudent to immediately call your insurer’s breach hotline and to communicate directly with Lockton and ensure proper reporting. These actions can provide immediate access to a suite of cyber response offerings from your insurer and avoid any potential coverage issues related to untimely reporting.
For more information, contact email@example.com.