Update 2/24/2022: Large-Scale Cyber Attacks
The day before its military attack on Ukraine in the early morning of February 24, 2022, Russia launched large-scale cyber attacks targeting the government, the military, and private companies. These included significant distributed denial of service (DDoS) attacks as well as the emergence of a new destructive malware named “HermeticWiper” by cyber security researchers at ESET.
As this crisis continues to unfold, there is also a continued cyber risk well beyond the physical conflict zone for private companies and governments – entities operating within Russia or Ukraine could be either directly targeted or suffer collateral damage. Aon’s Cyber Solutions continues to recommend a heightened proactive security posture at this time and will continue to provide updates to this article as the situation changes. 
Overview of Russian and Ukrainian Geopolitical Tensions
Global geopolitical tensions regarding Russia and Ukraine have continued to rise with a Russian invasion of Ukraine potentially just hours or days away and diplomatic tensions reaching a boiling point. Should Russia invade Ukraine, Russian and global cyber criminal activity will likely increase as attention and resources are diverted to Russian state sponsored and military activity. As evidenced by the October 2020 United States Department of Justice indictment of six Russian military cyber actors for globally disruptive cyber action to include over $1 billion in loss to three private companies, any malicious cyber activity will be very difficult to determine if the activity is opportunistic or hiding the hand of the Russian government.
While no one can say for certain what Russian Government plans and intentions might be, cyber security professionals can help ready their clients for the potential worst-case scenario and posture them proactively for both directed and errant cyber attacks with one idea in mind: cyberspace is not confined to a battlefield.
On February 12, 2022, the Cyber Security & Infrastructure Agency (CISA) issued a “Shields Up” warning to U.S. companies stating “Every organization in the United States is at risk from cyber threats that can disrupt essential services and potentially result in impacts to public safety. Over the past year, cyber incidents have impacted many companies, non-profits, and other organizations, large and small, across multiple sectors of the economy.” Much of the “Shields Up” warning stems from the CISA, FBI, and NSA joint Cybersecurity Advisory (CSA) advising and encouraging the cybersecurity community—especially critical infrastructure network defenders—to adopt a heightened state of awareness and to conduct proactive threat hunting (CISA Alert AA22-011A). 
In the event of an invasion, Russia may possibly use offensive cyber action as part of their order of battle and attack plans against Ukraine. The risk for Russian state-sponsored malware, such as the potentially Russian-linked destructive malware WhisperGate, to spiral out of control or be hijacked by predatory cyber criminal groups is very high.
Past industry-damaging examples of repurposing nation-state malware for criminal use include NotPetya, attributed to the Russian state-sponsored actors, and WannaCry, attributed to the Democratic People’s Republic of Korea (DPRK))., Furthermore, the potential for Russian-directed cyber criminal or nation-state activity retaliation towards U.S. and Western businesses remains high in the event the U.S. were to sanction Russia for military action against Ukraine. Russian cyber criminals have long been suspected of operating loosely at the behest of the Russian Security Services.
Russian State-Sponsored APT Behavior
According to CISA, Russian state-sponsored advanced persistent threat (APT) actors historically have used common but effective tactics including spearphishing, brute force, and exploiting known vulnerabilities against accounts and networks with weak security in order to gain initial access to target networks. Russian state-sponsored APT actors have also demonstrated sophisticated tradecraft and cyber capabilities by compromising third-party infrastructure, compromising third-party software, or developing and deploying custom malware. The actors have also proven the ability to maintain persistent, undetected, long-term access in compromised environments, including cloud environments, by using legitimate credentials.
Aon advises all clients to adopt the same heightened state of awareness, proactive measures, and implement an up-to-date cyber incident response plan, particularly for clients engaged in business in the Russian/Ukrainian region or who supply critical infrastructure, supply chain, energy, or industrial sectors.
Aon stands ready to assist our clients in a suite of proactive security measures to include:
- Proactive Threat Hunts, Threat Assessments
- Incident Response Readiness Assessments
- Cyber Threat Exercises
- Business Continuity and Disaster Recovery Readiness Assessments
- CISO Advisor / vCISO consultations
- ICS/OT Resilience, Cybersecurity Risk Assessments
- Maturity & Gap Assessments
- Security Risk Assessments
- Third-party Risk Assessments
In cyber security, the best defense is a good offense. Aon stands ready to assist clients in a suite of proactive security measures meant to protect and defend our clients from both nation-state and cyber criminal activity.