Update 2/24/2022: Large-Scale Cyber Attacks
The day before its military attack on Ukraine in the early morning of February 24, 2022, Russia launched large-scale cyber attacks against Ukrainian government, military, and private-sector targets. These included significant distributed denial of service (DDoS) attacks as well as a new destructive disk-wiping malware, named "HermeticWiper" by cyber security researchers at ESET.
As this crisis continues to unfold, the cyber risk to private companies and governments extends well beyond the physical conflict zone: entities operating in, or doing business with, Russia or Ukraine could be directly targeted, and others could suffer collateral damage. Aon's Cyber Solutions continues to recommend a heightened proactive security posture at this time and will continue to update this article as the situation changes. [1]
Overview of Russian and Ukrainian Geopolitical Tensions
Global geopolitical tensions regarding Russia and Ukraine have continued to rise, with a Russian invasion of Ukraine potentially hours or days away and diplomatic tensions reaching a boiling point. Should Russia invade Ukraine, Russian and global cyber criminal activity will likely increase as attention and resources are diverted to Russian state-sponsored and military activity. The October 2020 United States Department of Justice indictment of six Russian military intelligence officers for globally disruptive cyber operations, including attacks that caused nearly $1 billion in losses to three private companies, shows how hard it will be to determine whether any given piece of malicious cyber activity is opportunistic or is hiding the hand of the Russian government.[2]
While no one can say for certain what Russian Government plans and intentions might be, cyber security professionals can help ready their clients for the potential worst-case scenario and posture them proactively for both directed and errant cyber attacks with one idea in mind: cyberspace is not confined to a battlefield.
On February 12, 2022, the Cybersecurity and Infrastructure Security Agency (CISA) issued a "Shields Up" warning to U.S. companies stating "Every organization in the United States is at risk from cyber threats that can disrupt essential services and potentially result in impacts to public safety. Over the past year, cyber incidents have impacted many companies, non-profits, and other organizations, large and small, across multiple sectors of the economy."[3] Much of the "Shields Up" warning stems from the joint CISA, FBI, and NSA Cybersecurity Advisory (CSA) AA22-011A, which advises and encourages the cybersecurity community, especially critical infrastructure network defenders, to adopt a heightened state of awareness and to conduct proactive threat hunting. [4]
In the event of an invasion, Russia may use offensive cyber action as part of its order of battle and attack plans against Ukraine. The risk that Russian state-sponsored malware, such as the potentially Russian-linked destructive malware WhisperGate, spreads beyond its intended targets or is hijacked by predatory cyber criminal groups is very high.
Past industry-damaging examples of nation-state tooling being repurposed and spreading far beyond its original targets include NotPetya, attributed to Russian state-sponsored actors, and WannaCry, attributed to the Democratic People's Republic of Korea (DPRK); both spread using the leaked EternalBlue exploit.[5],[6] Furthermore, the potential for Russian-directed cyber criminal or nation-state retaliation against U.S. and Western businesses remains high in the event the U.S. sanctions Russia for military action against Ukraine. Russian cyber criminals have long been suspected of operating loosely at the behest of the Russian security services.[7]
Russian State-Sponsored APT Behavior
According to CISA, Russian state-sponsored advanced persistent threat (APT) actors historically have used common but effective tactics including spearphishing, brute force, and exploiting known vulnerabilities against accounts and networks with weak security in order to gain initial access to target networks. Russian state-sponsored APT actors have also demonstrated sophisticated tradecraft and cyber capabilities by compromising third-party infrastructure, compromising third-party software, or developing and deploying custom malware. The actors have also proven the ability to maintain persistent, undetected, long-term access in compromised environments, including cloud environments, by using legitimate credentials.[8]
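The CISA description above is a detection starting point: brute force and password spraying leave a distinctive pattern in authentication logs, and a successful login from a source that was failing moments earlier is the "legitimate credentials" case that matters most. The following Python is an added example, not code from the page, from CISA, or from Aon; it runs over sshd-style log lines constructed for the illustration, and the log format, thresholds, year and IP addresses are assumptions.

```python
"""Flag brute force, password spraying, and a success following either, in auth logs.

Added illustration. Log lines are constructed; the thresholds, the 10-minute
window, the assumed year (syslog omits it) and the addresses are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style log lines (not real logs). 203.0.113.7 hammers one
# account; 198.51.100.9 tries one password each against five accounts and then
# logs in as carol; 192.0.2.5 is a user who mistyped once and then succeeded.
SAMPLE_LOG = """\
Feb 23 03:12:01 bastion sshd[4011]: Failed password for admin from 203.0.113.7 port 51122 ssh2
Feb 23 03:12:03 bastion sshd[4011]: Failed password for admin from 203.0.113.7 port 51123 ssh2
Feb 23 03:12:05 bastion sshd[4011]: Failed password for admin from 203.0.113.7 port 51124 ssh2
Feb 23 03:12:07 bastion sshd[4011]: Failed password for admin from 203.0.113.7 port 51125 ssh2
Feb 23 03:12:09 bastion sshd[4011]: Failed password for admin from 203.0.113.7 port 51126 ssh2
Feb 23 03:12:11 bastion sshd[4011]: Failed password for admin from 203.0.113.7 port 51127 ssh2
Feb 23 03:14:00 bastion sshd[4020]: Failed password for alice from 198.51.100.9 port 40001 ssh2
Feb 23 03:14:05 bastion sshd[4021]: Failed password for bob from 198.51.100.9 port 40002 ssh2
Feb 23 03:14:10 bastion sshd[4022]: Failed password for carol from 198.51.100.9 port 40003 ssh2
Feb 23 03:14:15 bastion sshd[4023]: Failed password for invalid user svc-backup from 198.51.100.9 port 40004 ssh2
Feb 23 03:14:20 bastion sshd[4024]: Failed password for erin from 198.51.100.9 port 40005 ssh2
Feb 23 03:15:00 bastion sshd[4030]: Accepted password for carol from 198.51.100.9 port 40010 ssh2
Feb 23 03:20:00 bastion sshd[4040]: Failed password for dave from 192.0.2.5 port 33001 ssh2
Feb 23 03:20:30 bastion sshd[4041]: Accepted publickey for dave from 192.0.2.5 port 33002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_line(line, year=2022):
    """Return {ts, result, user, ip} for an sshd auth line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def max_in_window(times, window):
    """Largest number of timestamps that fall inside any interval of length `window`."""
    times = sorted(times)
    best = left = 0
    for right, t in enumerate(times):
        while t - times[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best


def analyze(log_text, window=timedelta(minutes=10), brute_threshold=5, spray_threshold=5):
    failures = defaultdict(list)  # (ip, user) -> failure timestamps
    successes = []                # (ts, ip, user)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["result"] == "Failed":
            failures[(ev["ip"], ev["user"])].append(ev["ts"])
        else:
            successes.append((ev["ts"], ev["ip"], ev["user"]))

    findings = {"brute_force": [], "password_spray": [], "credential_compromise_suspected": []}
    flagged_ips = set()

    # Brute force: many failures against one account from one source within the window.
    for (ip, user), times in failures.items():
        n = max_in_window(times, window)
        if n >= brute_threshold:
            findings["brute_force"].append((ip, user, n))
            flagged_ips.add(ip)

    # Password spray: one source, many distinct accounts, only one or two tries each,
    # which keeps every account under a per-account lockout threshold.
    by_ip = defaultdict(list)
    for (ip, user), times in failures.items():
        by_ip[ip].append(len(times))
    for ip, counts in by_ip.items():
        if len(counts) >= spray_threshold and max(counts) <= 2:
            findings["password_spray"].append((ip, len(counts)))
            flagged_ips.add(ip)

    # A success from an already-flagged source within the window means the attacker
    # now holds valid credentials. Requiring the source to be flagged first keeps a
    # user's single typo followed by a correct login (192.0.2.5) out of the alert.
    for ts, ip, user in successes:
        if ip not in flagged_ips:
            continue
        recent = [t for (fip, _), times in failures.items() if fip == ip
                  for t in times if timedelta(0) <= ts - t <= window]
        if recent:
            findings["credential_compromise_suspected"].append((ip, user))
    return findings


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        print(f"{kind}: {hits}")
```

The spray rule is deliberately keyed on "many accounts, few tries each" rather than on total volume, because a spray is designed to stay below the per-account lockout counter that a naive brute-force rule relies on; in production the same logic would run over a sliding window per source rather than over the whole file.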
Aon’s Recommendations
Aon advises all clients to adopt the same heightened state of awareness, to take proactive measures, and to maintain an up-to-date cyber incident response plan, particularly clients engaged in business in the Russian/Ukrainian region or who supply the critical infrastructure, supply chain, energy, or industrial sectors.
Aon stands ready to assist our clients with a suite of proactive security measures, including:
- Proactive Threat Hunts, Threat Assessments
- Incident Response Readiness Assessments
- Cyber Threat Exercises
- Business Continuity and Disaster Recovery Readiness Assessments
- CISO Advisor / vCISO consultations
- ICS/OT Resilience, Cybersecurity Risk Assessments
- Maturity & Gap Assessments
- Security Risk Assessments
- Third-party Risk Assessments
In cyber security, the best defense is a good offense. Aon stands ready to assist clients in a suite of proactive security measures meant to protect and defend our clients from both nation-state and cyber criminal activity.