Geopolitical tensions and conflict between Russia and Ukraine | Preventive and protective measures

Russia’s military invasion of Ukraine and cyberattacks against Ukraine are targeting its critical infrastructures. In recent weeks, the number of reported cyber incidents against Ukrainian institutions, organizations and the population has increased considerably. Beyond the risks to critical infrastructure s and personal data, those cyber incidents spread inaccurate information and increases distrusts among people all over the world.

Russian cyberattacks against Ukraine

Since May 2014, Russia has been actively conducting cyber operations against Ukraine to weaken its government. The first confirmed cyberattack from Russia was the disturbance and manipulation of the 2014 Ukrainian presidential election. This attack was aimed at altering and rigging the votes to get elected a candidate from the extreme-right party.

Between 2015 and 2018, attacks targeting Ukraine’s energy sector, financial sector and sovereign institutions were carried out to disturb the system. These attacks were carried out by malicious actors allegedly supported by or by the Russian government itself: Power Grid Attack, NotPetya, VPNFilter.

Finally, since January 14, 2022, a series of cyberattacks carried out by Russia against Ukraine has been reported including: the defacement of the Ukrainian government website, DDoS attacks on political, financial, and military institutions websites, a misinformation campaign (SMS) targeting civilians and the destruction (HermeticWiper) of data belonging to financial organizations and government entities of Ukraine, Latvia, and Lithuania. (1, 2, 3, 4) (1, 2, 3, 4)

As the image on the left illustrates the threatening climate which perceived beyond Ukrainian borders, some sectors such as transport and logistics have started to take drastic security measures to limit contact with Ukrainian territory. A similar safety bubble can and should be considered when it comes to cybersecurity.

Cyberattacks hit the entire Ukrainian territory at the same time as the military strikes, therefore it is likely that these cyber operations will continue and intensify in the next coming days if not weeks.

As an example, the Ukrainian government’s CERT made statement today that a massive phishing campaign is currently targeting the private email addresses of Ukrainian military personnel and any related persons, with the intention of stealing victim’s emails and address book. This attack, however, without official proof of direct link to the current Russian invasion, was carried out by the threat group UNC1151 based in Belarus.

Impact of the conflict on the French and European cyber security ecosystem

European regulators (5, 6) have called on EU public and private sector organizations to improve their overall resilience to cyberattacks. CERT-FR and ANSSI are calling on French organizations to increase their cyber vigilance (7). Authorities warn that the following sectors would be more likely to be targeted by a Russian cyberattack in the near future: banking, defense, communications services and the energy sector.

Aside from the preparations for the conflict back in the end of January, we were able to observe cyberattacks against logistics sector, specifically attacks on port infrastructure.

Today, we believe that the impact of the conflict on organizations from countries other than China, Russia, Belarus, Venezuela, Northern Korea and Syria, could be the effect of indirect attacks on Eastern Europe or allied countries with which French entities have a technical, physical or human liaison (i.e., Northern European energy transit, major port terminals etc). As a reminder, NotPetya, originally designed and deployed to target Ukraine, had infected, and crippled a significant number of organizations outside Ukraine such as France, Germany, Italy, USA and United Kingdom among other countries.

Russia may support opportunistic malicious actors in order to weaken any entities belonging to countries adhered to NATO. These malicious actors could take advantage of Russian invasion of Ukraine to distribute and spread malware (e.g., through Ukrainian companies). Thus, it is necessary to prepare against significant increase in malicious campaigns on “Western” organizations and entities.

Several editors have furthermore observed an upsurge in cyberattacksagainst energy, aviation and media sectors in Europe since the beginning of February 2022 by threat actors allegedly geolocated in Russia (RansomExx, LockBit, Hive, BlackCat, BlackByte and Conti).

Our recommendations

We recommend that you increase your level of vigilance towards the security of your Information System particularly during this period and ensure continuous monitoring of your environment (SOC). If you have any contacts entities (subsidiaries, strategic partners, …) in Ukraine or in the Eastern European countries that are members of NATO, we strongly recommend that you assess the risks associated with the current geopolitical context and take necessary drastic measures to protect your Information System.

In particular, we draw your attention to the following preventive and protective measures:

Ensure that the security components (EDR, EPP, IPS, proxy, firewall, anti-spam…) are operational and up to date. Update your antivirus signature databases and indicators of compromise.
Ensure the proper application of security patches on the systems in-use, in priority on the assets that have direct access to the internet. Implement containment measures for unpatched systems.
Ensure that external connections (VPN, Citrix, UAG…) are limited to strict necessity and/or harden access, for example via multi-factor authentication. Banning IP ranges from the following countries is also an option to consider Russia, Belarus, Venezuela, North Korea and Syria, or even China if necessary.
Isolate golden copies pulled from backups of your critical infrastructure and ensure that the backup and recovery strategy works properly.

Finally, we advise you to prepare a business continuity and disaster recovery plan in order to have the tools and methodologies to deal with a potential ransomware threat or “wiper” (malware erasing data). The proper and operational strategy regarding data backup and restoration is essential.