CyberCube: Ukraine War Spiking Fundamental Shift in Cyber Risk Landscape
"We've never seen the potential for a cyber disaster like today," said William Altman, principal cybersecurity consultant at CyberCube.
Q: How has the war in the Ukraine impacted cyber threats?
Altman: The war in Ukraine today [and] cyber threats are deeply entwined in this conflict. I think we've seen a limited use of cyber today. Some of the experts that had come out just as the invasion was underway had predicted that there'd be massive attacks on critical infrastructure, and we just haven't quite seen that yet. This limited use of cyber has been somewhat significant in that we've seen DDoS attacks, or distributed denial of service attacks, website defacement, and a lot of the standard misinformation campaigns. But most of these have been symbolic in nature — meant to shake the faith in one side or the other — that their government services or their critical IT services can't support that. We have yet to really see the bridge between those attacks and the large-scale cyber-physical attacks, and even the cyber disasters. We think those things are possible. They're in fact realistic probabilities today, given the reality on the ground, but we think several levels of escalation are needed before we start to see those really impactful events. Today, we're likely to see some targeted losses against very large companies, potentially in critical infrastructure sectors, mainly as retaliatory attacks for assisting the Ukrainians in their fight against Russia.
Q: What does a cyber disaster look like?
Altman: We've seen a number of large-scale cyber events in the past five, six years, but none have quite amounted to a true cyber disaster. It's something we haven't quite yet seen today. But the writing's on the wall; we can name several events in the past two years that have been really indicative of these types of events — SolarWinds, Microsoft Exchange, Log4j, Kaseya VSA — and the list really just goes on. And what we're looking at here is an attack on what we call a single point of failure technology, some type of technology that's deeply embedded across industries and used by a lot of different institutions. And when that technology is taken advantage of, or shut down, thousands of businesses downstream from that technology suffer. These are the types of events that we're classifying as true cyber disasters. For that to take place, and for it to be directly linked to the situation in Ukraine, we would have to see some activity from the elite cyber forces of Russia, what we call advanced persistent threat actors. They have the skills, the resources, and the time to focus on their targets indefinitely. They're very hard to defend against. They have been behind some of the most sophisticated cyber attacks in history. They're pretty much the only threat actors today that check all the boxes for intense motivation and capability that we need to satisfy a cyber disaster scenario being likely. And so we still think the frequency of one of these events is low. But given the reality, there's actually just never been a better time to pressure test your book of business against something like a cyber disaster.
Q: William, could you give us an example or two of a company that has been attacked?
Altman: It's difficult to say whether or not a particular company has been attacked today in direct connection with the invasion of Ukraine. The reason being that attribution in cyberspace is very difficult on a normal day when we have one threat actor versus a company. Today, like I mentioned earlier, there are 33 different threat actors, so attribution becomes very difficult. That being said, there are some attacks that have occurred that are simply too coincidental to ignore. The ones that I'm focusing on today are, first, the attack on Toyota that shut down their manufacturing operations in Japan. This attack occurred very shortly after Japan agreed alongside Western allies to limit or to prevent Russia's access to the SWIFT banking system. Japan also pledged $100 million in aid to Ukraine shortly before one of their flagship enterprises was hit by a ransomware attack. Next we saw an attack on a company called Viasat, a global satellite communications company. It's widely believed that this attack was a Russian-born threat actor attacking this satellite company in order to take down Ukrainian cyber forces' — what's called command and control infrastructure, essentially — their ability to wage cyber attacks. And it's believed that some potential blowback or collateral damage in this attack included a company called Enercon in Germany, and Enercon supplies wind turbine energy to Germany. And this is right as Germany is considering shutting off the Nord Stream pipeline, delivering oil from Russia to Germany. And we think that this attack on Viasat may have had a dual purpose. It's unclear at this time, but we're looking into it. I know a lot of other folks are also looking into it. And then finally, we know that there was also a ransomware attack against McDonald's: the Snatch gang, a Russian-allied cyber criminal gang and prolific ransomware outfit, has attacked McDonald's.
It's unclear the extent of the damage or the ransom today, but I honestly can't think of a more symbolic entity of American culture globally than McDonald's, with its $186 billion market cap. So quite the symbolic target to hit. Again, that one we know was most likely the Snatch gang, and they are loyal to the Russian government. But again, it's not directly attributable to the Russian state. So again, it's interesting to note because it throws those war clauses into contention, and really makes attribution very difficult on a number of levels. And that's really what we're looking at today, when it comes to the threat landscape and the different threat actors involved.
Q: What types of companies would be most at risk for something like this?
Altman: When you think about the companies that are most immediately at risk, they are the companies and individuals inside Ukraine, and also in Russia and the surrounding countries. In Ukraine, we're seeing businesses get attacked with novel wiper malware that has self-propagating capabilities, similar to NotPetya, where entire industries have seen their IT assets wiped out, namely defense contractors and financial institutions in the lead-up to the invasion. That alongside a lot of website defacements. A lot of supply chain compromises — sort of the tried and true tactics for these threat actors. And that's happening in Ukraine today. If you have exposure to those businesses, you should basically assume they've been breached and that they need to start on their incident response protocols and their claims process. In Russia, we're also seeing a fair amount of attack activity; the Ukrainian Ministry of IT has recruited a global cyber army to attack Russian targets. And they've been largely successful, at least shutting down the websites for many of these companies, including Gazprom, major banks in Russia, and more. So those companies are also at immediate risk. We also know that some attacks today emanating from the conflict in Ukraine have spilled over into neighboring countries like Poland, Belarus, Lithuania and even Latvia. We've seen groups aligned against the Russians in Belarus stage attacks on critical infrastructure such as railways, and more. So these companies in these regions are at risk as well. But in the surrounding countries, it's largely limited to the companies and enterprises that are going to help facilitate the war effort. So largely transportation, shipping, logistics, defense contractors, and more. The big thing on people's minds today is what could happen if Russia stages a retaliatory attack against the West, against Europe, against Japan, or these other countries that have provided material military support for Ukraine.
That is where we're starting on some novel research today, looking at the specific technologies, the tactics and the procedures of the known threat actors that are aligning with Russia, and equipping our clients to look in their books of business for pools of risk that are indicative of susceptibility to these particular threat actors' known capabilities. That includes the prolific ransomware gangs that have pledged allegiance to the Russian government, as well as those state-sponsored threats that we know to be highly capable. We're also encouraging clients today to pressure test their books of business against those known realistic disasters that we think are less likely but still probable.
Q: So who are these bad actors? Who are these hackers?
Altman: CyberCube is tracking 33 different threat actors that have pledged allegiance on the side of Ukraine or on the side of Russia. When it comes to the Ukrainian side, the Ministry of IT has recruited a global hacker army. I've seen the Telegram channel and it's 4,000 strong. And these individuals have marching orders to attack targets inside Russia today to help the Ukrainians in their war effort and their struggle for freedom. We also know that the Russian government is contracting with some of the most prolific ransomware gangs in existence today, alongside utilizing their own cyber forces in the FSB, the SVR and the GRU — the equivalent to their CIA. Those are the threat actors that we're primarily worried about today. Along the periphery, we also have the hacking collective Anonymous, which is also attacking in favor of Ukraine against Russia, shutting down key websites, engaging in data leaks and whatnot. And then further around the periphery we have the Belarusian cyber partisans I mentioned earlier, who have attacked some critical infrastructure in Belarus in favor of Ukraine. And then I do believe that US cyber forces and the Five Eyes nations are also involved in this fight. They may not be directly attacking Russian assets, but they are certainly feeding intelligence to actors on the ground, and doing that through a mix of human and signals intelligence today. So I think this mix of threat actors creates a really complex threat landscape. And it's really complex, especially from the reinsurance viewpoint. I'm no expert on war clauses and exclusions. But this really, in my mind, makes it difficult to attribute these attacks to one actor or another. And we know that the Russian state-sponsored actors are famous for staging attacks that are going to be known to be Russian — we know where they came from, we know who did this — but they're not technically attributable in a court of law. That makes this situation far more difficult for reinsurers today, and it really underscores the point that I'm trying to drive home here: that we're facing a new threat landscape, that within the last 13 days, things have fundamentally shifted into a more active, more perilous state.
Q: Following up on that, what should insurers and reinsurers be doing?
Altman: I think the number one thing today is don't panic. I think you should encourage insureds, if you have a direct line of communication to them, to focus on threat modeling the advanced persistent threat actors and the tactics of the known criminal gangs, and also turn to tried and true resources like the FBI, CISA, and the MITRE ATT&CK framework for that type of threat modeling. Look out for indicators of compromise coming from CISA that you can use to compare against your log files, so you can determine if a threat actor has been in your system. I also think there's no shortage of need to focus on the cybersecurity best practices: logging, monitoring, identity and access management, multifactor authentication, ensuring that only the right individuals have access to the right data at the right time. This is what we're encouraging brokers and carriers to talk to their clients about. I think there's also a lot of room for insurers to recognize that they are in a new threat landscape today. And at no point in history has the situation around cyber activity been so dire. We've never seen the potential for a cyber disaster like we are today. We have all the boxes checked around the threat actors. We also are anticipating large-scale losses. I've been speaking to some modeling experts that come from the NatCat industry lately, and they've said things like: at this point, given the conflict and what we know about the intentions of our threat actors, and what we know about our own vulnerabilities, this is like saying that the warning signs for the hurricane being off the shore are blinking red, essentially. We may not be able to tell the exact wind speed or the temperature of the air right now. But we know something's coming. And it's on us to protect against the threats that we know and then to establish those best practices so we can defend against the threats that we don't know.
And I think the insurance community — from brokers, carriers on up to reinsurers — has a tremendous role to play in helping to safeguard those underlying insureds and the services that we all rely on.