A Russian official threatened the West on 08 June 2022, asserting that a “direct military clash” could result if Western governments continue to mount cyberattacks against its infrastructure. “The militarization of the information space by the West and attempts to turn it into an arena of interstate confrontation, have greatly increased the threat of a direct military clash with unpredictable consequences,” the Russian foreign ministry’s head of international information security said in a statement first reported by media.
Russia’s housing ministry website was hacked over the weekend with traffic to it redirecting to a “Glory to Ukraine” sign. The foreign ministry’s statement blamed figures in the United States and Ukraine for the attacks on its critical infrastructure. “Rest assured, Russia will not leave aggressive actions unanswered,” the Russian statement said. “All our steps will be measured, targeted, in accordance with our legislation and international law.”
Cybersecurity and Russia experts said that while the threats sound sobering, they are typical of Russian bombast. “Threats are just part of the Russian diplomatic vocabulary: They make them all the time and you cannot take them too seriously,” said the director of the strategic technologies program at the Center for Strategic and International Studies (CSIS). “They threatened nuclear war, they threatened war with NATO, they threatened an invasion of Poland.” He said it is not surprising to see Russia intensifying its threatening language now, given that it has not swiftly won its war against Ukraine as some expected. The Russians likely feel “they have to escalate the threats because people kind of aren’t as afraid of Russia as they were, say, three months ago,” the CSIS director said.
During the same week, the top cyber expert at the Russian foreign ministry told the Russian newspaper Kommersant that the US had allegedly “unleashed cyber aggression against Russia and its allies.” The Russian argued that Washington is leveraging Ukrainian President Volodymyr Zelensky’s IT Army to “carry out computer attacks against our country as a battering ram.” He told Kommersant that if the United States pushes Russia to retaliate, the outcome “could be catastrophic, because there will be no winners in a direct cyber clash of states.” These remarks appeared to be a response to the Cyber Command and National Security Agency chief, who confirmed offensive cyber operations against Russia; the White House insisted those operations did not violate President Joe Biden’s pledge not to use the military to attack Russia over Ukraine.
Russia sees itself as being stuck in a defensive posture fending off attacks from the West, said a Russia expert with the Center for Naval Analyses (CNA), a non-profit research and analysis organization focused on national security. He agreed with the CSIS director that the threats are neither surprising nor particularly worrying. “Every year the Ministry of Defense and other key government enterprises do sort of a presentation on how much Russia is getting beaten in the cyber domain and how Russia is constantly under attack,” he said. “They don’t see themselves as on the offensive here.” He said the tendency is part of a larger Russian posture, pointing to Russia justifying the invasion of Ukraine with defensive language about Ukraine becoming a Nazi state intending to place missiles near Moscow. “Russia talks about cyberattacks in defensive terms,” the CNA expert said. “Russia isn’t the one that’s just randomly attacking countries. It’s actually defending itself from larger, more coordinated, more powerful attacks.”
NATO Secretary General has warned Russia that a serious cyberattack could trigger Article 5 of NATO's founding treaty, in which “an attack against one ally is treated as an attack against all.” Businesses and governmental agencies responsible for critical infrastructure and high-profile targets should ensure they are adequately prepared with best practice prevention, detection and incident response measures to deal with Russian advanced persistent threats.
10 steps to take to avert a Russian cyber attack:
- Address Assumptions: Assume sophisticated cyber attackers are already inside your environment and are positioned to disrupt businesses at any time. Additionally, leverage credible cyber threat intelligence to determine if your organization would typically be targeted by Russian adversaries and for what reasons.
- Rally Communications: Ensure all relevant cyber and resilience teams are on high alert. This includes providing notice to corporate communications, legal, senior leadership and key third parties that everyone should be prepared to act as well as alerting employees to remain vigilant, especially for phishing and other social engineering attacks.
- Confirm Restoration: Take any immediate steps available to confirm key restoration and recovery activities, including a review of the completeness and integrity of key backups and ensuring recovery processes are accurate, known to all necessary parties and ready for action.
- Review Third-Party Engagement: Review existing agreements with key third parties, such as forensics and response partners, law firms and insurers.
- Stay Informed: Stay current on latest news. Leverage existing threat intelligence and information sharing sources as much as possible (e.g., CISA’s “Shields Up” site, industry ISACs and Red Sky Alliance). Additional resource links are shared at the end of this article.
- Reinforce and Secure Environments: Reinforce key controls and secure high-risk areas. This includes a review of current patching levels (and a likely short-term increase in scanning frequency), validation of your Internet-facing attack surface, and ensuring MFA and other dual-path access verification controls are active and appropriately configured.
- Evaluate Capabilities: Test, simulate and confirm all crisis management and incident response capabilities. Crisis management extends beyond incident response and includes confirming all key personnel understand their role.
- Review Current Recovery Playbooks: Perform a comprehensive review of existing continuity and recovery plans to confirm they are complete and up to date. Specific focus should be given to internal and external resource availability, dependencies on key third parties that provide business services, and communication protocols for external stakeholders (e.g., employees, regulators, customers).
- Assess Technologies: Increase focus on and revisit all technologies supporting any hybrid workforce. Confirm all remote or external access points are hardened and covered with current versions of end-point detection technologies.
- Set Expectations: Set – or reset – expectations with senior leaders and board members on the potential for disruption of services due to a cyberattack, and the current steps taken to manage those risks.
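The “Confirm Restoration” step above asks for a review of the completeness and integrity of key backups. The following script is an added example written for this article, not Red Sky Alliance’s own tooling: it records a SHA-256 hash for every file in a backup set, then verifies a later copy against that manifest and reports files that are missing, whose content no longer matches, or whose modification time is older than the recovery objective allows. The JSON manifest layout, the directory names and the sample file contents are all constructed assumptions for the demonstration.

```python
"""Backup integrity and freshness check (added example; assumptions noted inline)."""
import hashlib
import json
import os
import tempfile
import time
from pathlib import Path
from typing import Optional

CHUNK = 1 << 20  # stream 1 MiB at a time so large archives are not read into memory


def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 digest of a file, reading it in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(backup_dir: Path) -> dict:
    """Map every regular file under backup_dir (relative, '/'-separated) to its hash."""
    return {
        str(p.relative_to(backup_dir)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(backup_dir.rglob("*"))
        if p.is_file()
    }


def write_manifest(backup_dir: Path, manifest_path: Path) -> None:
    """Persist the manifest as JSON (assumed format: {relative_path: sha256_hex})."""
    manifest_path.write_text(json.dumps(build_manifest(backup_dir), indent=2, sort_keys=True))


def verify_backup_set(backup_dir: Path, manifest: dict, max_age_hours: float,
                      now: Optional[float] = None) -> dict:
    """Compare a backup directory against its manifest.

    Returns {"missing": [...], "corrupted": [...], "stale": [...], "ok": bool}.
    A file is stale when its mtime is older than max_age_hours relative to `now`.
    'ok' is True only when all three lists are empty.
    """
    now = time.time() if now is None else now
    report = {"missing": [], "corrupted": [], "stale": [], "ok": False}
    for rel, expected in manifest.items():
        p = backup_dir / rel
        if not p.is_file():
            report["missing"].append(rel)
            continue
        if sha256_file(p) != expected:
            report["corrupted"].append(rel)
        if now - p.stat().st_mtime > max_age_hours * 3600:
            report["stale"].append(rel)
    report["ok"] = not (report["missing"] or report["corrupted"] or report["stale"])
    return report


def demo() -> dict:
    """Constructed scenario: a clean backup set, then one file tampered, one deleted, one aged.

    Returns {"before": report on the intact set, "after": report after the damage}.
    """
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        backup = root / "backup"
        (backup / "db").mkdir(parents=True)
        sample_files = {  # constructed sample content, not real backups
            "db/accounts.sql.gz": b"constructed database dump",
            "db/orders.sql.gz": b"constructed second dump",
            "config.tar": b"constructed config archive",
        }
        for rel, data in sample_files.items():
            (backup / rel).write_bytes(data)

        manifest_path = root / "manifest.json"
        write_manifest(backup, manifest_path)
        # Reload from disk, as a scheduled check would, rather than trusting memory.
        manifest = json.loads(manifest_path.read_text())
        now = time.time()
        before = verify_backup_set(backup, manifest, max_age_hours=24, now=now)

        # Simulate the three failure modes the check is meant to catch.
        (backup / "db/orders.sql.gz").write_bytes(b"tampered or truncated")  # corrupted
        (backup / "config.tar").unlink()                                      # missing
        old = now - 72 * 3600
        os.utime(backup / "db/accounts.sql.gz", (old, old))                   # stale
        after = verify_backup_set(backup, manifest, max_age_hours=24, now=now)
        return {"before": before, "after": after}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the manifest should be stored separately from the backup media (and ideally signed), so that an intruder who can alter a backup cannot also rewrite the record it is checked against; the freshness threshold should match the recovery point objective agreed in the recovery playbooks.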
While the actions outlined above help manage risks around the current situation with Russia, forward-looking organizations should consider these actions a long-term investment against extreme events in an increasingly volatile world, whether environmental, pandemic, cyber or otherwise. In addition, diligent organizations need to ensure their current strategies position their cyber programs to better repel adversaries, increase detection and response agility and expand existing resilience capabilities. Proper funding, leadership and vision are all key to ensuring your cyber program is both business and threat-aligned and ready to face the challenges that are ahead.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings