The conflict in Ukraine has global implications and, like any event of global significance, it creates ideal conditions for cyber attacks.
Hendrik Schless, Senior Manager of Security Solutions at Lookout, comments on cyber threats in the context of the current Russia-Ukraine crisis:
With eyes and ears on the epicenter of the event, attackers will either use this as a distraction to covertly compromise resources or exploit the news flow to run social engineering campaigns. Regardless of the attackers’ tactics, everyone—businesses, consumers, and government organizations—should exercise extreme caution during these major global events. Now is the time to be extra vigilant about the sharing of data, access to it, and the identity of those you connect with online.
It is very likely that phishing campaigns will pop up, as is typically the case with major global events, especially when people are looking for the latest news and updates or want to find a way to help those in need. Attackers exploit our innate need for information by running phishing campaigns via SMS, email, third party messaging platforms and especially social media apps. These campaigns usually have very enticing headlines and lead to malicious websites.
Malware and Trojans
Another common tactic is for attackers to pretend to be media sources. In this case, they may try to send journalists malicious, malware-infected documents or trick them into downloading a trojanized version of a legitimate application. On the other hand, the attacker can also impersonate a journalist and target people with the same malicious intent.
Data from Lookout shows that between the second half of 2021 and 2022, there was a 150 percent increase in mobile phishing attacks targeting enterprise users. The massive increase in exposure to mobile phishing makes it clear that phishing campaigns are more likely to take place on mobile platforms. Individuals and businesses should therefore ensure that their mobile users are protected from phishing attacks.
Ransomware and Supply Chain Attacks
There is also a significant risk for companies with heavily integrated third-party systems. Attackers could use this as an opportunity to perform the first steps of a supply chain attack, a ransomware attack, or proliferate malware with widespread collateral damage. In 2017, the NotPetya ransomware attack crippled the operations of a large handful of global companies. This was a perfect example of the far-reaching effects of collateral damage. In recent times, the SolarWinds incident was one of the most devastating attacks on the software supply chain. This was of particular concern because SolarWinds is known to be used in federal agencies and other highly secure infrastructures with valuable data.
In both cases, the attackers were able to compromise a source of truth that fed hundreds of organizations. The attackers managed to compromise infrastructures by exploiting the implicit trust that systems have in each other when performing processes such as standard updates. Attacks on critical infrastructure (KRITIS) can also be carried out in this way. The ransomware attack on Colonial Pipeline in 2021 should serve as an incentive for all critical infrastructure operators to secure their systems against this type of modern attack.
Organizations should also review the security practices of any third-party software they have integrated into their infrastructure, particularly when teams operate in the currently vulnerable parts of the world. There are so many connections and so much implicit trust between systems that a successful attack on a third party could leave your organization the victim of collateral damage. Attackers could also intentionally target a third party they know to be affiliated with certain companies in order to gain backdoor access to corporate infrastructure.
Current events in Ukraine show how incredibly important it is to have visibility into how all users, devices and networks are interacting with corporate infrastructure and data. It can be assumed that attackers will find more and more ways to secretly penetrate the infrastructure. This can be done by using phishing attacks to steal credentials, exploiting vulnerabilities, or finding a credential via an integrated third-party system.