A Mandiant report in November explaining new activity from the infamous Sandworm APT targeting operational technology in Ukraine should introduce a new reality for chief information security officers (CISOs) and other security leaders. Kinetic attacks will, going forward, be complemented by disruptive, and potentially damaging, cyber activity.
Sandworm is a notorious advanced persistent threat group linked to Russian intelligence, and according to Mandiant, they’ve been enhancing their capabilities to target OT and industrial control systems.
The report cites novel attacks and living-off-the-land (LotL) techniques used against a Ukrainian critical infrastructure organization. The LotL attacks were pointed at substation circuit breakers and caused a power outage that was coupled with a barrage of missile strikes on key targets across Ukraine. Sandworm is then alleged to have deployed a wiper in the victim’s IT environment, perhaps as a means of cleaning up its forensic tracks.
With fighting now happening in Europe and the Middle East simultaneously, we’re likely to see an expansion of the battlefield into cyberspace as a means of disrupting an adversary’s capabilities, with everything from communications to power potentially in the crosshairs. And as we’ve seen in the past with other cyberattacks targeting critical infrastructure, collateral damage to innocent parties is always in the cards.
Stuxnet, it’s believed, was never meant to have left the air-gapped systems it targeted inside the Natanz power station, but we quickly saw samples pop up elsewhere, leading to its analysis and ultimate neutralization. NotPetya targeted a popular Ukrainian business application called MeDoc. That campaign, however, quickly turned into a global incident, with organizations across Europe and Asia impacted by its wiper capabilities.
The point is that while today’s kinetic fronts may be contained to Ukraine, Gaza, and Israel for now, such may not be the case tomorrow, nor can the same promise be made for any future cyber incidents in a time of conflict or crisis.
CISOs must understand that their organizations cannot hide in obscurity, and more importantly, that it’s not only their IT environment that is at risk, but also any cyber-physical systems that are connected and managed online. The Mandiant report should put every critical infrastructure sector on its toes, not just utilities and communications. Malware can and does “leave the lab” so to speak, and the intended targets are usually not the only victims in such a conflict.
To that end, let’s discuss a few things you should be doing today in order to prepare for tomorrow.
Most if not all of the critical infrastructure sectors have information sharing and analysis centers (ISACs). In times of conflict, ISACs can be important clearinghouses of indicators of compromise associated with particular cyber activity. They’re also excellent sources of intelligence on threat activity, not only in the affected regions, but also locally. It’s crucial to remember that cyberattacks like these are not spur-of-the-moment campaigns. Months of reconnaissance often go into identifying targets, potentially exploitable vulnerabilities, and more.
Living-off-the-land techniques are not a new threat-actor TTP, but they are one we’re seeing more often. Microsoft, in May, reported on the activities of the Volt Typhoon APT, a group linked to China whose charter is espionage and intelligence gathering. Volt Typhoon has made effective use of LotL techniques to target U.S. organizations in Guam and on the mainland U.S. Microsoft said the group’s objective is to spy quietly and maintain persistence while gathering information.
One of the techniques Volt Typhoon uses once initial access is obtained is to issue commands via the command line to collect credentials and system data that can be used at a later time. The information is exfiltrated via local channels in order to look like legitimate traffic and stay under the radar.
This is the type of information an ISAC, law enforcement, and security companies can disseminate, along with mitigation advice, and observations about initial compromises.
Basic security hygiene is never a bad strategy. Just some reminders:
Ensure vulnerable systems are at current patching levels, especially for web-facing systems and applications.
Ensure multi-factor authentication is enabled for access to every system. Determined attackers will target people first, and while a second form of authentication isn’t always a perfect deterrent, it is essential.
Segment critical portions of your network; this is especially important for cyber-physical systems in industries that do not tolerate downtime. Legacy systems are a beacon to threat actors scanning networks for soft spots; keep these systems at arm’s length from a direct connection to the internet.
Logging and monitoring must be turned on and reviewed during conflicts. Anomalies cannot be ignored.
Test your incident response plans and ensure you have backup communication channels to staff, customers, law enforcement, and the government in the event an incident causes a disruption to your organization.
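As an added illustration of the logging-and-monitoring point above and of the living-off-the-land activity described earlier (example code written here, not from the original article, Mandiant, or Microsoft): a small baseline-and-deviation check over constructed process-creation events that flags accounts starting to use native, signed administrative tools they never used during a baseline period. The host names, user names, and the tool watchlist are assumptions.

```python
"""Baseline-and-deviation check for living-off-the-land (LotL) tool use.

LotL activity relies on binaries that are already present and signed, so the
presence of a tool is not suspicious by itself; a change in WHO runs it, and
WHERE, is the anomaly a log review should surface.
"""
from collections import defaultdict

# Native, dual-use Windows binaries commonly watched for LotL activity.
# Assumed watchlist for this example; tune it to your own environment.
NATIVE_TOOLS = {"powershell.exe", "cmd.exe", "wmic.exe", "net.exe",
                "reg.exe", "netsh.exe", "certutil.exe"}

# Constructed process-creation events (not real telemetry):
# fields are timestamp, host, user account, and the image that was started.
BASELINE_EVENTS = [
    {"ts": "2023-10-02T08:10:00Z", "host": "ops-ws01", "user": "jsmith",  "image": "powershell.exe"},
    {"ts": "2023-10-02T08:12:00Z", "host": "ops-ws01", "user": "jsmith",  "image": "excel.exe"},
    {"ts": "2023-10-03T22:00:00Z", "host": "hmi-01",   "user": "svc_hmi", "image": "cmd.exe"},
    {"ts": "2023-10-04T09:30:00Z", "host": "dc-01",    "user": "admin",   "image": "net.exe"},
]
NEW_EVENTS = [
    {"ts": "2023-11-14T08:05:00Z", "host": "ops-ws01", "user": "jsmith",  "image": "powershell.exe"},
    {"ts": "2023-11-14T03:41:00Z", "host": "hmi-01",   "user": "svc_hmi", "image": "wmic.exe"},
    {"ts": "2023-11-14T03:42:00Z", "host": "hmi-01",   "user": "svc_hmi", "image": "reg.exe"},
    {"ts": "2023-11-14T10:00:00Z", "host": "dc-01",    "user": "admin",   "image": "net.exe"},
    {"ts": "2023-11-14T10:01:00Z", "host": "dc-01",    "user": "admin",   "image": "notepad.exe"},
]


def build_baseline(events):
    """Map (host, user) -> set of watched tools that pair ran during the baseline window."""
    seen = defaultdict(set)
    for ev in events:
        if ev["image"] in NATIVE_TOOLS:
            seen[(ev["host"], ev["user"])].add(ev["image"])
    return seen


def find_anomalies(baseline, events):
    """Return events where an account runs a watched tool it never ran in the baseline.

    Non-watched images are ignored; a watched tool used by the same account on
    the same host during the baseline is treated as normal operations.
    """
    hits = []
    for ev in events:
        if ev["image"] not in NATIVE_TOOLS:
            continue
        if ev["image"] not in baseline.get((ev["host"], ev["user"]), set()):
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for hit in find_anomalies(build_baseline(BASELINE_EVENTS), NEW_EVENTS):
        print(f"{hit['ts']} {hit['host']} {hit['user']} first-seen use of {hit['image']}")
```

On the constructed data the service account on the HMI host is flagged twice (wmic.exe and reg.exe), while the analyst's routine PowerShell use and the admin's net.exe use on the domain controller pass as established behaviour.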
Finally, rely on what you do well. For organizations in most critical infrastructure sectors, response activities are like breathing—accomplished without a second thought. Look at the good work utilities accomplish in relatively short order during blizzards, hurricanes, earthquakes, and other natural disasters. There are tested processes and routines that are immediately put into effect; third parties are enabled, and fixes for weak spots are identified and applied in short order.
This strategy applies in cybersecurity. Rely on—or obtain—available cybersecurity expertise to roll out similar activities in the event of a disruptive or damaging incident. Stand up and test a response plan, work closely with peers in the industry, law enforcement, and the government, and be determined to restore services in short order.
The key for security leadership in a time of conflict is not to rely on obscurity. Sure, you’re one company, one team, among hundreds or thousands in your industry. The odds are against you being hacked and impacted during a kinetic conflict. History, however, has taught us that counting on those odds is a foolhardy approach. You cannot hope to dodge every raindrop in a hurricane; you should take the same approach in a time of conflict. Be prepared, because the consequences of not being ready can be costly.
U.S. Navy Adm. (Ret.) Michael Rogers served as the 17th Director of the National Security Agency and the 2nd Commander of U.S. Cyber Command. Adm. Rogers presided over the activation of the Pentagon's Cyber Mission Forces and the elevation of U.S. Cyber Command to unified combatant command status. He is currently the chairman of Claroty’s Board of Advisors.