Join today’s leading executives online at the Data Summit on March 9th. Register here.
Stiff sanctions against Russia and Vladimir Putin over Ukraine means a wave of cyberattacks may be headed for the U.S. and other western nations as retaliation, cyber experts say, as part of what could become an escalating “cyberwar.”
Security teams, of course, are perpetually on guard for Russian attacks — but the threat this time could be especially difficult to see coming, experts told VentureBeat.
That’s because Russia is believed to have been saving up some of its best options for a moment like this one. Russian threat actors are widely believed to have gained footholds into corporate and government systems — via SolarWinds-like software supply chain breaches, the Log4j vulnerability, or even the SolarWinds hack itself — which just haven’t come to light yet.
But they might soon. Cyber experts are warning of an increased risk of cyberattacks from Russia, following sanctions that booted major Russian banks from the SWIFT financial system. The move essentially prevents the Russian banks from carrying out international transactions, and followed other rounds of sanctions over Russia’s invasion of Ukraine, including some that’ve hit Putin himself.
Breaching supply chains
The SWIFT sanctions had previously been described as the “nuclear option,” and are exactly the sort of thing that Putin had vowed to retaliate against. And cyberattacks are his preferred method for hitting back against the west.
In assessing the size and scope of Russia’s military campaign in Ukraine, “this attack has been in the planning for years,” said Eric Byres, CTO of cyber firm aDolus Technology. “Efforts to prepare their cyber campaign will have matched the efforts on the ground, so you know that Russia will have cyberattack resources that match their military ones.”
Russian threat actors — whether in government agencies such as the GRU and SVR, or in sympathetic groups such as Conti — have almost certainly compromised software supply chains that we don’t know about yet, according to cyber experts. And in any cyberwar maneuvers targeting the west, they might opt to utilize this access.
“I’m willing to bet that the Russians haven’t used even a fraction of the bullets in their cyber arsenal,” Byres said in an email.
Uncovered in December 2020, the attack on SolarWinds and customers of its Orion network monitoring platform has been linked to the Russian intelligence agency SVR. The attackers managed to breach the software supply chain and insert malicious code into the application, which was then distributed as an update to thousands of customers.
As a result, the attackers are believed to have gained access for as much as nine months to numerous companies and government agencies, including FireEye, Microsoft and the Departments of Defense, State and Treasury.
Notably, however, SolarWinds was not the first major software supply chain attack attributed to Russia, or even the most damaging.
The 2017 NotPetya attack is believed to have originated through a compromise of an accounting application, MeDoc, which was made by a Ukrainian company and widely used in the country. The malware delivered through updating to the compromised software ended up spreading worldwide. And it remains the costliest cyberattack to date, with damages of $10 billion.
Other high-profile supply chain breaches have included Kaseya and CodeCov — and according to data from Aqua Security, software supply chain attacks surged by more than 300% overall in 2021.
Russian threat actors have likely carried out many such breaches that remain unknown, for now. “Supply chain penetrations don’t show up on satellite photos like tanks do, so we don’t really know where the Russian cyber implants are lurking,” Byres said.
In the wake of Russia’s unprovoked attack on Ukraine, the country has most likely been holding off on using its attack capability in the U.S. to see how hard the west would hit back with sanctions and support for Ukraine, Byres said.
Researchers at Cisco Talos have similarly been warning about the heightened risk of Russian attacks originating in the software supply chain in connection with Russia’s aggressions in Ukraine.
“We assess that these actors would likely abuse elements of complex systems to achieve their objectives on targeted environments,” Talos researchers wrote in a blog post. “Past examples of this include the use of Ukrainian tax software to distribute NotPetya malware in 2017 and, more recently, the abuse of SolarWinds to gain access to high-priority targets.”
In all likelihood, the Russian threat actors behind the SolarWinds attack still have access from the breach in many companies that has so far gone unused, experts say.
The SolarWinds attack was “unique in that the threat actor targeted and gained persistent, invasive access to select organizations’ enterprise networks, their federated identity solutions, and their Active Directory and Microsoft 365 environments,” said James Turgal, a former 22-year veteran of the FBI, and now a vice president at cybersecurity consulting firm Optiv. “The actor used that privileged access to collect and exfiltrate sensitive data and created backdoors to enable their return.”
Turgal, whose time at the FBI included serving as executive assistant director for the Information and Technology Branch, said the risk is from the threat actor’s “deep penetration into the compromised networks.”
“Unless each and every server, drive or compromised device was replaced or re-baselined, the probability of complete eviction of the malicious code would be low, due to the high cost and complexity of such a remediation,” he said. “Absent complete replacement or re-baseline remediation actions, those victims’ enterprise networks and cloud environments will be exposed to substantial risk for repeat and long-term undetected Russian threat actor activity, and those compromised organizations could be re-victimized when the threat actor desires to do so.”
Ultimately — with SolarWinds, and even NotPetya — “there may be victims that have been compromised by those attacks, and they just don’t know it yet,” Turgal said.
Byres agreed, saying he’s “certain” Russia has access to victims of the SolarWinds campaign that we aren’t aware of yet.
“Back in February 2021, I listened to a briefing by a G7 security agency where the director commented that critical infrastructure companies were still reporting to the agency that they had just discovered compromised SolarWinds software in their systems. This was three months after the malware was uncovered,” Byres said. “Three months is a lifetime in the cyber world and the Russians would have had more than enough time to hide deep inside a system and cover their tracks.”
Today, Reuters reported that U.S. banks are making preparations for potential cyberattacks in retaliation for sanctions on Russia such as SWIFT. The report specifically mentions that for banks, the SolarWinds breach “is top of mind.”
And SolarWinds is “just one campaign that we know about,” Byres said.
For instance, the Apache Log4j vulnerability uncovered in December “was a Christmas gift to the Russians,” he said. “The vulnerable software is widespread, and the exploit was easy and powerful.”
Russian agencies almost certainly used the vulnerability, which is believed to have appeared in logging software used by practically every company, to gain footholds into critical systems in the U.S. that they haven’t leveraged yet, Byres said. (Researchers have noted that major attacks utilizing Log4j have been lower than expected so far.)
In the current threat situation overall, Western companies that have commercial connections to Ukraine are at an especially high risk, according to Byres.
For instance, Maersk reported it lost as much as $300 million in the NotPetya attack. While the shipping firm is based in Denmark, it reportedly used the MeDoc accounting software — “which implied they had business dealings with Ukraine, a fact that was unpopular in Moscow,” Byres said.
And notably, while NotPetya did coincide with a Russia-backed separatist movement in Ukraine, “there wasn’t a full-blown war occurring,” he said. “So anyone in the west dealing with Ukrainian businesses today is facing a much bigger risk than Maersk did in 2017.”
That being said, Russia will likely be looking to bring cyberwarfare against companies that don’t directly deal with Ukraine, as well, Byres said. Putin has made it clear that the entire western world is his enemy and all options are on the table, he said.
“Any country and its infrastructure is fair game for a cyberattack” if Putin perceives it is interfering with his goals, Byres said.
If the Russians had managed to subdue all of Ukraine in just a few days, they probably would’ve kept cyber weapons in the U.S. infrastructure under wraps for a rainy day in the future, he noted. But after the sanctions of recent days and stiffer resistance from Ukraine’s forces than expected, that calculus may have changed.
For cyber defenders in the west, “our job is to uncover these attacks quickly and put them out before they spread and do serious damage,” Byres said. “It is a lot like fighting forest fires – the effective response is to spot little fires quickly and extinguish them before they become big fires.”
That can only happen when you have visibility of “both the overall forest and the trees within that forest,” he said. “Governments and company management need to be able to see the forest and the trees in our software supply chain.”