Capitalizing on a Crisis: What Global Events Mean for Cybersecurity

The advancement of Russian forces into neighboring Ukraine has been met with significant international condemnation. While stopping short of military intervention, many Western nations and corporations have responded by imposing extensive sanctions, cutting off the country and its citizens from assets, services and vital revenue streams.

While the impact of these sanctions on the outcome of the conflict remains to be seen, they are already causing widespread disruption across Russia and beyond. US and UK officials have since warned that retaliation will come in the form of increased cyber-attacks against Western businesses and government bodies.

This should not come as a surprise. Russia has a long history of cyber warfare. However, this type of nation-state attack is not the whole picture. As with any mass disruption, the Russia-Ukraine conflict has been seized upon by opportunist cyber-criminals, tailoring and targeting their lures to capitalize on confusion and disinformation.

It doesn’t stop here. We’re also seeing unusual ‘reverse’ style attacks. Hacker groups such as Anonymous claim they are targeting Western organizations that are still operating in Russia. This again illustrates that the cyber-threat landscape during major global conflicts can evolve in many ways, some we haven’t seen before.

An Escalating Cyber Conflict

As the most recent tensions intensified, so too did suspected state-sponsored cyber threats. In one recent attack, email accounts that appear to have been compromised, belonging to Ukrainian armed service personnel, were used to target European government workers involved in managing the logistics of refugees fleeing Ukraine.

A similar threat, identified as originating from China, targeted European diplomatic entities using spoofed UN email addresses. This time, the group used web bugs to profile victims before sending various malware payloads via malicious URLs.

Both are indicative of modern hybrid warfare – and just like traditional warfare, collateral damage is to be expected. While the campaigns above targeted specific governmental organizations, many attacks during conflict are much broader.

It’s no secret that Russia has a strong history of nation-state cyber-attacks. We continue to monitor activity from a related APT group and have recently published a timeline on activity from the group we track as TA422, publicly known as APT28.

Then there is another type of attack to consider. One that is not launched as an act of war or in retaliation and not perpetrated by any nation-state. Instead, it is the work of the opportunist cyber-criminal, looking to take advantage of a time of high pressure, misinformation and disruption.

This threat is far more widespread and indiscriminate, hitting victims across various countries and industries and putting all of us in the firing line.

Cyber-Criminals – Ever the Opportunists

Cyber-criminals are not fussy when pinning their attacks to a significant event to increase their chances of success. With the pandemic barely underway in 2020, hundreds of COVID-19-related lures were detected, offering cures, vaccines and medical advice to panicked victims in search of answers. Of course, the malicious messaging offered none of the above, instead siphoning data, seizing systems and demanding ransoms.

We’re already seeing the same during this major global event. Cyber-criminals have launched phishing campaigns and crypto donation scams impersonating organizations, including the Ukrainian government, UNICEF and the Red Cross.

Advance fee fraud is another common tactic at times like these. In this instance, scammers may pretend to be a sanctioned Russian or a Ukrainian citizen struggling to access significant funds. The victim is asked to forward a fee to help unlock the funds. Once released, a portion of the proceeds is promised to the victim as a thank you for their help. Cyber-criminals are also using cryptocurrency-related lures to trick people into sending their donations to the threat actor, as opposed to the Ukrainian military.

Like the COVID-19-themed lures of two years ago, these attacks play on the victim’s emotions. Fatigued by the 24-hour news cycle and the looming concern of a European or even world war, many of us are looking for clear information or a way to help. Potential victims likely feel powerless, as if all they can do is sign a petition or send funds. They do so in good faith.

Unfortunately, there is no such faith on behalf of cyber-criminals. They are masters at manipulating these feelings for their ill-gotten gain. They won’t hesitate to leverage even the worst crises and conflicts to get what they want.

Building a Defense for Every Day

During the last major increase in theme-specific attacks, at the height of the pandemic, many organizations implemented COVID-19-specific security awareness training modules. Designed to help users spot common lures circulating at the time, they proved to be a success. Some 80% of organizations said that increased training reduced phishing susceptibility.

Security teams must do the same again now. We know that relevant, targeted and in-context security awareness training works. So, training should always be tailored to the current threats that users are likely to face.

However, cyber-criminals are relentless and indiscriminate. While they may up their efforts during times of disruption, they are attacking our people all year round. So, keeping them at bay requires a comprehensive, multi-layered defense at all times – not just when the risk is elevated.

From a technical point of view, at this time and throughout any ongoing global conflict, organizations must pay close attention to which threat actors could already have access to their data, and should be taking further, more aggressive and proactive security measures. Organizations must pay even closer attention to their logs and monitor their network traffic more stringently. Stricter management of third-party access to data is even more critical now, too.
