The ongoing Russian invasion of Ukraine has shifted priorities across the global cyberattack surface. Experts are calling for renewed cybersecurity strategies at the national, sector, and organizational levels. North America, as the focal point of global capital and a declared adversary of the attacker, is where this need is most pressing, and everyone is asking what kinds of cyberattacks the war might bring to the region. In this article, we discuss the potential cybersecurity risks to North America, along with their causes and consequences.
Before the war, there was a degree of global collaboration, or at least a shared understanding, on preventing ransomware attacks against critical infrastructure. In response to the crippling attack on the Colonial Pipeline in May 2021, the US brought many like-minded countries together to go after the threat actors. The servers belonging to the REvil ransomware gang went offline on 21 October 2021; REvil was being held responsible for the attacks. VMware head of cybersecurity strategy Tom Kellermann said, “The FBI, in conjunction with Cyber Command, the Secret Service, and like-minded countries, has truly engaged in significant disruptive actions against these groups, REvil was top of the list” (1). Later, several individuals were arrested in Romania and in Russia. Russia’s domestic intelligence service, the FSB, released footage of its operation and said the group had “ceased to exist.”
These developments raised hopes of further collaboration between Western countries and Russia, which had for years denied accusations of harboring ransomware gangs that attack Western targets. However, Russia then attacked Ukraine on many fronts, including cyberspace. Western countries are now preparing for potential attacks from Russia-harbored ransomware gangs and state-aligned threat actors.
Cyber Gangs Choosing Sides
One development that no one saw coming was ransomware gangs and other threat actors openly choosing sides. Ransomware gangs had generally been assumed to be interested only in money, with intrusion merely a means to that end. However, the Conti ransomware group announced its support for Russia and threatened “retaliatory measures” if cyberattacks were launched against Russia (2). In response to this warning, a Ukrainian security researcher leaked around 60K of the group’s internal chat messages, along with source code and other files used by the group. Other ransomware gangs and members of the hacktivist collective Anonymous also announced their involvement in the conflict. Most of these new entrants took Ukraine’s side: Russian government and banking websites were defaced, and data from Russian ministries was leaked (3).
A newer threat actor, an extortion gang rather than a ransomware operation, has breached many companies, including some of the world’s largest technology firms such as Microsoft, Samsung, and Okta. The gang, known as Lapsus$, then dumped the stolen source code across the internet. Its trademark is going after the biggest, most visible target it can find, breaching it, and then bragging about the breach to extort money. Although researchers initially assumed it was another ransomware group, Lapsus$ does not encrypt the victim’s data. It shares pieces of the breached data and demands payment, threatening to dump everything if its demands are not met.
So far, the most dangerous and impactful of the gang’s breaches is that of the identity and access management provider Okta. Lapsus$ shared screenshots showing access to multiple company systems. Because Okta’s platform is used to secure thousands of organizations, the breach raised serious concerns far beyond Okta itself. Okta confirmed that it was compromised and stated that “approximately 2.5%” of its customers (more than 350 companies) had been affected.
What to Expect in North America?
The US and Canadian governments and many public agencies had issued warnings about Russian-backed cyber threat activity even before the conflict in Eastern Europe (4, 5). In a recent announcement, the White House published a fact sheet advising companies to mandate multi-factor authentication on their IT systems to make it harder for attackers to gain a foothold.
In light of previous cyberattacks, it is possible to estimate what kinds of attack could occur.
1. DDoS Attacks
DDoS attacks are a widespread weapon against government and commerce websites: the targeted sites are flooded with traffic until they stop responding to legitimate users. In the current conflict, both sides have used DDoS attacks to disrupt each other’s government and banking websites. In 2007, Estonia was hit by repeated DDoS attacks that disrupted government communications and the services of many businesses, including financial institutions.
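The first signal of an HTTP flood is usually a source sending far more requests per unit time than any real client would. The following is an added example, not code from the original article or from SOCRadar: a sliding-window request-rate detector run over a constructed web-server access log (the IP addresses, timestamps, and the 100-requests-per-10-seconds threshold are all assumptions for illustration; a real deployment would tune the threshold to its own baseline and correlate across many sources, since volumetric DDoS comes from thousands of IPs at once).

```python
"""Sliding-window request-rate detector over web-server access logs.

Added example, not part of the original article. Flags source IPs whose
request count within a short window exceeds a threshold, the simplest
indicator of an HTTP flood. The log lines are constructed, not captured.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined/common log format: ip ident user [timestamp] "request" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)$')


def parse_line(line):
    """Return (ip, timestamp, request, status) or None if the line does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ip, ts, req, status, _ = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), req, int(status)


def detect_floods(lines, window=timedelta(seconds=10), threshold=100):
    """Per-source sliding window: returns {ip: peak requests seen in any window}
    for every IP whose peak exceeds `threshold`. Lines must be in time order."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peak = defaultdict(int)       # ip -> largest window count observed
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:        # skip malformed lines instead of crashing
            continue
        ip, ts, _, _ = parsed
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # evict requests older than the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n > threshold}


def constructed_log():
    """Constructed log (assumed data): one browsing client and one flooding source."""
    base = datetime(2022, 3, 10, 12, 0, 0, tzinfo=timezone.utc)
    events = []
    for i in range(30):          # 198.51.100.7: one request every 2 s for a minute
        events.append((base + timedelta(seconds=2 * i), "198.51.100.7", "GET /news HTTP/1.1", 200))
    for i in range(200):         # 203.0.113.9: 20 requests/s for 10 s starting at +20 s
        events.append((base + timedelta(seconds=20, milliseconds=50 * i), "203.0.113.9", "GET /login HTTP/1.1", 200))
    events.sort(key=lambda e: e[0])
    lines = [f'{ip} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S %z")}] "{req}" {st} 512'
             for ts, ip, req, st in events]
    lines.insert(5, "garbage line that does not parse")   # exercises the skip path
    return lines


if __name__ == "__main__":
    for ip, n in detect_floods(constructed_log()).items():
        print(f"flood suspect {ip}: {n} requests inside a 10 s window")
```

With the default threshold only 203.0.113.9 is reported (200 requests in the window); the legitimate client never exceeds 6 requests in any 10-second span. Output of this detector is a candidate list for rate limiting or upstream filtering, not a verdict on its own.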
2. Attacking Critical Infrastructure
In 2021, the ransomware attack on the Colonial Pipeline caused fuel shortages across much of the US East Coast. In the 2015 cyberattack on Ukraine’s power grid, the grid operators were compromised and lost access to their own control systems, and more than 200K households lost electricity. Cyberattacks against critical infrastructure can therefore cause widespread confusion and damage commerce, hospitals, and government institutions alike.
3. Cyber Espionage
Cyber espionage collects data for many purposes, from gauging the reaction to a particular event to gathering critical political and military information. In past years, Russian, Indian, and Iranian hackers have run many phishing campaigns to gain access to such information.
How to Prevent Risks?
There are general guidelines for improving your company’s security posture and minimizing its attack surface. If you are not already doing so, structure your security program around a framework such as the NIST Cybersecurity Framework, and use MITRE ATT&CK to map adversary tactics and techniques to your detections and controls.
Several precautions can be taken to protect your network. You might want to consider the following recommendations:
1. Keeping Track of the Vulnerabilities of Digital Assets
Threat actors exploit significant known vulnerabilities and, sometimes, 0-days. SOCRadar discovers almost all of your digital assets and their vulnerabilities: its External Attack Surface Mapper tracks your assets, the software versions installed on them, and the vulnerabilities affecting those versions, so that exposed software can be patched before it is exploited.
2. Phishing Control
Social engineering and phishing are still the most common initial access vectors for cyberattacks. In addition to training employees not to click untrusted links or open email attachments without verifying them, SOCRadar can discover impersonating and typosquatting domains used in phishing campaigns against your customers and employees.
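Lookalike domains fall into a handful of recognizable classes: single-character typos, homoglyph substitutions (rn for m, 1 for l), the brand name combined with extra words, the brand in a different TLD, and the brand name placed in a subdomain of an unrelated zone. The following is an added example, not code from the original article or from SOCRadar: a classifier that assigns each newly observed domain to one of those classes against a brand domain. The brand `examplebank.com`, the candidate domains, the homoglyph table, and the edit-distance cutoff of 1 are all assumptions for illustration; the `registrable_label` helper is hypothetical and does not handle multi-part public suffixes such as `.co.uk`.

```python
"""Lookalike-domain classifier for phishing and typosquatting detection.

Added example, not part of the original article. Classifies candidate
domains (e.g. from certificate-transparency logs or new-registration
feeds) against a brand domain. All sample domains are constructed.
"""

# Visually confusable substitutions, mapped toward the glyph an attacker imitates.
# Assumed, minimal table; multi-character keys are applied first.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "5": "s"}


def normalize(label):
    """Collapse homoglyphs and hyphens so 'exarnp1e-bank' compares as 'examplebank'."""
    out = label.lower()
    for src, dst in HOMOGLYPHS.items():
        out = out.replace(src, dst)
    return out.replace("-", "")


def levenshtein(a, b):
    """Edit distance with a single rolling row (O(len(b)) memory)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain):
    """Second-level label, e.g. 'examplebank' for 'login.examplebank.com'.
    Hypothetical helper: assumes a single-label public suffix (.com, .net)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(candidate, brand_domain, max_distance=1):
    """Return the lookalike class for `candidate`, or None if it is not suspicious."""
    candidate = candidate.lower().rstrip(".")
    brand_domain = brand_domain.lower()
    brand_label = registrable_label(brand_domain)
    parts = candidate.split(".")
    label = registrable_label(candidate)
    if candidate == brand_domain or candidate.endswith("." + brand_domain):
        return None                                  # inside our own zone
    if label == brand_label:
        return "tld-squat"                           # examplebank.net
    if normalize(label) == brand_label:
        return "homoglyph"                           # exarnplebank.com, examp1ebank.com
    if levenshtein(label, brand_label) <= max_distance:
        return "typo"                                # examplbank.com
    if brand_label in label:
        return "combosquat"                          # examplebank-login.com
    if brand_label in parts[:-2]:
        return "subdomain-abuse"                     # examplebank.com.evil.net
    return None


def scan(candidates, brand_domain):
    """Map each suspicious candidate to its class; clean domains are omitted."""
    results = {}
    for domain in candidates:
        verdict = classify(domain, brand_domain)
        if verdict:
            results[domain] = verdict
    return results


# Constructed feed of newly observed domains (assumed data).
CANDIDATES = [
    "mail.examplebank.com", "examplebank.net", "exarnplebank.com", "examp1ebank.com",
    "examplbank.com", "examplebank-login.com", "examplebank.com.evil.net", "unrelated.org",
]

if __name__ == "__main__":
    for domain, verdict in scan(CANDIDATES, "examplebank.com").items():
        print(f"{domain:28} {verdict}")
```

The checks are ordered from most to least specific so a domain gets the tightest label that fits; a hit in any class is a reason to register the domain in your brand-protection monitoring and, where it serves a live phishing page, to file a takedown.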
3. Identifying and Monitoring Threat Actors
Many organized threat actors, such as APT groups, have signature tactics, techniques, and procedures (TTPs), and some focus on specific regions and industries. Constant monitoring of the threat landscape and of the actors targeting your sector strengthens your cybersecurity posture. SOCRadar’s threat intelligence feeds, IOCs, and IOAs provide the proactive readiness you need.
4. Dark Web and Deep Web Awareness
Threat actors sometimes get into systems by purchasing credentials, other sensitive data, or intelligence on dark and deep web forums and chat channels. SOCRadar monitors these channels and raises alarms and incidents for anything related to your business.
In addition to these steps, you can use the methods below:
- Enforce strict identity and access management policies, including multi-factor authentication (MFA) and one-time-password (OTP) technologies for all employees.
- Maintain backup policies and practices. Keep multiple recent copies (preferably at least one offline) of your critical data and of the settings and configurations of your security devices.
With SOCRadar® Free Edition, you’ll be able to:
- Discover your unknown hacker-exposed assets
- Check whether your IP addresses are tagged as malicious
- Monitor your domain name on hacked websites and phishing databases
- Get notified when a critical zero-day vulnerability is disclosed
Free for 12 months for one corporate domain and 100 auto-discovered digital assets.