The ongoing conflict in Ukraine has resulted in a tremendous loss of life, and property, and caused massive upheavals in the global supply chain and economy. Few are aware, however, that the Russian government appears to have also conducted a systematic series of cyber-attacks alongside its military assault in Ukraine.
In recent weeks, many Ukrainian banks and government organizations have found themselves targeted by a series of cyber-attacks including DDoS attacks, disinformation campaigns, and wiper malware. U.S. and U.K. officials believe that at least one of these attacks resulted in the crash of four Ukrainian government department websites and was carried out by the GRU, the Russian military intelligence agency. Cyber experts fear that attacks of this kind could have a spillover effect on the network infrastructure of other countries, potentially escalating to a full-out cyberwar.
Remember the colonial pipeline ransomware attack that grabbed headlines last year in the US? That single attack had the entire East coast in a disarray with people fearing significant fuel shortages. It impacted critical infrastructure and civilian populations at a scale we had not witnessed before. It forced the federal government to step in and try to rescue a private corporation’s network from what appeared to be long-standing vulnerabilities that the hackers had exploited. While the US government continues to deny Russia's involvement in the attack, the group that claimed responsibility, Dark-side, was based in Russia. That attack was carried out by a few individuals at a private organization. It stands to reason that a specifically targeted state-sponsored cyber-attack could have an even more devastating impact.
While the Kremlin has maintained that it “has never conducted and does not conduct any ‘malicious’ operations in cyberspace”, Western governments have asked businesses to be on the alert for suspicious activities. An online conflict between Russia and the West seems very likely, even though experts differ on their opinions of how such a conflict will play out and its impact. Many point out that despite the rhetoric, most cyber-attacks that we have witnessed have largely been non-violent with no lasting damage. Russia initially seemed focused on laying claim to physical territory rather than damaging infrastructure or the economy through cyber-attacks. But that stance may be changing as Russia is repositioning the action in Ukraine as a broader conflict with the west in an attempt to bolster morale in the face of mounting losses.
Recently, researchers at cyber security organization Symantec have pointed out that the recent wiper malware attack that targeted Ukrainian organizations also impacted Ukrainian government contractors in Latvia and Lithuania. Such spillovers and collateral damage can impact global supply chains and other Western countries reliant on these service providers.
The intensely integrated nature of the global supply chain for both computer software and hardware makes attacks very easy to execute and difficult to trace. If any part of the chain is compromised (hackers love to target small suppliers), it can be very easy for hackers to insert ‘backdoors’ or malicious code into the software or make use of zero-day exploits in hardware attacks. As the Saudi Aramco attack in 2018 showed us, the Shamoon virus managed to lodge itself into the firmware level and all the infected systems had to be destroyed.
The most famous example of such a large-scale impact on hardware is the Maersk container systems that were impacted by the Russian malware NotPetya in 2017 (targeted at Ukraine). Although Maersk was not the primary target, the company ended up having to destroy all end-user systems including 49,000 laptops and lost 1000 of their 1200 enterprise applications even though they had backups. And therein lies the biggest danger for companies, especially those that run their core applications on cloud services (i.e., pretty much everyone).
The oligarchic nature of the cloud service providers makes it inevitable that their data centres may be targeted in an attack. And even though cloud service providers implement the best possible defensive measures in the industry and have backups for all client data, it can be meaningless if backups were compromised months in advance of an attack. Recovering from an attack can take an average of 22 days. This delay can become a real headache when critical public infrastructure and the lifeline of hundreds of thousands of businesses depend on the unerring uptime and availability of individual public clouds. The 2017 NotPetya attack ended up disabling radiation monitoring systems at Ukraine's Chernobyl power plant and taking down major public departments, banks, transport systems (metro), and a variety of state-owned enterprises.
To start with, companies need to be cognizant of the reality that if a nation-state wants to compromise public infrastructure, public clouds, and private organizations (especially in the case of indirect attacks), it will most likely succeed. The only thing that companies can do is to be prepared for such attacks and emergencies with rapid detection and response systems, updated systems, and establish quick vulnerability mitigation and security culture as a practice. Companies should invest in simulation exercises and cyber emergency drills, so people know how to respond to attacks. Companies also need to mitigate vulnerabilities in their supply chains and ensure that suppliers, contract manufacturers, and logistics service providers all adhere to minimum security standards and disaster recovery plans.
Most importantly, companies need to learn both the importance of backing up critical data and not relying solely on backups for protection.
Asigra TigrisTM can help companies safeguard not just their systems, but also their backups with the most advanced backup solution against ransomware attack loops. The bi-directional malware scanning, and AI and ML heuristic detection used by Tigris can help companies detect and block attacks at pre-execution before each backup and restore. Tigris also offers password-less authentication with deep MFA, soft deletes, and AES 256-bit data encryption. It meets a critical need for companies to simplify backup management with true agentless management. It also enables variable repository naming to prevent attackers from targeting a static target.
If your company needs a single scalable repository with central, multi-tenanted oversight, TigrisTM could be the solution you need to consistently match the most demanding RPO and RTO with granular recovery controls, and 'self-healing' capabilities to prevent backup pauses and corrupted files restoration, easy restoration validation and more. With automated backup management and recovery, Tigris enables companies to take advantage of the truly optimized recovery.