Canada's federal cyber security authority has been warning operators of critical infrastructure to harden their defences against cyber attacks stemming from the current conflict in Ukraine. Since the notice was issued in late February, we have seen the hazards alluded to by the Canadian Centre for Cyber Security (CCCS) increasingly crystallize.
For instance, we have already seen the first known attack on Canadian infrastructure—Rio Tinto's smelter in Quebec—by Russian cyber criminals, with the presumed intention of sending a message to countries supporting Ukraine. As the conflict drags on and western businesses are required to pick sides, they may find themselves singled out for retaliation by threat actors on both sides of the conflict.
Unsurprisingly, the bulk of reported cyber activities from Russia have been directed at Ukraine, with reports of attacks on government websites, a major internet provider, banks, and possibly even a satellite network. As of early March it was already estimated that cyber attack attempts on Ukraine had increased tenfold. However, with Russia now effectively cut off from SWIFT and facing unprecedented levels of sanctions and opprobrium, western governments are warning of imminent reprisals. Infrastructure targets, both public and private, are likely to be specifically targeted, including financial institutions and utilities.
For its part, the Ukrainian government has also enlisted private hackers to use their talents to attack Russian and Belarusian companies, banks and government organizations. Recruits from around the world are purportedly flocking to assist Ukraine in defensive and offensive cyber operations. Naturally, as Ukraine seeks allies around the world, its cyber activities have been confined to Russia and Belarus.
The threat to both critical infrastructure and private business more generally is not limited to attacks by the actual states in this dispute, or even their nation-state allies. Private third parties have intervened since the beginning of the conflict as well, creating an even less predictable and more dangerous state of affairs. We have seen, and expect to see more, activity from criminal organizations such as Conti, which publicly announced its support for the Russian government and threatened to target the critical infrastructure of anyone who was a threat to Russia. While Conti is effectively a profit-driven 'ransomware-as-a-service' (RaaS) operation with over 400 ransomware attacks in the United States and abroad, its reported connections to Russian intelligence and its public support for Vladimir Putin may lead it to target foreign organizations in campaigns sympathetic to Russian initiatives. Conti has not hesitated to attack Western infrastructure in the past, and recently took credit for shutting down an Australian electric utility.
Among those answering the call to retaliate against Russia are Anonymous, the mysterious hacktivist collective, and the Cyber Partisans, who collectively launched successful attacks against Russian banks and its state broadcaster, the Russian state space agency, and a Belarusian rail network used to move Russian troops into Ukraine. Additionally, on March 19, 2022, Anonymous put Western companies still doing business in Russia (many of which it called out by name) on notice that if they did not withdraw within 48 hours, they would become targets of the collective. Thus, even the hacktivists supporting Ukraine now pose a threat to western business.
The unprecedented alignment of state-initiated and 'private' organizations such as Conti means organizations of all types should be reviewing their cyber security readiness and response contingencies. There is also a strong likelihood that geopolitically-agnostic, profit-driven, criminal entities may take this as an opportunity to attack soft targets while the world's attention is fixed on the events in Ukraine.
The CCCS has provided a basic roadmap for organizations to prepare themselves for this new environment. While the bulletin focused on those responsible for critical infrastructure sectors (which include food and water supply, energy and utilities, government, information and communications, manufacturing, health, transportation and finance), all businesses and organizations should be mindful of the prescriptive advice the CCCS provided:
- Be prepared to isolate critical infrastructure components and services from the internet and corporate/internal networks if a hostile threat actor would consider those components attractive to disrupt. Test manual controls (if applicable) to ensure that critical functions remain operable if the organization's network is unavailable or untrusted.
- Increase organizational vigilance:
  - Monitor proprietary networks with a focus on the tactics, techniques, and procedures (TTPs) reported in the recent advisory from the American Cybersecurity & Infrastructure Security Agency (CISA).
  - Ensure that cyber security/IT personnel are focused on identifying and quickly assessing any unexpected or unusual network behaviour.
  - Enable logging in order to better investigate issues or events.
- Enhance your security posture:
  - Patch proprietary systems with a focus on the vulnerabilities in the recent CISA advisory.
  - Enable logging and backup.
  - Deploy network and endpoint monitoring (such as anti-virus software), and implement multifactor authentication where appropriate.
  - Create and test offline backups.
- Have a cyber incident response plan, a continuity of operations plan and a communications plan, and be prepared to use them.
- Inform the CCCS of suspicious or malicious cyber activity (the CCCS accepts such reports online).
IT personnel for these organizations should also be monitoring the CCCS' technical alerts, which identify specific technical threats being deployed against organizations in concert with the conflict.
This is not a cyberwar between two countries, but a multi-faceted conflict also involving digital vigilantes, operating beyond the control of nations, with (as the New York Times describes it) "no one in charge." This is a recipe for risk and unpredictability for companies worldwide, including Canada. Canadian businesses should monitor the situation carefully, take the precautionary measures recommended by the CCCS, and engage experts if they are unsure about their cyber security posture.
Should you have any questions or seek guidance on these developing issues, please reach out to the authors.