Cyber-attacks have played an increasingly significant role in the tense relationship between Russia and Ukraine since the collapse of the Soviet Union. In the last decade particularly, cyber-attacks have targeted Ukrainian infrastructure including state institutions, government websites and power grids. A ‘cyber conflict’ has been bubbling between the two states for years and since the conflict has majorly escalated in 2022, the number of notable cyber-attacks has steeply risen. Following the reported cyber-attacks taking place towards Ukraine from 2013 onwards, multiple malware attacks and distributed denial of service (DDoS) incidents have hit Ukraine this year, although Russia generally denies involvement. In particular, malware packages WhisperGate, HermeticWipe and IsaacWiper have been used to disrupt organisations in Ukraine.

Prominent attacks on Ukrainian infrastructure allegedly began with a 2013 operation, followed by incidents including the compromise of the primary servers of the Central Election Commission. The attack on Ukraine’s election system has been claimed by CyberBerkut. Attackers also successfully ‘hacked’ Ukrainian power grids in December 2015 and 2016. This was followed by a vast supply chain attack using Petya malware. Following the breakdown of negotiations about Ukraine’s prospective membership in NATO, cyber-attacks on Ukrainian government websites and banks dramatically increased. Whilst it is common to see in the news that these attacks are by the Russian Government, it is important to keep that it is tricky to say for certain if an attack has come from a state actor.

It is reported that Ukraine has previously responded to alleged Russian cyber-attacks. In May 2016 websites belonging to the Donetsk People’s Republic were attacked. This was followed by the ‘Surkov Leaks’, allegedly carried out by Ukrainian group CyberHunta. Since the conflict between Russia and Ukraine has escalated in 2022, reportedly thousands have joined the Ukrainian ‘IT Army’, which allegedly aims to launch counterattacks towards Russia.

Cyber is undoubtedly a key component of the conflict between Russia and Ukraine and will continue to play a role in both countries’ strategies moving forward. Since the conflict escalated in 2022, the cyber threat landscape has changed. The effects of cyber-attacks towards Ukrainian organisations have spilled across to other states through business partnerships and supply chains. Although we are hearing a lot more about cyber attacks in the media than we usually do, currently there is a lack of evidence to suggest there are specific threats to UK organisations in relation to the situation in Ukraine. Positively, the tech and cyber community has really come together to offer resources and knowledge to deal with malware and share remediation steps to limit the damage. From individual researchers to corporations such as Microsoft, the community is providing support wherever possible.

Interestingly, the large role that cyber is playing in the conflict between Russia and Ukraine means that non-state actors are becoming significant stakeholders. As mentioned briefly above, independent ‘hacking groups’ (who may or may not be affiliated with a nation-state) are responsible for a lot of substantial attacks that are disrupting valuable websites and infrastructure.

Perhaps the most notable group to get involved in the conflict is Anonymous. Originating in 2003, the group of ‘hacktivists’ tend to act as the ‘robin hoods’ of the internet, conducting newsworthy cyber-attacks against governments, international institutions and corporations. As a group, their actions are intended to combat oppression from ‘the powers that be’. Previously members of the group have shown support for causes such as the Occupy movement and Wikileaks. Following Russia’s invasion of Ukraine, in February 2022 Twitter accounts linked to the Anonymous group claimed that they had successfully attacked Russian TV channels and had broadcasted war footage from Ukraine. It is also claimed that the group was able to broadcast the infamous ‘troll face’ meme on Russian military radio networks. It should be noted that when it comes to hacktivist groups, it is almost impossible to completely validate exactly what has taken place due to the way that they operate.  

Should businesses be worried about cyber-attacks?

Naturally, businesses are concerned about the situation in Ukraine and the effect that a heightened threat landscape could have on them. Our advice is not to panic. Whilst it is true that there has been a steep increase in cyber-attacks between Russia and Ukraine this year, currently, there is very little data to support the perception that UK businesses are experiencing increased cyber incidents. The National Cyber Security Centre (NCSC) has informed that it hasn’t yet seen evidence of the UK being targeted as a result of the conflict in Ukraine. Moreover, our Security Operations Centre (SOC) which monitors our clients’ systems for potential security incidents, has actually seen a decrease in attacks originating from locations within Russia. Although there isn’t enough data to assume that UK businesses will suffer more attacks, given the heightened global threat, we do advise that businesses take measures to ensure their cyber security posture is as strong as possible.

What steps can businesses take to strengthen their cyber security posture?

There are several measures that businesses can take to secure their infrastructure as much as possible. In this specific situation, you should start by assessing if you have people at risk. You can then move on to assessing if you have any business partners, operations or supply chains that may be disrupted. The following action points would also be beneficial to your business:

• Now would be a good time to review your risk assessment and make any necessary adjustments. Once you have identified and understood the risks that your business faces, you are better prepared to protect your systems and data.  

• Be extra vigilant when looking out for phishing attacks. The majority of successful attacks start with a phishing campaign, and it only takes one user to give a malicious actor access to your systems. Make sure to train your users on how to spot and report phishing emails by running regular simulations.

• Make sure your operating systems, software and applications are all running the latest version available. This can be easily managed by ensuring that you have a robust patching policy.

• Make sure all critical data is securely backed up. It’s beneficial to have a separate backup that is stored in a different location.

• Make sure you understand the terms and conditions of your cyber insurance. Most cyber insurance policies do not cover attacks that are considered ‘acts of war’. Confirming where a cyber attack has come from is difficult, meaning it is possible you could find yourself in a situation where your insurance provider will not payout. The Mondelez/Zurich case is a prime example of this happening. Be sure to account for this in your approach to disaster recovery.

• Ensure that you have a clear procedure for staff to follow so that they can quickly report any suspected compromised accounts or breaches.

• Review your disaster recovery and business continuity policies, make sure everything is up to date so that your processes work in an emergency.

  
  If you do feel concerned about anything that you feel could leave your business vulnerable to a cyber-attack, please feel free to get in touch with Wolfberry.

If you need further advice on how to protect your business from malware, please read our tips here: Protecting Against Malware — WOLFBERRY (wolfberrycs.com)

If you are hit with a ransomware attack and you need help, please contact us. We will step in and help as much as possible; from attempting to recover vital data, to reporting the incident in a timely manner to the Information Commissioners Office (ICO). As we don’t believe in kicking someone when they’re down, this service is completely free of charge, regardless of if you are an existing client of ours or not: SurvivingRansomWare

The NCSC has published useful guidance on what do you when cyber threat is heightened: Actions to take when the cyber threat is heightened - NCSC.GOV.UK

Microsoft has issued recommended customer actions to mitigate WhisperGate malware attacks: Destructive malware targeting Ukrainian organizations - Microsoft Security Blog