Russia and Ukraine - how cyberwarfare changes the conflict

How cyberwarfare changes the conflict between Russia and Ukraine

The conflict between Russia and Ukraine raises an important cybersecurity issue.

For a month, Ukraine has been under attack by Russia, without any forecast of a ceasefire or an agreement between the parties. Meanwhile, several countries have applied sanctions against Russia, companies have stopped operating in the country in retaliation, and hacktivist groups that do not support the Russian actions led by Putin are trying, in various ways, to retaliate against the country and the companies that still have businesses operating there.

What is hacktivism?
Hacktivism is a combination of two words, Hack and Activism. It is the act of using hacking skills with political, social, and/or ideological motivations to hack into systems, leak confidential information, or hack into the websites of companies that are targets of a group or individual's movements or causes. Common targets of hacktivist groups are government agencies, multinational corporations, or any other entity or person of power perceived as bad, wrong, or unjust. 
Most hacktivist groups want to remain anonymous. Some of them are globally recognized and operate under a collective name, such as the groups Cult of the Dead Cow, Anonymous, WikiLeaks, LulzSec, DkD[|| and Syrian Electronic Army.

Russia and Ukraine - hybrid war

When we think of war, we immediately imagine tanks, planes dropping bombs, and soldiers rushing into combat. In hybrid warfare, a new component becomes part of the combat: the coordinated cyber attack.

Cyber warfare attacks the critical infrastructure of a nation and all those who do not oppose the attacker, the targets being computers or information networks that, when attacked, disrupt the flow of information or communication.

In the current war, one segment is the retaliation of hacktivist groups against companies still operating in the invading country. The group Anonymous stands out in this scenario, sharing campaigns against these companies on its various social network accounts. Many people around the world have joined the movement and published lists of organizations they threaten to attack. The aim is to disrupt services and leak confidential data, among other methods.

Figure 1: Screenshot of a Twitter account maintained by the Anonymous group threatening companies that maintain operations in Russia
Figure 2: Group of some companies threatened by Anonymous
Figure 3: Anonymous group recruiting hacktivists from around the world to fight on behalf of Ukraine

ANONYMOUS

Anonymous operates in two distinct ways. The most common technique in their attacks is DDoS, Distributed Denial of Service (MITRE - T1499.002). In practice, this means that Anonymous compromises many devices around the world to build a botnet and, once it controls a considerable number of "zombie devices", directs an extremely high volume of traffic at the target platform with the aim of taking it offline, thus causing a denial of service, since users will no longer be able to reach that resource. For example, in the case of Minnesota, the local police website was taken down by this very technique.
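The paragraph above describes the effect of a flood from many "zombie devices". As an added example (not code from the original article), the Python below shows the defender's side: it parses constructed web server access log lines in common log format, buckets requests into fixed time windows and alerts on the aggregate rate, because with a distributed attack no single source need look abnormal. The log lines and thresholds are constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# One "common log format" line: client ip, ident, user, [timestamp], "request", status, size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (client_ip, aware datetime, request, status) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, request, status, _size = m.groups()
    return ip, datetime.strptime(ts, TS_FMT), request, int(status)

def find_floods(lines, window=10, total_threshold=20, top_n=3):
    """Bucket requests into fixed windows of `window` seconds and flag each window whose
    total count reaches `total_threshold`. The alert is keyed on the aggregate rate, not on
    any single source; distinct-source count and busiest sources are reported for triage."""
    buckets = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash mid-incident
        ip, ts, _request, _status = rec
        start = int(ts.timestamp()) // window * window
        buckets[start][ip] += 1
    alerts = []
    for start in sorted(buckets):
        counts = buckets[start]
        total = sum(counts.values())
        if total >= total_threshold:
            alerts.append({
                "window_start": datetime.fromtimestamp(start, tz=timezone.utc).isoformat(),
                "total": total,
                "distinct_sources": len(counts),
                "top_sources": counts.most_common(top_n),
            })
    return alerts

def constructed_log():
    """Constructed sample, not real traffic: five ordinary requests spread over 40 s,
    then a 40-request burst from 8 addresses in the 203.0.113.0/24 documentation range."""
    def line(ip, sec, path="/"):
        return f'{ip} - - [10/Mar/2022:12:{sec // 60:02d}:{sec % 60:02d} +0000] "GET {path} HTTP/1.1" 200 512'
    lines = [line("198.51.100.7", 10 * s, "/index.html") for s in range(5)]   # 12:00:00 .. 12:00:40
    lines += [line(f"203.0.113.{i % 8 + 1}", 60 + i % 10) for i in range(40)]  # 12:01:00 .. 12:01:09
    return lines
```

On the constructed sample only the 12:01:00 window fires, with 40 requests from 8 distinct sources of 5 requests each; the threshold should be tuned to the site's normal peak rate before use.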

Another move of the activists is to leak information from their targets (MITRE - TA0010). They take advantage of known vulnerabilities, exploit the security flaw, and move laterally (MITRE - TA0008) through the victim's network in order to locate an asset that contains sensitive data, so that they can accomplish their tactical objective.

Anonymous uses the Internet to recruit and train new members, passively reconnoiter potential targets, and exploit vulnerabilities found in systems exposed to the Internet, after which it again denies access to resources. In addition, it is now commonly known to alter the information that organizations present on their websites, a technique known as Defacement (MITRE - T1491). Finally, after announcing that their objectives have been completed, they publish the confidential information they obtained.

Despite the scant publication of the forensic artifacts left behind by Anonymous, its success in executing its operations and gaining media attention to date indicates that the group is capable of high-complexity incidents, and because of these characteristics we can assume the involvement of sophisticated threats, commonly called "Advanced Persistent Threats" (APT) (APT Group Catalog by MITRE).

These are threats with almost unlimited resources, because they are assumed to have the backing of their nation, and they are usually catalogued as nation-state threats. Because they have resources on this scale, they can spend months or even years persistently planning an attack until they achieve their goals.

Anonymous and its associated groups pride themselves on being "social media" savvy and routinely use forums such as Twitter, Facebook, and public web pages to announce intended targets, report results of ongoing attacks, and post files stolen from victims' networks. These announcements offer those charged with defending their organizations the opportunity to proactively supplement their defenses and raise awareness among managers, employees, and partners. For example, a significant amount of reconnaissance (MITRE - TA0043) is observed prior to the actual exploitation. It is therefore recommended that public and private sector entities follow the same steps an adversary would take in order to determine the extent of the attack surface available to that adversary.

When using Twitter as a source of information, some hashtags are recommended:

  • #OpRussia
  • #FreeUkraine
  • #Anonymous
  • #StopFundingRussia
  • #PullOutOfRussia
  • #StandWithUkraine
  • #UkraineRussianWar
  • #BloodyTrade

Conclusions

Regardless of wars or political situations that trigger cyber attacks, it is of utmost importance for organizations to be aware of their respective attack surfaces. Being aware of their perimeter, their potential vulnerabilities, and their exposure of data and information assists in a fundamental way in building action plans to mitigate any possible failure. In addition, incident response and disaster recovery plans must be constantly tested and must be up to date, in case of any unmitigated incident detected in the infrastructure.

Given the current scenario, it is recommended that companies with relationships and business in Russia redouble their attention to their infrastructure. It is possible that retaliations will be made, so being protected in a critical moment like this is fundamental.

The following recommendations are an important addition in combating possible attacks, and the lessons learned from previous incidents that have occurred globally should also be taken into consideration.

Recommendations

1. Keep encrypted, offline data backups and test them frequently. Backup procedures should be performed regularly. It is important that they are kept offline, as many ransomware variants try to locate and delete or encrypt accessible backups.

2. Create, maintain, and execute a basic cyber incident response plan, a recovery plan, and an associated communications plan:

  • The cyber incident response plan should include response and notification procedures for ransomware incidents. We recommend the CISA and Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide for more details on creating a cyber incident response plan.
  • The recovery plan should address how to operate if you lose access to or control of critical functions. CISA offers no-cost, non-technical cyber resilience assessments to help organizations assess their operational resilience and cybersecurity practices.

3. Mitigate vulnerabilities and misconfigurations of Internet-facing services to reduce the risk of actors exploiting this attack surface:

  • Employ best practices for using Remote Desktop Protocol (RDP) and other remote desktop services. Threat actors often gain initial access to a network through exposed and poorly secured remote services and later propagate the ransomware;
  • Audit the network for systems using RDP, close unused RDP ports, apply account locks after a specified number of attempts, apply multi-factor authentication (MFA), and log RDP login attempts;
  • Perform regular vulnerability scans to identify and address vulnerabilities, especially those in Internet-facing devices. CISA offers a variety of free cyber hygiene services, including vulnerability scanning, to help critical infrastructure organizations assess, identify and reduce their exposure to cyber threats such as ransomware. By taking advantage of these services, organizations of any size will receive recommendations on ways to reduce their risk and mitigate attack vectors;
  • Update software, including operating systems, applications and firmware, in a timely manner. Prioritize timely remediation of critical vulnerabilities and vulnerabilities in Internet-facing servers - as well as Internet data processing software, web browsers, browser plug-ins, and document readers. If rapid remediation is not feasible, implement vendor-provided mitigations;
  • Make sure that the devices are configured correctly and security features are enabled; for example, disable ports and protocols that are not being used for a business purpose;
  • Disable or block the incoming and outgoing Server Message Block (SMB) protocol and remove or disable outdated SMB versions.
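Item 3 asks for an RDP audit, account lockout after a number of attempts, and logging of RDP login attempts. As an added example (not from the original article), the Python below applies that audit to constructed records modelled on Windows Security Event ID 4625 (failed logon) with logon type 10 (RemoteInteractive, i.e. RDP), flagging any source that exceeds the failure threshold inside a sliding window. The flat dict layout, the sample events and the thresholds are assumptions; real events are XML with many more fields.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RDP = 10            # LogonType 10 = RemoteInteractive, i.e. a Remote Desktop session
FAILED_LOGON = 4625 # Security Event ID: an account failed to log on

def record(ts, logon_type, user, src_ip, event_id=FAILED_LOGON):
    """Simplified dict modelled on a Windows Security event (assumed layout, not native XML)."""
    return {"time": ts.isoformat(), "event_id": event_id, "logon_type": logon_type,
            "user": user, "src_ip": src_ip}

def find_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag each source IP that accumulates `threshold` failed RDP logons within any sliding
    window of length `window`. Returns {src_ip: {"failures": total, "accounts": [...]}} so the
    analyst sees both the volume and which accounts were tried (spraying rotates them)."""
    by_src = defaultdict(list)
    for e in events:
        if e["event_id"] == FAILED_LOGON and e["logon_type"] == RDP:
            by_src[e["src_ip"]].append(e)
    flagged = {}
    for src, evs in by_src.items():
        times = sorted(datetime.fromisoformat(e["time"]) for e in evs)
        lo = 0
        for hi in range(len(times)):
            while times[hi] - times[lo] > window:   # slide the left edge of the window forward
                lo += 1
            if hi - lo + 1 >= threshold:
                flagged[src] = {"failures": len(evs),
                                "accounts": sorted({e["user"] for e in evs})}
                break
    return flagged

def constructed_events():
    """Constructed sample, not real logs: one source hammering RDP with rotating usernames,
    one user mistyping a password twice, SMB (logon type 3) failures this check ignores, and
    a successful logon (4624) that must not count."""
    base = datetime(2022, 3, 10, 8, 0, 0)
    names = ["admin", "administrator", "backup"]
    ev = [record(base + timedelta(seconds=15 * i), RDP, names[i % 3], "203.0.113.5") for i in range(8)]
    ev += [record(base + timedelta(minutes=10 * i), RDP, "jdoe", "198.51.100.20") for i in range(2)]
    ev += [record(base + timedelta(seconds=5 * i), 3, "svc-backup", "203.0.113.9") for i in range(6)]
    ev.append(record(base + timedelta(minutes=11), RDP, "jdoe", "198.51.100.20", event_id=4624))
    return ev
```

The threshold and window should mirror the account lockout policy the item recommends, so that a flagged source corresponds to a lockout that should already have been applied.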

4. Reduce the risk of phishing e-mails reaching end users:

  • Enabling spam filters;
  • Implementing a cybersecurity user awareness and training program that includes guidance on how to identify and report suspicious activity (e.g., phishing) or incidents.

5. Use the best available cybersecurity practices:

  • Make sure all anti-virus, anti-malware and signature software is up-to-date;
  • Implement application allowlisting;
  • Ensure that user accounts and privileges are limited through account usage policies, user account control and privileged account management;
  • Employ MFA for as many services as possible, especially for webmail, virtual private networks (VPNs), and accounts that access critical systems.

References

  1. MITRE ATT&CK
  2. Twitter
  3. Check Point
  4. Norton
