What Business Leaders Can Learn from Russia's Cyber Offensive Against Ukraine

Originally published by Google Cloud.

Written by Phil Venables, VP/CISO, Google Cloud.

Threat actors are taking tactics from Russia's cyber operations against Ukraine. Businesses and organizations should evaluate their countermeasures accordingly.

• A new Google report finds the offensive against Ukraine is “the first time that cyber operations have played such a prominent role in a world conflict."
• Russia’s tactics, techniques, and procedures that support their invasion of Ukraine are regularly used by other threat actors across the globe.
• Executive leaders need to understand these threats to be better positioned to help their organization reduce security risks.

Over the past year since Russia invaded Ukraine, we have observed a level of cyberattack operations in support of a real-world conflict unlike anything we have seen before. They have reached beyond the battlefield and have damaged organizations that are often not directly involved in the conflict.

Google’s Threat Analysis Group (TAG), along with the support of Mandiant and our Trust and Safety team, just published a report, entitled Fog of War, that takes a close look at some of Russia’s cyber operations against Ukraine. The report highlights three trends in particular, which are equally important for executive leaders to understand:

1. Russia is using destructive and disruptive cyberattacks to gain a wartime advantage.
2. Moscow is engaging in information operations to shape the perception of the war in Russia’s favor.
3. Eastern European cybercriminals are divided over political allegiances, affecting coordination and scale of cybercrime worldwide.

Russia’s focus has primarily been on making gains on the physical battlefield, but the large-scale operations occurring in cyberspace are noteworthy, and could even have impacts on companies and organizations globally.

As the report notes, there has been “a significant shift in various threat actor groups’ focus towards Ukraine, a dramatic increase in the use of destructive attacks on Ukrainian government, military and civilian infrastructure, a spike in spear-phishing activity targeting NATO countries, and an uptick in cyber operations designed to further multiple Russian objectives. For example, we’ve observed threat actors hack-and-leak sensitive information to further a specific narrative.”

The tactics, techniques, and procedures deployed by Russia in support of their invasion of Ukraine are regularly used by other threat actors targeting entities in many sectors and industries across the globe. Executive leaders who understand these threats are better positioned to help their organization reduce risk.

Here’s what leaders need to know to be ready for the threats discussed in our report.

Prepare to defend against destructive and disruptive attacks

The report shows increased use of destructive attacks on Ukrainian government, military, and civilian infrastructure. These types of attacks are aimed at shutting down systems and damaging data and other digital resources. The scale of these threats are a big part of the reason Google continues to provide vital cybersecurity and technical infrastructure support in Ukraine through our donation of Google Workspace licenses to the Ukrainian government, expanded eligibility for Project Shield, automatic increasing of user account security protection in the region, and security offerings such as threat intelligence and incident response services.

For many businesses and organizations, downtime is not an option. Distributed denial-of-service (DDoS) attacks are a classic disruptive attack that can force an entire organization offline. Ransomware can also be considered a disruptive and destructive threat, one that cybercriminals have used to extort organizations and for destruction of data. Attackers are known to use many other forms of malware to destroy data, eliminate evidence, and leave systems inoperable.

Leaders should encourage their security teams to take measures to defend against these attacks. Security teams can take pre-emptive actions including system and network hardening so their organization is better prepared to defend against these threats. One place you could start is this white paper, published by Mandiant, with extensive guidance on how to shore up security against destructive attacks. We also offer Linux hardening guidance, and DDoS protection recommendations.

Use threat intelligence to combat information operations

Russia is engaged in information operations primarily to undermine the Ukrainian government, fracture international support for Ukraine, and maintain domestic support within Russia, according to our report.

Russian threat actors often accomplish this by spreading targeted narratives, including disinformation, across multiple channels (such as social media) to manipulate people and influence real-world decisions. We often observe organizations being directly and indirectly affected by these types of campaigns. In some cases, this has led to reputational damage and caused businesses to lose customers.

"Tactics, techniques, and procedures deployed by Russia against Ukraine are regularly used by other threat actors targeting many sectors and industries. Executive leaders should understand these threats to help their organization reduce risk."

Accurate and timely threat intelligence can help organizations stay informed on where they stand in the confusing world of information operations, and how best to minimize business impacts when they are targeted by those attacks. Threat intelligence can be one of the best tools for understanding the threats that matter most to your organization, but many organizations struggle with how to adjust their security posture to incorporate threat intelligence.

Applying intelligence throughout the organization is considered by many security leaders to be a big challenge, according to our Perspectives on Threat Intelligence report published on Feb. 13. Partnering with a trusted threat intelligence provider is one way to help ensure you’re making the most of your threat intelligence.

Be ready for ransomware, extortion, and other financially motivated attacks

Our Fog of War report highlights various activities occurring in the Eastern European cybercrime ecosystem that could have a downstream impact on financially-motivated cyberattacks worldwide. Importantly, threat actors are divided by political allegiances and geopolitics, and some have shut down operations altogether. Threat actors’ tactics, techniques, and procedures continue to change rapidly, meaning security teams need to be ready to adapt to new threats as they emerge.

Ransomware and extortion are still top global threats, and threat actors are not expected to change their goal of profiting from this illicit activity. Cybercriminals know that organizations can be extorted to recover from high-impact ransomware attacks, and will go after high-value data and systems.

Executive leaders can help prioritize and identify an organization’s most valuable assets. Backups are key so that systems can be restored in the event data and files are encrypted or destroyed. Using threat intelligence and tools that detect indicators of compromise can help identify the activity that typically precedes ransomware deployment, and having risk mitigation strategies in place can help reduce impact or prevent compromise.

Actions you can guide your security teams towards include endpoint hardening (such as firewall protections), proper management of credentials (such as identity and access tools), and recovery planning. If possible, make it a requirement to regularly test your ability to prevent, detect, and respond to threats with a ransomware defense assessment.

Stay vigilant against phishing

Phishing is one of the most common tricks that attackers use to get into an organization, and phishing is a crucial tool for Russian cyber operations. Threat actors will put a lot of thought into their phishing emails, and often use personal information gleaned from social media and other social engineering to deceive their targets.

Organizations should have phishing awareness training and encourage employees to report suspicious emails. Security conscious organizations will tend to use services such as Google Accounts that have multiple layers of protection, including two-factor authentication keys, which can help stop suspicious emails from reaching inboxes. Web browsers including Chrome offer safe browsing features and enterprise security integrations that can help protect against malicious websites and phishing emails.

To better protect your organization, stay on top of the evolving threat landscape

The steps an organization takes immediately after discovering a breach can have a meaningful impact on remediation, so regularly testing your organization’s ability to respond to a breach is essential.

Red teams test an organization’s defenses using relevant, real-world attacks, and tabletop exercises ensure all involved parties know how to best support their organization’s response to security incidents. If possible, consider having an incident response retainer. And remember, it’s not just technical teams that need to be ready to act: Incident response preparations should include the chief information security officer, executive leadership, public relations and corporate communications, and general counsel.

Our report shows how cyber operations can have a profound effect on real-world conflict, with direct and indirect impacts to governments, businesses, and other entities around the globe. Malicious cyber activity will only ramp up in the coming years, so we all must be ready to prevent, detect, and respond.