Are Russian cyber-attacks inevitable?

With the Russian invasion of Ukraine still ongoing, how big a security threat is this to the UK and how can businesses help protect themselves from potential cyber-attacks?

Russia’s cyber-attack past

Cyberwarfare carried out by Russia likely goes as far back as the 1990’s – most notably during the Second Chechen War. Although Cyberwarfare around that time consisted mostly of spreading misinformation to help manage its domestic populace and influence rival states.

As the 21st century advanced, the more technical developments there were and therefore the more varied types of cyber-attacks that were carried out; attacks more common nowadays such as denial of service attacks, man-in-the-middle attacks, password hacks and zero-day exploits.

Examples of such attacks include:

• Estonia (2007) – Russia initiated a distributed denial of service (DDoS) attack on Estonia’s government offices and financial institutions in response to the Baltic nation planning to move a Russian WWII memorial.
• Georgia (2009) – Russian hackers shut down Facebook and Twitter in Georgia to commemorate the first anniversary of the Russian invasion.
• Ukraine (2014) – Prior to Ukraine’s presidential election, a Russia-based hacking group tried to sabotage and influence the country’s election commission. Fortunately, Ukrainian computer experts were able to prevent this from happening.
• USA (2015-2016) – Hackers from Russia gained access to Democratic officials’ emails and spread the information to media outlets. It is believed this was done to harm Hillary Clinton’s chances of election success, in favour of Donald Trump.

Additionally, In 2012, Putin wrote an article called ‘Russia in a Changing World’ which suggested the country would use a “complex of tools and methods for achieving foreign policy goals without deploying weapons” – which goes some way in explaining Russia’s penchant for carrying out cyber-attacks.

With Russia still at war with Ukraine (and therefore essentially at war with other nations), experts believe more cyber-attacks initiated by Russia are very likely – with UK businesses amongst those expected to be targeted.

Why would Russia target UK companies?

There isn’t an exact reason why Russia would target specifically UK companies in this war, but as the UK has made clear it is strongly against Russia’s invasion of Ukraine (along with many other western states), Russia are picking out whichever country gets in its way of invading Ukraine – which is currently in the form of cyber-attacks.

The UK’s National Cyber Security Centre (NCSC), which provides expert advice on all things cyber-security related, has already warned businesses to better prepare themselves for attacks by Russian criminals. This warning was later justified after it was discovered the UK Foreign Office had been hacked by Russians.

The UK has since increased the level of sanctions and restrictions on Russia, which could in turn put it in the firing line even further.

So far, DDoS attacks have been the most common type of attack during this conflict – reason being its goal is to not steal data, but flood an adversary's website or system until it goes offline.

What should you do as a business?

The NCSC has made clear that businesses in the UK should act fast to bolster their online defences.

Whilst there have not been many specific instances of Russian cyber-attacks on UK companies, history suggests that such international incidents will inevitably lead to an increase in attacks on states that oppose Russia’s invasion on Ukraine.

Therefore, some of the steps you should take to tighten your security, include:

Ensure systems are up to date

• Ensure all user devices, network hardware and software are patched and running on latest recommended software/firmware
• Review all systems and applications to see if anything is out of date and therefore poses a threat to your security.

Verify Access Controls

• Ensure passwords are unique and complex
• Review user accounts and remove any old or unused accounts
• If you have multi-factor authentication (MFA) enabled, check it is properly configured. Make sure it is enabled on systems and user accounts according to your policies.

Ensure defences are working

• Ensure antivirus software is installed and confirm it is actively functioning correctly
• Check your firewall rules are configured as expected – specifically check for temporary rules that may have been left in place beyond their expected lifetime.

Logging and Monitoring

• Understand what logging you have in place, where logs are stored, how long they are retained for and monitor them regularly.

Review backups

• Confirm that your backups are running correctly. Perform test restorations from your backups to ensure that the restoration process is understood and familiar
• Check that there is an offline copy of your backup - and that it is always recent enough to be useful if an attack results in loss of data or system configuration.
• Ensure machine state and any critical external credentials (such as private keys, access tokens) are also backed up, not just data.

Incident Plan

• Check your incident response plan is up to date
• Confirm that escalation routes and contact details are all up to date
• Ensure that the incident response plan contains clarity on who has the authority to make key decisions, especially out of normal office hours
• Ensure your incident response plan and the communication mechanisms it uses will be available, even if your systems are not.

Phishing Response

• Ensure there is a process in place to deal with any reported phishing emails.

Brief your organisation

• Ensure all departments in your organisation understand the situation and the heightened threat and that there is a clear process for reporting suspected security related incidents.

Conclusion