Following Russia’s invasion of Ukraine, it has been widely reported that cyber-attacks are likely to increase. The National Cyber Security Centre (NCSC) has said that the UK’s cyber risk has heightened in recent weeks, and all organisations should be aware of this increased risk, which carries both legal and reputational consequences.
To understand what steps all data controllers should be taking to assess their preparedness for an attack, we have put a number of key questions to our partners at Cysiam, specialists in cyber security and critical incident response, who work with us under our BB Solutions service. We asked Cysiam to explain why cyber risks are rising and what steps organisations should be considering.
Why does the conflict in Ukraine increase cyber risks in the UK?
Russia has been carrying out cyber-attacks on Ukraine for over a decade, so even if troops are withdrawn it is unlikely that Russia will halt its technical operations. Sanctions or other actions by the UK government could prompt retaliatory attacks against UK targets, and companies with an interest in Russia or Ukraine are at increased risk of being caught in the cyber crossfire or of being targeted directly by Russian or Ukrainian cyber operatives.
A further complexity of cyber warfare is that anyone with a computer and an internet connection can join in. We have recently seen Anonymous issue a call to arms, encouraging activists to attack Russia in support of Ukraine. There is no reason why activists supporting Russia could not mount a counterattack.
What might attacks look like or be designed to achieve?
Russia understands the power of using cyber-attacks alongside, or in place of, conventional attacks. Evidence suggests it has previously used cyber-attacks to send a message, as in the attacks on Estonia in 2007 and during the conflict with Georgia in 2008. Russia also knows that attribution of attacks can be near impossible to confirm, so it is a method Russia could use without risking a wider conflict.
Previous examples (WannaCry, which the UK attributed to North Korea, and the Russia-linked NotPetya and BlackEnergy) suggest that attacks are likely to be destructive in nature. At present it seems unlikely that Russia would attack the UK directly; however, as we have seen recently, things escalate quickly, so this cannot be ruled out. Where online groups support Russian objectives without being official state actors, their targets cannot be predicted. Microsoft identified evidence of a destructive malware operation targeting multiple organisations in Ukraine in the run-up to the conflict. That malware was designed to destroy or encrypt systems without offering a working ransom mechanism to recover them, which points to threat actors whose objective is disruption rather than money. Any attack on UK organisations would be likely to follow a similar pattern.
Are there any particular sectors more at risk?
Any large organisation with complex supply chains could be particularly vulnerable due to the difficulty in assuring the whole supply chain.
Critical National Infrastructure (CNI) such as healthcare, power and transport could be targeted, and an attack there would have a significant impact on the UK. Smaller or less obvious organisations are not exempt, however: to obscure the origin of an attack, criminal groups and state threat actors commonly compromise vulnerable organisations and use them as a staging post for attacks on their real targets.
Phishing still appears to be the most common initial attack vector. Threat actors are using a variety of ways to drop payloads, such as Office DDE (Dynamic Data Exchange) fields and even ISO disk images (Windows mounts an ISO as a drive when the user opens it), but these still require some form of human interaction. Organisations with high staff turnover, or whose staff handle a high volume of external email, are at particular risk from phishing.
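As an added example (it is not part of the original article or Cysiam’s tooling), the following Python script shows the kind of attachment triage a mail gateway or SOC analyst could apply to the two payload carriers mentioned above: it parses a Word document for DDE field codes, and it recognises an ISO 9660 image by its volume descriptor rather than trusting the file extension. The .docx and ISO samples are constructed in memory so the script runs offline; a real Word document contains more parts than the minimal zip built here, and the field-code parsing is assumed to cover only word/document.xml (headers, footers and embedded objects are out of scope).

```python
"""Triage e-mail attachments for DDE field codes in .docx files and for
ISO 9660 images. Added example, not the article's or Cysiam's own tooling;
the sample attachments below are constructed in memory."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
# Field instructions that start a DDE link; ordinary documents never need them.
DDE_RE = re.compile(r"\bDDE(AUTO)?\b", re.IGNORECASE)
# ISO 9660: the primary volume descriptor sits at sector 16 (byte 0x8000):
# one type byte, then the identifier 'CD001'.
ISO_PVD_OFFSET = 0x8000


def docx_field_codes(data: bytes) -> list[str]:
    """Return every field instruction in word/document.xml of a .docx."""
    codes: list[str] = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            xml = z.read("word/document.xml")
    except (zipfile.BadZipFile, KeyError):
        return codes  # not an OOXML Word document
    root = ET.fromstring(xml)
    # Simple fields keep the whole instruction in an attribute.
    for fld in root.iter(W_NS + "fldSimple"):
        codes.append(fld.get(W_NS + "instr", ""))
    # Complex fields spread the instruction over instrText runs between
    # fldChar begin/end markers (attackers split it to dodge naive matching),
    # so join the runs of each field before inspecting them.
    current = None
    for el in root.iter():
        if el.tag == W_NS + "fldChar":
            kind = el.get(W_NS + "fldCharType")
            if kind == "begin":
                current = []
            elif kind == "end" and current is not None:
                codes.append("".join(current))
                current = None
        elif el.tag == W_NS + "instrText" and current is not None:
            current.append(el.text or "")
    return codes


def has_dde(data: bytes) -> bool:
    return any(DDE_RE.search(code) for code in docx_field_codes(data))


def is_iso_image(data: bytes) -> bool:
    """True if the bytes carry an ISO 9660 volume descriptor, whatever the name says."""
    return data[ISO_PVD_OFFSET + 1:ISO_PVD_OFFSET + 6] == b"CD001"


def triage(name: str, data: bytes) -> list[str]:
    """Return the reasons to hold an attachment for review (empty list = pass)."""
    reasons = []
    if is_iso_image(data):
        reasons.append("ISO 9660 image (Windows mounts it as a drive when opened)")
    if name.lower().endswith(".docx") and has_dde(data):
        reasons.append("Word document contains a DDE field code")
    return reasons


# --- constructed samples, not real attachments ---
def build_docx(body_xml: str) -> bytes:
    """Minimal .docx: a zip holding only word/document.xml (enough for the parser)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(
            "word/document.xml",
            '<?xml version="1.0"?>'
            '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
            f"<w:body><w:p>{body_xml}</w:p></w:body></w:document>",
        )
    return buf.getvalue()


DDE_DOC = build_docx(
    '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText>DDEAUTO c:\\windows\\system32\\cmd.exe </w:instrText></w:r>'
    '<w:r><w:instrText>"/k calc.exe"</w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
)
CLEAN_DOC = build_docx('<w:fldSimple w:instr=" PAGE "><w:r><w:t>1</w:t></w:r></w:fldSimple>')
# Padding up to sector 16, then type byte 0x01 and 'CD001'.
FAKE_ISO = b"\x00" * ISO_PVD_OFFSET + b"\x01CD001\x01" + b"\x00" * 100

if __name__ == "__main__":
    samples = [("invoice.docx", DDE_DOC), ("report.docx", CLEAN_DOC), ("shipping.pdf.iso", FAKE_ISO)]
    for name, blob in samples:
        print(name, triage(name, blob) or "ok")
```

The ISO check deliberately ignores the file name: a renamed or double-extension attachment is still mounted by Windows once the user opens it, and a gateway that only blocks on extension would pass it through.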
What should organisations be doing in response to the increased risk?
Review the NCSC guidance in relation to the current situation in Ukraine. Carry out a threat model or risk assessment of your organisation and ask yourself these key questions across the following seven areas:
- Governance – Is cyber security risk acknowledged and managed at Board level?
- Policy and Process – Are they up to date and fit for purpose?
- Technology – Is it secured, updated, tested, and monitored?
- Data Handling – Is data protected, and compliant, both at rest and in transit?
- Culture – Are you a cyber-aware organisation?
- Physical Security – Is access controlled and restricted in critical areas?
- Supply Chain – Is supply chain cyber risk managed?
Then, on the basis of those answers:
- Identify the risks in your current cyber resilience
- Prepare a plan to mitigate the risks
- Implement the protections required
- Monitor your networks for threats.
Within your supply chain, look for any technology with links to Russia or Ukraine, for example software that is developed, hosted or supported there. Russian software does not in itself indicate a security issue, but it is something to review.
Any recommendations on simple things they can be doing to increase preparedness?
Focus on operational resilience rather than total security:
Email defences – filtering, disabling macros, and raising awareness. Phishing is still the number one initial attack vector.
Multi-factor authentication – on all accounts, and especially on privileged accounts. Also tighten controls on processes and implement checks on transactions or changes. Extend this recommendation to personal devices and accounts.
Incident Response (IR) planning and back-ups – Know what you have and what your crown jewels are: what do you most need to protect, and how would you prioritise re-establishing business operations? Check that backups are up to date and identify where they are stored. How long would a full restore take? The only reliable way to answer that is to test a restore; if backups are in the cloud or on old media, it can take days to weeks. As it is impossible to be 100% secure, incident response will be key. If you suffer an attack it will most likely come through an unknown risk, so being able to respond effectively, as a business, will be critical to your operational resilience and timely recovery from a breach.
Vulnerability Assessment – Use scanning software to identify commonly exploited vulnerabilities and perform manual assessments of business-critical assets. Patch everything you can; we recognise that some business-critical systems cannot be patched, but these need to be identified quickly and a robust risk mitigation plan put in place.
Awareness – most people are aware of the conflict but not necessarily of its potential impact on cyber security. Use this document and the NCSC guidance to bring awareness up to the required level.
What are the legal risks?
The heightened cyber risk also increases the associated legal risk. All organisations that process personal data must have appropriate technical and organisational measures in place to protect it, as required by the UK GDPR. The increased risk of a cyber-attack during the ongoing invasion should prompt a review of whether those measures remain appropriate.
The Information Commissioner’s Office has also recommended that organisations take action to “bolster your online defences” in light of the situation in Ukraine, and has published guidance aimed at small and medium-sized enterprises setting out practical ways to protect against online attacks. This guidance is available from the ICO under the title “11 practical ways to keep your IT systems safe and secure”.