Russian Invasion with Ukraine: It Finally Happened

After weeks and months of speculation, the Russian government finally did it.  In the dawn hours of February 24, 2022, Russia’s military invaded Ukraine, and started targeting specific infrastructure, one of them being Ukraine’s Antonov International Airport. So, what should we expect?  As US officials have been warning, there could be a potential onslaught of Cyberattacks, not only focused on Ukraine, but we are also at risk as are our allies around the world.

What Will Be the Intended Targets?

The expected Russian cyberattacks could range from targeting major Cloud Service providers and their corresponding infrastructure to on premise infrastructure of corporate organizations. An additional potential target with the highest tangible impact is Industrial control systems (ICS) environments.

Although most organizations now have the people, processes, and technology to protect, detect, and recover from an attack against their IT infrastructure, the same cannot always be said of ICS environments.  The primary reason for this is that these systems were not designed or developed with cybersecurity controls in mind.  In addition, many of these systems and their supporting infrastructure have been in operation for many years and are sensitive to the introduction of security technologies.

Many industrial control systems cannot be hardened, secured, or patched due to the age, sensitivity, and/or lack of support from the manufacturers of those systems. One cannot simply replace these systems with updated or more secure devices without replacing the software that supports them and the equipment that these systems automate and operate. This results in unpatched outdated systems, insecure industrial protocols, and vulnerable network infrastructure.

ICS Attacks within the United States

Attacks targeting critical infrastructure and industrial control systems have increased exponentially over the past decade. Over the past year, the United States alone has experienced multiple attacks, with the most notable being the breach of the Colonial Gas Pipeline. Because the company could not recover the impacted systems quickly, the organization was forced to pay a large ransom.  In addition to Colonial Pipeline there where targeted attacks against Critical Infrastructure Sectors which included water/ waste water, energy, and food and agriculture.

A Known History

What makes Russia such a powerful nation state actor as it relates to industrial control system targets is their understanding, capabilities, and history of exploiting these systems successfully.  A few examples of successful attack campaigns include:

• The 2015 attack on Ukraine’s electrical power grid
• Another attack against the same Ukrainian targets in 2016
• A Cyberattack targeting Ukrainian organizations in 2017, infamously known as “NotPetya”

Where To Go from Here

With the information provided above, some questions you have may include:

How does my organization protect itself against targeted attacks associated with the current Russia/Ukraine conflict?

1. Understand your attack surface: Identify your perimeter. This includes both inbound and outbound access from both your corporate IT environment and your OT, or industrial control, systems environment. It’s important to understand access to your organization, security controls associated with that access, and current threats and threat actors that could target and compromise systems or infrastructure providing that access.

2. Asset Identification: To understand your attack surface, vulnerabilities in your environment, and threats applicable to your organization, you must understand what you have within your industrial control systems environment that represents the largest tangible impact to your organization and their critical operations.

3. Existing vulnerabilities: Once the perimeter and assets within the industrial control systems environment are identified, it is important to find gaps in hardening, risks, and vulnerabilities to systems and infrastructure supporting critical operations. Red Trident can assist in performing assessments that identify known vulnerabilities, insecure configurations, and risks introduced within critical operating environments.

How can my organization detect if it has been compromised?

Red Trident recommends active threat monitoring, intelligence feeds, logging and monitoring capabilities, compromise assessments, and subject matter experts monitoring critical environments within the organization.

If my company is compromised, how do we recover, and who will support us in recovery?

Incident response should start before being compromised. Having the ability to Contain, Eradicate, and Recover is helpful in the ability to recover quickly with minimal losses. However, many organizations we work with do not have mature Incident Response Plans for their ICS/OT environments. This is where Red Trident can support you today with a proactive assessment to help you understand what capabilities your organization does have to recover from a compromise and ensure you have a partner if something happens in the future.

Conclusions

As the Russia/Ukraine conflict evolves, the threat of nation state attacks on critical infrastructure will continue. This can severely impact operations and safety within your organization.

Red Trident can support the identification of critical assets, vulnerabilities, and risks within your environment as well as the implementation of protection and detection technologies as part of the remediation recommended within assessments services we provide. We also specialize in detection and response of compromises and incidents within Operational Technologies (OT) and industrial control systems environments.

If you need help or have questions, please contact Red Trident