Expect 'long tail of cyber retaliation' from Russia for sanctions, says ExtraHop CEO
'We have this small moment in time where we can make improvements in our defensive posture'
The US and its NATO allies should expect a "long tail of retaliation," in the form of cyberattacks, for the sanctions imposed on Russia, says cloud security shop ExtraHop's CEO Patrick Dennis.
But only about half of the organizations the threat detection and response company works with are heeding security warnings from the US government's Cybersecurity and Infrastructure Security Agency (CISA) and others, he says. CISA's Shields Up alert about the Russian invasion of Ukraine potentially spilling over into cyber-offensives against the US should have served as a wake-up call to organizations to improve their security posture, Dennis said in an interview with The Register.
"I've not seen [CISA] take a position as clinical and strong as they've taken" with the Russian threat, he said. "We have this small moment in time where we can make some improvements in our defensive posture, and we should be capitalizing on it."
Historically, Russia uses cyberattacks to bookend kinetic or physical warfare, he said. In the current conflict, this included distributed denial of service attacks against Ukrainian banking and defense websites in early February before the ground and air invasion started, not to mention the bricking of Viasat internet modems.
"Once Russia decided to go kinetic, cyber is not the thing that's going to necessarily fall to the top of the pile," Dennis said, adding that tanks and missiles are more effective in mass destruction. "So there could be a stockpile of cyberattacks that's left to happen that the Russians have queued up to execute after this campaign finishes."
Plus, this threat of Russian cyberattacks provides a big cover under which other nation states and cybercriminal groups can perform nefarious acts and not get caught — or at least have their actions attributed to Russia. Case in point: the flurry of extortion attacks and data-leaks, now attributed to Lapsus$, were originally thought to be linked to Russian cybercriminals.
"It would not surprise me to see an increase in the general level of cyber activity because there's going to be an umbrella there for people to hide underneath," Dennis said.
Cyberattacks increase one month into the war
According to Check Point Research's latest numbers, one month into the war, both Russia and Ukraine have seen an increase in cyberattacks: 10 percent and 17 percent, respectively.
Globally, the security shop has observed a 16 percent increase in cyberattacks since the invasion began. That reflects an 18 percent jump in weekly attacks in Europe, and a 16 percent increase in the Asia-Pacific region. In North America, the average number of weekly attacks per organization is 14 percent higher than before the war started.
While Russian cyberattacks to this point have largely targeted Ukrainian government agencies and organizations, as the US and NATO allies ramp up sanctions and a growing number of private companies pull out of Russia, Dennis believes the West will see a growing cyber retaliation.
He pointed to the US ban on Russian energy imports, the partial SWIFT sanctions against Russian banks, and a slew of private companies from McDonald's to Microsoft stopping or at least limiting their business in Russia.
"I think this certainly has risen to the level of feeling like economic warfare if you are Russia," Dennis said. "And so I think it's reasonable to expect a proportional response to this. It's hard to see a future where Russia and Russian sympathizers don't retaliate."
As to what these attacks might look like, Dennis said organizations should prepare for sophisticated, destructive attacks from Russia and its well-funded sympathizers.
Perhaps unsurprisingly (he does lead a threat detection and response firm), Dennis said network visibility is the first step. Organizations should be on the lookout for any activity on their networks that they haven't seen before, and have the security tools and playbooks in place to respond quickly.
"Ransomware and malware attacks have all been pretty standard over the last several years, but I do think we should generally expect attacks that are more advanced," he said. "If this is going to be a coordinated response, it's going to have more help from people that are more sophisticated."
He said he's been tracking the price of zero-days sold to cybercriminal groups: "$10 million to $15 million for an iOS zero day," Dennis said, adding that price tags of this size also indicate the deep-pocketed nature of the threat actors that can afford to buy and use these exploits.
ExtraHop's customers largely fall into two groups: one that took CISA's warning to heart and one that didn't.
"I was talking to a CISO from a large health care provider who knew what CISA said, word for word, and had an action plan," he said. "They still had a ton of work to do, but they were taking action." He calls the second group the "this-is-pretty-far-from-home cluster."
"Those are the folks saying, 'Can I really be held to the standard of addressing a nation state attack?' Answer: You can. 'Will I ever even be exposed to that type of attack?' Answer: It's much more likely than you have been historically," Dennis said. "There's going to be an increase in cyber activity, and it's probably going to land on all of our doorsteps. It's not going to remain in Europe."
Dennis said an organization's size or even its industry doesn't play a determining role in which category they fall into — this despite recent warnings specific to government agencies, the energy sector, and critical infrastructure owners and operators.
The FBI on Tuesday told [PDF] US election and other state and local government officials to be on the lookout for invoice-themed phishing emails that criminals could use to steal login credentials.
As of October, US election officials in at least nine states received these phony emails, and the feds warn that these types of campaigns will likely ramp up before the midterm elections. While this alert doesn't name Russia, it does bring to mind the Russian meddling in the previous two US presidential elections.
"Should every critical infrastructure organization be in cluster one?" Dennis asked, referring to the group that's prepping for a cyberattack. "Yes. Are they currently? No."
"It's important to go back, and on a risk-adjusted basis, look at the facts and circumstances around them and reach a conclusion as to whether or not things have worsened for them" threat wise, he added.
"That's a very practical, reasonable thing for any company to be doing right now. I'm just not sure enough companies have done that." ®