Ukraine's secret cyber-defense that blunts Russian attacks: Excellent backups

This is why Viasat attack – rated one of the biggest ever of its kind – had relatively little impact

RSA Conference The Kremlin-backed cyberattack against satellite communications provider Viasat, which happened an hour before Russia invaded Ukraine, was "one of the biggest cyber events that we have seen, perhaps ever, and certainly in warfare," according to Dmitri Alperovitch, a co-founder and former CTO of CrowdStrike and chair of security-centric think tank Silverado Policy Accelerator.

Alperovitch shared that opinion during a global threat briefing he delivered with Sandra Joyce, EVP of Mandiant Intelligence, at the RSA Conference on Tuesday.

The two suggested that the primary purpose of the attack on satellite comms provider Viasat was to disrupt Ukrainian communications during the invasion, by wiping the modems' firmware remotely, it also disabled thousands of small-aperture terminals in Ukraine and across Europe. The attack therefore disrupted satellite connectivity for thousands, and disabled remote monitoring of 5,800 wind turbines in Germany.  

The Russians are horrible at combined arms

This attack – along with several other destructive data-wiping malware infections in Ukrainian government and private-sector networks – illustrates a couple of key cyber security takeaways about Russian cyber goons. 

"The Russians are horrible at combined arms," Alperovitch said, noting this holds true for air and ground military invasion. 

"And that's what we've seen in cyber as well," he added. "Even though they've been able to achieve tactical successes on a number of occasions, including in the case of Viasat, they've not been able to leverage it to actually prosecute a campaign. The best tactics, even in cyber, don't compensate for a really, really bad plan."

Perhaps the more important lesson learned, however, comes from the Ukrainian security operations teams.

Practice Resiliency

"One thing that the Ukrainians have taught us so well – and they certainly have had eight years of practice and suffered from Russian cyber operations – is the importance of resiliency," Alperovitch said. "The reality is that a number of these Russian attacks are successful." 

The Russians have seen success worldwide penetrating networks and dropping malware, he added. "However, the Ukrainians are able to rebuild the networks within hours," Alperovitch said. 

This is because Ukraine has had years of practice repairing networks after Russia deployed NotPetya – which wiped data from energy firms and banks – and the related Bad Rabbit malware.

"So it's really not a big deal to see a network wiped out because they are ready for it," Alperovitch said. "They've got backups ready to go, and they can rebuild it very quickly and very efficiently. And that's something we don't practice here."

In the US, recovering from a major attack can take an organization weeks and "be truly devastating," he added. "We have to spend a lot more effort on resiliency."

Don't fear influence operations

Another cyber-lesson learned from the Russian invasion is to not be afraid of influence operations, or IOs, Mandiant's Joyce added.

Mandiant has tracked several of these disinformation campaigns during the war, including some spread by a group that the threat intel shop calls "Secondary Infektion." Mandiant linked the gang to false claims, spread in March, that Ukrainian president Volodymyr Zelenskyy had died by suicide in a Kyiv military bunker. Another Secondary Infektion influence operation that circulated in both Ukrainian and Russian falsely claimed that the Ukraine and Polish governments sought to enable Polish troops to deploy in western Ukraine.

Neither influence operation had much impact on Ukrainian battlefields, Joyce said. Although Russian deep fake technology has become more sophisticated, "the audience too, is maturing along with them," she said. 

Ukraine has also provided an on-the-ground view of how to do incident response amid falling bombs, blackout conditions and blocked IP addresses.

"It's stressful enough to do an incident response – let alone do one during a war," Joyce said. "The type of resilience that the Ukrainian defenders are showing right now in the cyber domain is incredible. And it's something that, for our position in Mandiant, supporting these incident responses is something that we frankly, have never seen." ®

Send us news

UK Cyber Security Centre's scary new story: One phish, two phish, Russia phish, Iran phish

Nice people on LinkedIn want to harvest logins from politicians, boffins, and defense types

Uncle Sam slaps $10m bounty on Hive while Russia ban-hammers FBI, CIA

New meaning to sweetening the pot

Gee, tanks: Russian hackers DDoS Germany for aiding Ukraine

Also: a week of leaks; Riot Games says 'LoL' to source code ransom demands; and Yandex source also appears online

Memory safety is the new black, fashionable and fit for any occasion

Calls to avoid C/C++ and embrace Rust grow louder

Gootloader malware updated with PowerShell, sneaky JavaScript

Perhaps a good time to check for unwelcome visitors

Months after NSA disclosed Microsoft cert bug, datacenters remain unpatched

You know when we all said quit using MD5? We really meant it

Microsoft sweeps up after breaking .NET with December security updates

XPS doc display issues fixed – until the next patch, at least

Smart ovens do really dumb stuff to check for Wi-Fi

Pinging search services in the US, China, Russia perhaps not ideal for privacy

Ukraine slides closer to NATO with buckets of experience fending off Moscow's cyberattacks

'Now Russia will have to play defense'

Apple emits emergency patch for older iPhones after snoops pounce on WebKit hole

Also: Yay for Data Privacy Day!

LockBit brags it pumped ION full of ransomware

Crims put a February 4 deadline for software slinger to pay up

Google boosts bounties for open source flaws found via fuzzing

Max reward per project integration is now $30k