Ukraine's secret cyber-defense that blunts Russian attacks: Excellent backups

RSA Conference The Kremlin-backed cyberattack against satellite communications provider Viasat, which happened an hour before Russia invaded Ukraine, was "one of the biggest cyber events that we have seen, perhaps ever, and certainly in warfare," according to Dmitri Alperovitch, a co-founder and former CTO of CrowdStrike and chair of security-centric think tank Silverado Policy Accelerator.

Alperovitch shared that opinion during a global threat briefing he delivered with Sandra Joyce, EVP of Mandiant Intelligence, at the RSA Conference on Tuesday.

The two suggested that the primary purpose of the attack on satellite comms provider Viasat was to disrupt Ukrainian communications during the invasion, by wiping the modems' firmware remotely, it also disabled thousands of small-aperture terminals in Ukraine and across Europe. The attack therefore disrupted satellite connectivity for thousands, and disabled remote monitoring of 5,800 wind turbines in Germany.  

The Russians are horrible at combined arms

This attack – along with several other destructive data-wiping malware infections in Ukrainian government and private-sector networks – illustrates a couple of key cyber security takeaways about Russian cyber goons. 

"The Russians are horrible at combined arms," Alperovitch said, noting this holds true for air and ground military invasion. 

"And that's what we've seen in cyber as well," he added. "Even though they've been able to achieve tactical successes on a number of occasions, including in the case of Viasat, they've not been able to leverage it to actually prosecute a campaign. The best tactics, even in cyber, don't compensate for a really, really bad plan."

Perhaps the more important lesson learned, however, comes from the Ukrainian security operations teams.

Practice Resiliency

"One thing that the Ukrainians have taught us so well – and they certainly have had eight years of practice and suffered from Russian cyber operations – is the importance of resiliency," Alperovitch said. "The reality is that a number of these Russian attacks are successful." 

The Russians have seen success worldwide penetrating networks and dropping malware, he added. "However, the Ukrainians are able to rebuild the networks within hours," Alperovitch said. 

This is because Ukraine has had years of practice repairing networks after Russia deployed NotPetya – which wiped data from energy firms and banks – and the related Bad Rabbit malware.

"So it's really not a big deal to see a network wiped out because they are ready for it," Alperovitch said. "They've got backups ready to go, and they can rebuild it very quickly and very efficiently. And that's something we don't practice here."

In the US, recovering from a major attack can take an organization weeks and "be truly devastating," he added. "We have to spend a lot more effort on resiliency."

Don't fear influence operations

Another cyber-lesson learned from the Russian invasion is to not be afraid of influence operations, or IOs, Mandiant's Joyce added.

Mandiant has tracked several of these disinformation campaigns during the war, including some spread by a group that the threat intel shop calls "Secondary Infektion." Mandiant linked the gang to false claims, spread in March, that Ukrainian president Volodymyr Zelenskyy had died by suicide in a Kyiv military bunker. Another Secondary Infektion influence operation that circulated in both Ukrainian and Russian falsely claimed that the Ukraine and Polish governments sought to enable Polish troops to deploy in western Ukraine.

• US, Europe formally blame Russia for data wiper attacks against Ukraine, Viasat
• Iran, China-linked gangs join Putin's disinformation war online
• Cisco EVP: We need to lift everyone above the cybersecurity poverty line
• IBM buys Randori to address multicloud security messes

Neither influence operation had much impact on Ukrainian battlefields, Joyce said. Although Russian deep fake technology has become more sophisticated, "the audience too, is maturing along with them," she said. 

Ukraine has also provided an on-the-ground view of how to do incident response amid falling bombs, blackout conditions and blocked IP addresses.

"It's stressful enough to do an incident response – let alone do one during a war," Joyce said. "The type of resilience that the Ukrainian defenders are showing right now in the cyber domain is incredible. And it's something that, for our position in Mandiant, supporting these incident responses is something that we frankly, have never seen." ®