Security

Ukraine's secret cyber-defense that blunts Russian attacks: Excellent backups

This is why Viasat attack – rated one of the biggest ever of its kind – had relatively little impact


RSA Conference The Kremlin-backed cyberattack against satellite communications provider Viasat, which happened an hour before Russia invaded Ukraine, was "one of the biggest cyber events that we have seen, perhaps ever, and certainly in warfare," according to Dmitri Alperovitch, a co-founder and former CTO of CrowdStrike and chair of security-centric think tank Silverado Policy Accelerator.

Alperovitch shared that opinion during a global threat briefing he delivered with Sandra Joyce, EVP of Mandiant Intelligence, at the RSA Conference on Tuesday.

The two suggested that the primary purpose of the attack on satellite comms provider Viasat was to disrupt Ukrainian communications during the invasion, by wiping the modems' firmware remotely, it also disabled thousands of small-aperture terminals in Ukraine and across Europe. The attack therefore disrupted satellite connectivity for thousands, and disabled remote monitoring of 5,800 wind turbines in Germany.  

The Russians are horrible at combined arms

This attack – along with several other destructive data-wiping malware infections in Ukrainian government and private-sector networks – illustrates a couple of key cyber security takeaways about Russian cyber goons. 

"The Russians are horrible at combined arms," Alperovitch said, noting this holds true for air and ground military invasion. 

"And that's what we've seen in cyber as well," he added. "Even though they've been able to achieve tactical successes on a number of occasions, including in the case of Viasat, they've not been able to leverage it to actually prosecute a campaign. The best tactics, even in cyber, don't compensate for a really, really bad plan."

Perhaps the more important lesson learned, however, comes from the Ukrainian security operations teams.

Practice Resiliency

"One thing that the Ukrainians have taught us so well – and they certainly have had eight years of practice and suffered from Russian cyber operations – is the importance of resiliency," Alperovitch said. "The reality is that a number of these Russian attacks are successful." 

The Russians have seen success worldwide penetrating networks and dropping malware, he added. "However, the Ukrainians are able to rebuild the networks within hours," Alperovitch said. 

This is because Ukraine has had years of practice repairing networks after Russia deployed NotPetya – which wiped data from energy firms and banks – and the related Bad Rabbit malware.

"So it's really not a big deal to see a network wiped out because they are ready for it," Alperovitch said. "They've got backups ready to go, and they can rebuild it very quickly and very efficiently. And that's something we don't practice here."

In the US, recovering from a major attack can take an organization weeks and "be truly devastating," he added. "We have to spend a lot more effort on resiliency."

Don't fear influence operations

Another cyber-lesson learned from the Russian invasion is to not be afraid of influence operations, or IOs, Mandiant's Joyce added.

Mandiant has tracked several of these disinformation campaigns during the war, including some spread by a group that the threat intel shop calls "Secondary Infektion." Mandiant linked the gang to false claims, spread in March, that Ukrainian president Volodymyr Zelenskyy had died by suicide in a Kyiv military bunker. Another Secondary Infektion influence operation that circulated in both Ukrainian and Russian falsely claimed that the Ukraine and Polish governments sought to enable Polish troops to deploy in western Ukraine.

Neither influence operation had much impact on Ukrainian battlefields, Joyce said. Although Russian deep fake technology has become more sophisticated, "the audience too, is maturing along with them," she said. 

Ukraine has also provided an on-the-ground view of how to do incident response amid falling bombs, blackout conditions and blocked IP addresses.

"It's stressful enough to do an incident response – let alone do one during a war," Joyce said. "The type of resilience that the Ukrainian defenders are showing right now in the cyber domain is incredible. And it's something that, for our position in Mandiant, supporting these incident responses is something that we frankly, have never seen." ®

Send us news
21 Comments

Russia's Cozy Bear caught phishing German politicos with phony dinner invites

Forget the Riesling, bring on the WINELOADER

Chinese snoops use F5, ConnectWise bugs to sell access into top US, UK networks

Crew may well be working under contract for Beijing

Microsoft Copilot for Security prepares for April liftoff

Automated AI helper intended to make security more manageable

In the rush to build AI apps, please, please don't leave security behind

Supply-chain attacks are definitely possible and could lead to data theft, system hijacking, and more

Kremlin accuses America of plotting cyberattack on Russian voting systems

Don't worry, we have a strong suspicion Putin's still gonna win

Microsoft confirms Russian spies stole source code, accessed internal systems

Still 'no evidence' of any compromised customer-facing systems, we're told

March Patch Tuesday sees Hyper-V join the guest-host escape club

Critical bugs galore among 61 Microsoft fixes, 56 from Adobe, a dozen from SAP, and a fistful from Fortinet

Infosec teams must be allowed to fail, argues Gartner

But failing to recover from incidents is unforgivable because 'adrenalin does not scale'

US sanctions spree continues with 15 more for Russian entities

Financial firms that help evade existing restrictions in crosshairs

FreeBSD Foundation hands out Beacon gongs for safer software

Multiple CHERI-related projects win money for important research that prizes safety over speed

Row breaks out over true severity of two DNSSEC flaws

Some of us would be happy being rated 7.5 out of 10, just sayin'

Truck-to-truck worm could infect – and disrupt – entire US commercial fleet

The device that makes it possible is required in all American big rigs, and has poor security