Ukraine's secret cyber-defense that blunts Russian attacks: Excellent backups

This is why Viasat attack – rated one of the biggest ever of its kind – had relatively little impact

RSA Conference The Kremlin-backed cyberattack against satellite communications provider Viasat, which happened an hour before Russia invaded Ukraine, was "one of the biggest cyber events that we have seen, perhaps ever, and certainly in warfare," according to Dmitri Alperovitch, a co-founder and former CTO of CrowdStrike and chair of security-centric think tank Silverado Policy Accelerator.

Alperovitch shared that opinion during a global threat briefing he delivered with Sandra Joyce, EVP of Mandiant Intelligence, at the RSA Conference on Tuesday.

The two suggested that the primary purpose of the attack on satellite comms provider Viasat was to disrupt Ukrainian communications during the invasion, by wiping the modems' firmware remotely, it also disabled thousands of small-aperture terminals in Ukraine and across Europe. The attack therefore disrupted satellite connectivity for thousands, and disabled remote monitoring of 5,800 wind turbines in Germany.  

The Russians are horrible at combined arms

This attack – along with several other destructive data-wiping malware infections in Ukrainian government and private-sector networks – illustrates a couple of key cyber security takeaways about Russian cyber goons. 

"The Russians are horrible at combined arms," Alperovitch said, noting this holds true for air and ground military invasion. 

"And that's what we've seen in cyber as well," he added. "Even though they've been able to achieve tactical successes on a number of occasions, including in the case of Viasat, they've not been able to leverage it to actually prosecute a campaign. The best tactics, even in cyber, don't compensate for a really, really bad plan."

Perhaps the more important lesson learned, however, comes from the Ukrainian security operations teams.

Practice Resiliency

"One thing that the Ukrainians have taught us so well – and they certainly have had eight years of practice and suffered from Russian cyber operations – is the importance of resiliency," Alperovitch said. "The reality is that a number of these Russian attacks are successful." 

The Russians have seen success worldwide penetrating networks and dropping malware, he added. "However, the Ukrainians are able to rebuild the networks within hours," Alperovitch said. 

This is because Ukraine has had years of practice repairing networks after Russia deployed NotPetya – which wiped data from energy firms and banks – and the related Bad Rabbit malware.

"So it's really not a big deal to see a network wiped out because they are ready for it," Alperovitch said. "They've got backups ready to go, and they can rebuild it very quickly and very efficiently. And that's something we don't practice here."

In the US, recovering from a major attack can take an organization weeks and "be truly devastating," he added. "We have to spend a lot more effort on resiliency."

Don't fear influence operations

Another cyber-lesson learned from the Russian invasion is to not be afraid of influence operations, or IOs, Mandiant's Joyce added.

Mandiant has tracked several of these disinformation campaigns during the war, including some spread by a group that the threat intel shop calls "Secondary Infektion." Mandiant linked the gang to false claims, spread in March, that Ukrainian president Volodymyr Zelenskyy had died by suicide in a Kyiv military bunker. Another Secondary Infektion influence operation that circulated in both Ukrainian and Russian falsely claimed that the Ukraine and Polish governments sought to enable Polish troops to deploy in western Ukraine.

Neither influence operation had much impact on Ukrainian battlefields, Joyce said. Although Russian deep fake technology has become more sophisticated, "the audience too, is maturing along with them," she said. 

Ukraine has also provided an on-the-ground view of how to do incident response amid falling bombs, blackout conditions and blocked IP addresses.

"It's stressful enough to do an incident response – let alone do one during a war," Joyce said. "The type of resilience that the Ukrainian defenders are showing right now in the cyber domain is incredible. And it's something that, for our position in Mandiant, supporting these incident responses is something that we frankly, have never seen." ®

Send us news

Five Eyes nations warn Moscow's mates at the Star Blizzard gang have new phishing targets

The Russians are coming! Err, they've already infiltrated UK, US inboxes

Ukraine cyber spies claim Putin's planes are in peril as sanctions bite

Aeroflot fleet still has a smoking section, but not for tobacco

Fancy Bear goes phishing in US, European high-value networks

GRU-linked crew going after our code warns Microsoft - Outlook not good

Hollywood plays unwitting Cameo in Kremlin plot to discredit Zelensky

Microsoft spots surge in pro-Russia exploits of video platform to spread propaganda

Dump C++ and in Rust you should trust, Five Eyes agencies urge

Memory safety vulnerabilities need to be crushed with better code

Uncle Sam probes cyberattack on Pennsylvania water system by suspected Iranian crew

CISA calls for stronger IT defenses as Texas district also hit by ransomware crew

Belgian man charged with smuggling sanctioned military tech to Russia and China

Indictments allege plot to shift FPGAs, accelerometers, and spycams

Cisco intros AI to find firewall flaws, warns this sort of thing can't be free

Predicts cyber crims will find binary brainboxes harder to battle

UK government denies China/Russia nuke plant hack claim

Report suggests Sellafield compromised since 2015, response seems worryingly ignorant of Stuxnet

Weak session keys let snoops take a byte out of your Bluetooth traffic

BLUFFS spying flaw present in iPhones, ThinkPad, plenty of chipsets

Polish train maker denies claims its software bricked rolling stock maintained by competitor

Says it was probably hacked, which isn't good news either

Attacks abuse Microsoft DHCP to spoof DNS records and steal secrets

Akamai says it reported the flaws to Microsoft. Redmond shrugged