secion's assessment of the security threats to companies following the outbreak of the war in Ukraine
by Tina Siering
How does the Ukraine war affect cybersecurity in Germany, Austria and Switzerland?
The Russian attack on Ukraine on Feb. 24, 2022, marks a turning point, according to German Chancellor Olaf Scholz. News of cyber attacks and a "war on the Net" are also causing uncertainty and concern in other parts of Europe. Due to the war in Ukraine, we are currently being asked in many customer conversations whether we are increasingly recognizing Russian attacks on companies in Germany, Austria as well as Switzerland and how we assess the situation.
In the following, we therefore share our current assessment and evaluation of the situation, also based on the results of our globally operating early attack detection with Active Cyber Defense (ACD).
Has the threat situation for companies become more acute since the outbreak of war?
No, the threat has not changed fundamentally since the start of the war. We currently have no knowledge of any acutely increased threat from Russian state actors in Western Europe. However, we have noticed a heightened public awareness of cyberattacks, particularly with regard to our own security.
This heightened risk awareness will not only lead to potential phishing campaigns being identified and reported much earlier than critical, but also to previously undetected compromises being uncovered that already existed before the outbreak of war.
Why a cyber defense strategy is now more important than ever
The majority of attacks detected on our part by potentially state or semi-state actors occur from an intelligence perspective and serve to gather information. This threat is not fundamentally new; it existed in the past, triggered by the political changes of the Euromaidan protests in 2014, but it intensified as a result of preparatory actions before the war began.
Involved "third-party actors" provide a new dynamic, e.g., through public calls for "hacktivism" or the positioning of criminal groups that previously had a primarily financial motivation. While these do not operate at the same level as intelligence actors, they may feel emboldened to engage in risky activities on a large scale.
From a cybersecurity perspective, this suggests that geopolitical considerations are becoming more important for these third-party actors in addition to ideological or financial motivations, which should be factored into future risk assessments for relevant industries and government institutions. For example, Cybergang Conti has officially taken a position in favor of the Russian side. A disgruntled member then published internal chats and data from previous years.
However, large-scale open sabotage scenarios require months or years of preparation. The threat level in this context therefore remains undiminished - as it was before the war began. Companies that are now compromised were probably already compromised before February 24, 2022, without knowing it.
This preparation aspect is particularly important because the often propagated image of simultaneity of attack and damaging effect in IT attacks is a fallacy: infiltration takes place with a long time lag before a visible damaging effect (such as STUXNET in 2010 or the Ukraine Grid blackout in 2015) - or, in the case of covert espionage, even remains completely undetected.
Conclusion on the threat situation for companies
Enterprises should remain vigilant and provide the necessary awareness and targeted monitoring of their environment. Test your detection strategies and response processes. Review and update your IT contingency plans, back-up regularly and keep your systems current. Raise your employees' awareness of phishing emails and disinformation, social engineering and fake news - not just Ukraine-related. It is not only in this dynamic situation that it is advisable to opt for a successful cyber defense strategy. If you have not yet dealt with the topic, now is a good time to start!
Need help upgrading your IT security for 2022? Contact us!
Related articles
For several days now, there has been a strong accumulation of successful compromises by the "QakBot" malware (also known as "QBot" and "QuackBot") worldwide. We have also already identified successful attacks as part of our ACD monitoring. After infection, criminals can gain access to online banking accounts, leak user data, and reload further malware. As one measure to mitigate the risk, we urgently recommend adjustments to the Group Policy Objects (GPO).
Cybercriminals are true masters at constantly adapting their attack mechanisms to effective IT security measures. New tools and iterative changes to existing malware are used to mercilessly exploit security vulnerabilities. Among the numerous threats, ransomware stands out as one of the biggest. More and more companies have to face extortion Trojans. A completely new threat called LockFile now relies on intermittent encryption. LockFile not only encrypts much faster than previous ransomware, but also bypasses security solutions that work reliably. This article shows why criminals are increasingly relying on intermittent encryption and how companies should react to the new threat.
Read more … New ransomware trend: Why criminals increasingly rely on intermittent encryption
In a blog post on 19.10.2022, Microsoft confirmed that sensitive customer data had been exposed!
The reason was a misconfigured Microsoft endpoint server that was publicly accessible via the internet. In total, it can be assumed that sensitive data from approx. 65,000 companies in 111 countries was publicly accessible.
Read more … Ad Hoc News: Warning of "BlueBleed" data leak at Microsoft