Cyber is Integral to the Offensive Armoury
Cyberattacks have been used in Ukraine as an integral part of the offensive armoury, not as a casual afterthought. Since mid-January, government and financial websites in Ukraine have been subject to sustained cyberattack, including multiple Distributed Denial of Service (DDoS) attacks on public-facing websites and the widespread use of wiper malware. The wiper malware used to infect workstations inside Ukraine is a textbook example of how a cleverly crafted piece of malware can be used to wreak havoc. The attack is delivered via a macro-enabled Word document using a technique called template injection. Once the macro runs, a digitally signed binary is installed. Because the binary is signed, it can escape detection even in environments such as operational technology (OT) networks where only signed binaries are allowed to execute. The binary then rewrites the whole of the master boot record on the workstation, corrupting the entire disk and destroying any data it contains. It is only reasonable to assume that this type of malware will be deployed regularly as the war continues. Governments and critical infrastructure providers outside the immediate conflict zone need to assume that they too could be subject to similar attacks in retaliation for their financial and military support of Ukraine. For this reason alone, it is necessary to strengthen defences now.
Mainstream Criminal Activity
A further reason for reviewing defences right now goes to the very heart of how the world of cybercrime works. Wiper malware is not about extracting monetary gain, since by definition it merely wipes data. So, aside from targeted nation-state activity, you might think that this type of wiper malware would only be of interest to cyber terrorists such as "issue-focused" pressure groups. In fact, nothing could be further from the truth. Attacks and techniques that start out as the sole preserve of nation-state intelligence agencies become part of the everyday toolkit of financially motivated cyber criminals in a matter of weeks, or even days. As we speak, the malware used to attack Ukraine's critical national infrastructure is being analyzed and re-engineered to serve more mainstream, financially motivated criminal activity.
A Prime Target
The truth is that critical national infrastructure is firmly in the crosshairs across the world. With the convergence of IT and OT, critical infrastructure is now a prime target for attackers. The use of networked machines, automation and IoT devices continues to grow, but many of these devices were not designed with security as a key characteristic. Cybercriminals are keenly aware of this. Indeed, Gartner predicts that by 2025 cybercriminals will be able to weaponize OT environments to successfully harm or even kill people.
Traditionally, attacks on critical infrastructure, and specifically on industrial control systems, were delivered via removable media such as USB drives, in acknowledgement of the fact that most of these environments were "air gapped" from IT networks. IT/OT convergence has changed the rules of engagement. Malware delivered into the IT network via Office documents, PDFs and images in email or Web downloads is designed not only to compromise enterprise workstations but to move laterally and "jump" the IT/OT boundary. So what steps can we take right now to respond to the elevated threat level?
Time for Zero Trust
In general, military and national government institutions are some of the most targeted organizations in the world. They have had to learn to defend themselves from this type of attack over many years, and Forcepoint has a proven track record in helping them. Now we are helping providers of critical national infrastructure to do likewise with technologies like Zero Trust Content Disarm and Reconstruction (CDR). This innovative technology is designed to deliver malware-free files and data without relying on detection, and therefore without the accompanying risk that the incoming file or data contains some new piece of malware that has never been detected before. It works by extracting the valid business information from files, verifying that the extracted information is well-structured, and then building brand new files to carry that information to its destination. This unique zero trust approach is applied to all files and data, from Office files and images to Web application data, whether or not a given file contains a threat.
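To make the three steps above concrete, and to show why they neutralise a macro-and-template-injection delivery like the one described earlier, here is an added example of a toy CDR pass over a .docx file. It is illustrative code written for this page, not Forcepoint's product or any of its APIs. A .docx is a zip archive of XML parts; the example treats only paragraph text in word/document.xml as business information, verifies it against a simple structural policy, and then assembles a brand new, minimal document around it. The VBA project part, the settings part and the external attached-template relationship in the constructed sample input are never inspected for maliciousness; they are simply not carried across. The sample file, its placeholder VBA bytes and the placeholder template URL are constructed for the example, and the size limits and the Python function names are assumptions.

```python
"""Toy Content Disarm and Reconstruction (CDR) for .docx files.

Added example, not Forcepoint code. A .docx is a zip of XML parts. The only
content this toy policy treats as valid business information is paragraph
text from word/document.xml; everything else (VBA project, settings,
attached-template relationships, embedded objects) is dropped and a brand
new .docx is built around the verified text.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE_REL = ("http://schemas.openxmlformats.org/officeDocument/"
                         "2006/relationships/attachedTemplate")
XML_SPACE = "{http://www.w3.org/XML/1998/namespace}space"

# Policy limits for the "is it well-structured?" step (assumed values).
MAX_PARAGRAPHS = 10_000
MAX_CHARS = 1_000_000

# Minimal package scaffolding that every rebuilt .docx gets.
CONTENT_TYPES = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
    '<Default Extension="xml" ContentType="application/xml"/>'
    '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
    '</Types>'
)
ROOT_RELS = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    f'<Relationships xmlns="{PKG_REL_NS}">'
    f'<Relationship Id="rId1" Type="{R_NS}/officeDocument" Target="word/document.xml"/>'
    '</Relationships>'
)


def extract_paragraphs(docx_bytes):
    """Step 1: pull out nothing but paragraph text from word/document.xml."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        root = ET.fromstring(zf.read("word/document.xml"))
    if root.tag != f"{{{W_NS}}}document":
        raise ValueError("not a WordprocessingML document")
    body = root.find(f"{{{W_NS}}}body")
    if body is None:
        raise ValueError("document has no body")
    paragraphs = []
    for p in body.iter(f"{{{W_NS}}}p"):
        paragraphs.append("".join(t.text or "" for t in p.iter(f"{{{W_NS}}}t")))
    return paragraphs


def verify(paragraphs):
    """Step 2: check the extracted data is well-structured under the policy."""
    if len(paragraphs) > MAX_PARAGRAPHS:
        raise ValueError("too many paragraphs")
    if sum(len(t) for t in paragraphs) > MAX_CHARS:
        raise ValueError("document too large")
    for text in paragraphs:
        if any(ord(ch) < 32 and ch != "\t" for ch in text):
            raise ValueError("control character in paragraph text")
    return paragraphs


def rebuild(paragraphs):
    """Step 3: build a brand-new .docx that carries only the verified text."""
    ET.register_namespace("w", W_NS)
    doc = ET.Element(f"{{{W_NS}}}document")
    body = ET.SubElement(doc, f"{{{W_NS}}}body")
    for text in paragraphs:
        t = ET.SubElement(ET.SubElement(ET.SubElement(body, f"{{{W_NS}}}p"),
                                        f"{{{W_NS}}}r"), f"{{{W_NS}}}t")
        t.text = text
        t.set(XML_SPACE, "preserve")  # keep leading/trailing spaces intact
    document_xml = ET.tostring(doc, encoding="UTF-8", xml_declaration=True)
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", CONTENT_TYPES)
        zf.writestr("_rels/.rels", ROOT_RELS)
        zf.writestr("word/document.xml", document_xml)
    return out.getvalue()


def disarm(docx_bytes):
    """Full CDR pass: extract, verify, rebuild. No detection step anywhere."""
    return rebuild(verify(extract_paragraphs(docx_bytes)))


def part_names(docx_bytes):
    """Helper for inspection: the set of parts inside a .docx package."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        return set(zf.namelist())


def build_suspicious_sample():
    """Constructed input: ordinary text alongside a VBA project part and a
    remote attached-template relationship. The VBA bytes and the template
    URL are placeholders made up for this example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", CONTENT_TYPES)
        zf.writestr("_rels/.rels", ROOT_RELS)
        zf.writestr("word/document.xml",
                    f'<w:document xmlns:w="{W_NS}"><w:body>'
                    '<w:p><w:r><w:t>Quarterly report</w:t></w:r></w:p>'
                    '<w:p><w:r><w:t>Revenue rose 4%</w:t></w:r>'
                    '<w:r><w:t xml:space="preserve"> year on year.</w:t></w:r></w:p>'
                    '</w:body></w:document>')
        zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")
        zf.writestr("word/settings.xml",
                    f'<w:settings xmlns:w="{W_NS}" xmlns:r="{R_NS}">'
                    '<w:attachedTemplate r:id="rId1"/></w:settings>')
        zf.writestr("word/_rels/settings.xml.rels",
                    f'<Relationships xmlns="{PKG_REL_NS}"><Relationship Id="rId1" '
                    f'Type="{ATTACHED_TEMPLATE_REL}" '
                    'Target="http://template-host.example/placeholder.dotm" '
                    'TargetMode="External"/></Relationships>')
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_suspicious_sample()
    clean = disarm(sample)
    print("input parts: ", sorted(part_names(sample)))
    print("output parts:", sorted(part_names(clean)))
    print("text carried: ", extract_paragraphs(clean))
```

The point to notice is that nothing in the pass asks "is this file malicious?". The macro container and the external template reference are gone from the output because the rebuilt package was never given them, which is exactly why the approach does not depend on a signature or heuristic existing for a new piece of malware. A production CDR would, of course, preserve far more than bare paragraph text (formatting, tables, images re-encoded from pixels), but each additional element is handled the same way: parsed into a data model, checked, and re-emitted into a fresh file.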
We live in uncertain times. First and foremost, our thoughts are with those caught up in the conflict in Ukraine, but beyond the immediate conflict zone providers of critical national infrastructure are under increasing levels of cyberattack. It’s time to review and act now.