Russia is targeting unpatched vulnerabilities – what can tech leaders do to shore up defenses?
Understanding the leading Russian threat groups and their methodologies is the key to a robust business cyber strategy
Amid the war in Ukraine and escalating global geopolitical tensions, the threat from Russian cyber adversaries has never been greater. So much so that the UK’s National Cyber Security Centre (NCSC) has issued a warning to firms to buckle up for online attacks by Russia's Foreign Intelligence Service (SVR).
According to a joint advisory of US security agencies, the nation is targeting unpatched vulnerabilities to infiltrate organizations. More than 20 publicly disclosed vulnerabilities are at risk of being exploited by the hacking group APT29 – also known as Midnight Blizzard and Cozy Bear, the advisory said.
In late November, a UK minister warned that Russia is ready to carry out cyber-attacks on the West in a bid to weaken support for Ukraine, which he said could leave millions without power. And in December Britain’s new cyber security chief warned that Russia is among the hostile adversaries exploiting the UK’s dependence on technology to cause “maximum disruption and destruction”.
As the threat from Russia ramps up, what should businesses be doing to protect themselves?
Russia’s cyber activity
Experts concur that Russian cyber-activity is increasing, with the nation targeting critical national infrastructure (CNI) as it continues its war with Ukraine.
Over the last two years, Russia has been performing “relentless attacks” targeting CNI, as well as organizations linked to supporting Ukraine’s war effort, says Philip Ingram, MBE, a former colonel in British military intelligence.
Russian cyber forces focus on four primary activities, says Ian Thornton-Trump, CISO for Inversion6 UK. The first is to “disrupt and demoralize” Western nations through disinformation and misinformation. Secondly, it wants to “ruthlessly pursue internal dissension within Russia and its allies”, he says.
Then, there are “overt cyber-attacks” such as ransomware and “covert espionage operations”, says Thornton-Trump. “Russia has developed considerable expertise in all these areas and its cyber forces are fully integrated into foreign policy objectives and battlefield support for kinetic operations.”
Russia generally sticks to a playbook. This has resulted in “limited cyber success against Western allies”, says Thornton-Trump. “Although clumsy and operational security mistakes have occurred, the Russians are persistent and continue to leverage their capability.”
Over the last few years, Russia’s methods became “much stealthier and more sophisticated”, says Sergey Shykevich, threat intelligence group manager at Check Point Software. The country is evolving towards “intense targeting of the supply chain”, especially focusing on technology vendors, he says.
Mitigating the Russia threat
To help prevent attacks, businesses should "threat model" appropriately against Russian groups, says Thornton-Trump. “Invest in proactive and detective cyber security controls that are effective against a highly skilled adversary who will unleash bespoke and targeted attacks. When facing Russia, robust defenses are required, but threat hunting and anomaly detection, as well as sophisticated honeypots, are essential to detect compromise before the damage is done.”
At the same time, organizations must adopt a "not if, but when" mindset regarding cyber-attacks, says Dan Lattimer, AVP, EMEA West at Semperis. To mitigate the risks, businesses must implement comprehensive cybersecurity frameworks and invest in tools and processes to harden environments, he says.
Mitigation isn’t easy because of the volume of attacks, but it comes down to getting the basics right, says Ingram. Given that Russia is targeting unpatched software flaws, this includes patching and ensuring operating system updates are done on time.
Russian threats often strike at areas of cyber hygiene that can be defended using industry-standard best practices, says Ken Dunham, director of cyber threat at Qualys threat research unit. He emphasizes the importance of strong patch management, anti-phishing solutions, and identity access management. “By shoring up overall cyber hygiene in a framework-driven SecOps environment, businesses have a much better chance at mitigating the risk of a Russian attack.”
Notable Russian groups
There are multiple known adversarial groups linked with Russia, some of which are backed by the GRU – the “oldest and most powerful” of the nation’s intelligence agencies, says Ingram.
He says GRU-related cyber groups include Fancy Bear and Sandworm, as well as new groups designated with the names Cadet Blizzard and Ember Bear. The campaigns from the well-known government-backed group, Cozy Bear “align with the goals and tasks” expected from a Russian foreign intelligence agency, says Kennet Harpsøe, lead security researcher at Logpoint. This includes espionage against Russian opponents such as Ukraine, Europe, the US, and central Asia, he adds.
Many Russian attacks focus on the supply chain to gain backdoor access to the main targets. The SolarWinds attack is the primary example of this, Harpsøe says.
APT28, APT29, Turla, and APT44 (Sandworm) seem to be the most prominent Russian government-affiliated groups, says Harpsøe. APT28 and APT44 focus on “destructive cyber-attacks”, while APT29 and Turla lean towards “traditional espionage”, he says.
The Russian government-backed threat groups are regarded as some of the most capable of all the state-sponsored attackers, says Harpsøe. “They are well-funded, and work at the level of a specialist who does this as their salaried day job.”
He explains the defining characteristic of Russia-backed groups is patience. “They have the time to develop their own malware and maintain it. And they have the resources to set up clandestine infrastructure to increase their operational security, as well as the patience to be stealthy and run operations for a very long time.”
Compared to other CRINK nations such as China, Iran, and North Korea, Russia’s investments reveal “significant investments in cyber warfare”, with groups such as APT29 posing “a persistent and evolving threat,” says Lattimer.
Russia has “very advanced cyberwar capabilities”, adds Dunham. “When compared to China, Iran, and North Korea, Russia is seeking to challenge Western influence and gain support from CRINK nations as part of a means to an end, such as receiving weapons and ammunition.”
Shykevich describes Russian hackers as “top-notch”, with “very high technical capabilities and sophisticated methods to get into sensitive networks and critical infrastructure”.
Yet the challenge of attribution complicates the landscape, says Lattimer. “As cyber operations become increasingly complex, distinguishing between state-sponsored actors and independent groups is difficult. This ambiguity reduces the likelihood of clear repercussions and emboldens malicious actors.”
Kate O'Flaherty is a freelance journalist with well over a decade's experience covering cyber security and privacy for publications including Wired, Forbes, the Guardian, the Observer, Infosecurity Magazine and the Times. Within cyber security and privacy, her specialist areas include critical national infrastructure security, cyber warfare, application security and regulation in the UK and the US amid increasing data collection by big tech firms such as Facebook and Google.