The Russia-Ukraine Conflict and the Mounting Cyber-Threat to the Homeland

As Russia’s invasion of Ukraine moves into its second week, the cyber threat to Western countries supporting Ukraine grows as Russian forces get bogged down.  I have had several friends ask, “How did we get here?” or “Why is the Russian-affiliated cyber threat so big?”  The answer, like many conversations, begins with a story.

A History Lesson in Cyber-Security

Fifteen to eighteen years ago, when the FBI formally established cyber squads to counter aggressive nation-states, Russia and China were at the top of that list.  The activity was largely confined to the defense sector and critical infrastructure, and we in the FBI were not even allowed to say that we were engaged in cyber investigations against those countries; “we cannot confirm or deny” was a common catchphrase.  Iranian cyber threats began to grow approximately 10 years ago, and the contest remained a relatively high-level engagement between these cyber “superpowers”.

Then it changed.  I use the Target attack of 2013 as the beginning of this change.  Criminals realized that they could use the Internet to connect to and exploit businesses all over the world.  They started spending money, building data centers, and developing code.  The bigger change came when three distinct forces emerged in 2014 and 2015 and began to dominate cyber-crime.  The first was the dark marketplaces, which allowed malware and stolen personal information to be bought and sold.  Such places had existed before, but they became far more prolific with the rise of the second force: cryptocurrency, which gave these marketplaces a payment rail and let them grow.  Lastly, we saw the creation of what we today call ransomware gangs.  These groups are highly organized, well-funded, and often operate from countries where they are protected or, at a minimum, can act with relative impunity.  This is where the story of the suspected Russian cyber threats comes in.

Russian-Based Cyber-Threats Up 800%

Suspected Russian-affiliated cyber threats have always been advanced, and Russia’s suspected state-sponsored hackers are some of the best in the world.  But where does a former state-sponsored hacker go after they are done serving their country?  To make money, of course.  And what if the best way to make money in a country like Russia is to work with cyber-crime organizations?  This is what appears to have happened to many of these individuals, because cyber-crime pays very well indeed.  Many of these criminal organizations have long been suspected of having ties to Russian intelligence, and recently those ties appear to have been confirmed by the leak of hundreds of pages of internal communications from inside the Conti ransomware gang.  Conti has collected more than $30 million in ransom payments in the last couple of years, and it is just one of the groups suspected of having ties to various Russian intelligence agencies.  With the start of the Russian invasion, we began to see where the true allegiances of these criminal groups lie.  The number of ransomware attacks rose more than 800% in just the first week of the war, and most of this is attributable to Russian-homed criminal groups.  In fact, Conti is purported to have issued a statement that it would defend its homeland against all aggressors, supposedly pledging its full support for President Putin.

Bad “Guys” Can’t Win

The threat is rising, and not just for large companies.  In 2021, 43% of ransomware victims were small businesses, and when we include mid-size companies that number rises to over 60%.  Statistically, any (note: ANY) business in the United States has a 1-in-4 chance of being successfully hit with ransomware and/or a data breach.  A ransomware attack will take down the infected corporate network for 20-25 days on average.  And that is before we even talk about email account compromise, which affected more than 70% of businesses in 2021.  So, let’s talk security before this happens to you.  I hate seeing the “bad guys” win.  During my time in the Bureau, I too often saw a company get victimized when all it was trying to do was run its business.  The threats will continue to evolve, and the criminal actors are awake 24 hours a day looking for ways to make everyone a victim.  This is why you need a comprehensive managed security partner in your corner to manage the entirety of your security perimeter, watch your environment 24/7, and take decisive action to keep it secure.  Let our three US-based SOCs and our talented security engineers take care of security from beginning to end while you concentrate on what you do best.

Security in a Non-Secure Environment

As a newly minted CISO, I have been injecting myself into the Ntirety environment, talking security at every corner of the company.  I come from a deep IT/security background where I have seen many companies fall prey to the ever-increasing cyber threat landscape.   

Sad Tales Abound

In my previous roles with Hewlett Packard Enterprise and the FBI, I would often speak with companies before and after they had been breached.  One of my saddest experiences was with a prospective SMB customer who was concerned about security in his environment but wasn’t sure where to start.  We discussed various options, including the deployment of a firewall or a security assessment to help him determine where the “right place to start” was.

He was non-committal, and we departed the meeting agreeing to meet again in a few months to see where he was in his decision.  I was concerned because I felt his corporate network was exposed and the threats against his company were rising as it became more successful and lucrative.

You can imagine my horror when his company was hit with a ransomware attack six weeks after our conversation.  I sent my corporate contact an email expressing my desire to help in any way.  Could I have done more?  Could I have been more convincing?  I don’t know, but my desire is to assist every customer in any way possible.  I want every customer’s environment to be more secure than when I first met them.

Basic Security First

What is the proper order to assist a customer in an insecure environment?  It feels like a “chicken-or-the-egg” conversation: do we secure the environment and then do a security assessment, or do we start with a security assessment and then see what we need to secure?  I have come down in the camp of basic security first, then assess.

One of the first conversations I have with any customer is a request for the customer to rate their security on a scale from 1 to 5, with 1 being almost completely insecure.  If a company rates itself a 1 or 2, it knows it is not secure and is easy to compromise.  In that case we should immediately discuss how to get them some form of protection before talking about a security assessment: at a minimum, firewall protection and multi-factor authentication.  My experience has shown that these low-hanging-fruit security gaps are exactly what criminals target first, and an assessment that takes weeks to schedule and complete does nothing to close them in the meantime.

This may go against conventional wisdom, and I have often been the champion of the assessment-first approach, but I worry that by delaying any action on securing an environment we leave the door open too long for an enterprising criminal to exploit yet another company.  The thought of another company being victimized while I am trying to help it is too much.  Let’s move the minimum security bar higher in all of our environments and make the criminals’ job that much harder.