Threat Advisory. Escalating geopolitical tensions between Russia, Ukraine and NATO members: Impacts for Australian and New Zealand organisations
Key Points
- Direct targeting of Australian and New Zealand organisations by Russian state actors is highly unlikely. However, regional organisations face heightened risks from:
- destructive cyber attacks against Ukraine which spread via supply chains or commonly used systems,
- increased targeting of all western organisations by Russia-linked cyber extortion groups.
- CyberCX is urging Australian and New Zealand organisations to adopt a posture of heightened cyber readiness and awareness.
- The cyber threat to all Australian and New Zealand organisations has materially increased due to geopolitical tension between Russia, Ukraine and NATO countries.
Background
On 22 February local time, President Putin recognised the ‘independence’ of the Luhansk and Donetsk regions of Eastern Ukraine. Hours later, he ordered the deployment of Russian military forces to the two regions. A wider conflict between Russia and Ukraine is now more likely than not.
Regardless of whether a military invasion of Ukraine occurs, it is almost certain that Russia will continue offensive cyber attacks against Ukraine and NATO members in the near term. It is also increasingly likely that these attacks will escalate from mostly low-sophistication and temporarily disruptive to sophisticated and destructive, as part of a broader hybrid warfare strategy against Ukraine by Russia.
In the event of an increased scale of cyber attacks against Ukraine, we assess the most likely targets will be domestic industrial and military assets, as well as organisations in the government, financial services, media and telecommunications sectors.
Impacts for Australian and New Zealand organisations
It is highly unlikely that Russian intelligence or military actors will directly target Australian or New Zealand organisations.
- We assess Russia is unlikely to meet Australian and New Zealand diplomatic responses to the unfolding crisis with equal weight as NATO and other European countries’ support of Ukraine. This is based on Australia and New Zealand’s generally lower strategic relevance to Russia and our assessment that they will be involved to a lesser extent than NATO/European countries.
There is a real chance that destructive attacks against Ukrainian or NATO targets could ‘spill over’ to affect Australian and New Zealand organisations. This risk is elevated for regional organisations with a large global footprint, particularly those with operations in NATO countries or Ukraine.
- Russian state-sponsored actors are using cyber attacks against Ukraine and NATO targets. Currently, these are predominantly ‘low-sophistication’ attacks like website defacements and DDoS attacks, but have included more sophisticated attacks such as wiper-malware masquerading as ransomware.
- Russia has a history of reckless use of cyber weapons – in 2017, Russia’s NotPetya attack against Ukraine inadvertently spread and disrupted organisations around the world, including in Australia.
- Regional organisations that do not have offices in Ukraine or NATO countries could feasibly be impacted if global third- and fourth-party suppliers and vendors are impacted by Russia-Ukraine cyber crossfire. Downstream impacts could affect business continuity and/or cyber security.
- We assess that the region’s financial services sector and industries with reliance on operational technology face an especially elevated risk. Russia has demonstrated a protracted interest in achieving strategic objectives through the disruption of critical infrastructure, including power grids, with destructive malware.1
- There is a real chance that Russia will target power grids or gas pipelines supplying Ukraine and NATO countries in response to new economic sanctions, including Germany’s shutting down of the Nord Stream 2 pipeline project.
Australian and New Zealand organisations are likely to face an increased tempo and scale of ransomware and other forms of cyber extortion in coming months.
- Observed cyber extortion attacks on Australian and New Zealand targets have already doubled month-on-month between January and February and are back to levels observed in Q4 2021.
- We assess there is a real chance that Russian-linked ransomware actors will increase targeting of all western assets, further exacerbating the recent rise in cyber extortion.
- We have moderate confidence that Russian intelligence services are able to influence the targeting of cyber extortion groups, as part of broader Russian strategy of destabilising and disrupting western governments and democracies.
Recommendations
Adopt a position of heightened readiness and awareness
CyberCX urges customers to be alert to any anomalies in their environment and ensure they are prepared to respond to incidents. This could include:
- Performing threat hunts aligned to tradecraft used by Russian threat actors,2
- Triaging high quality IOCs related to Russia-based cyber threats,
- Implementing any ‘quick win’ cyber mitigations not already in place,3
- Empowering emergency patch management for new vendor patches,
- Ensuring any surge capacity operational teams are on stand-by,
- Maintaining situational awareness of latest cyber threat intelligence.
This threat advisory has been prepared by the CyberCX Cyber Intelligence Team.
Read more about our practices and insights:
If you need assistance responding to a cyber incident, please contact our investigation and response team here.
Guide to CyberCX Cyber Intelligence reporting language
CyberCX Cyber Intelligence uses probability estimates and confidence indicators to enable readers to take appropriate action based on our intelligence and assessments.
| Probability estimates – reflect our estimate of the likelihood an event or development occurs | ||||||
| Remote chance | Highly unlikely | Unlikely | Real chance | Likely | Highly likely | Almost certain |
| Less than 5% | 5-20% | 20-40% | 40-55% | 55-80% | 80-95% | 95% or higher |
Note, if we are unable to fully assess the likelihood of an event (for example, where information does not exist or is low-quality) we may use language like “may be” or “suggest”.
| Confidence levels – reflect the validity and accuracy of our assessments | ||
| Low confidence | Moderate confidence | High confidence |
| Assessment based on information that is not from a trusted source and/or that our analysts are unable to corroborate. | Assessment based on credible information that is not sufficiently corroborated, or that could be interpreted in various ways. | Assessment based on high-quality information that our analysts can corroborate from multiple, different sources. |
1]https://media.defense.gov/2022/Jan/11/2002919950/-1/-1/0/JOINT_CSA_UNDERSTANDING_MITIGATING_RUSSIAN_CYBER_THREATS_TO_US_CRITICAL_INFRASTRUCTURE_20220111.PDF
2] See Detection section https://www.cisa.gov/uscert/ncas/alerts/aa22-011a
3] See Enhance Your Organization’s Cyber Posture section https://www.cisa.gov/uscert/ncas/alerts/aa22-011a; https://www.cisa.gov/sites/default/files/publications/CISA_Insights-Implement_Cybersecurity_
Measures_Now_to_Protect_Against_Critical_Threats_508C.pdf
