Threat Advisory. Russian travel sanctions against an additional 32 New Zealanders: Impacts for New Zealand organisations’ cyber risk

CyberCX Intelligence actively monitors cyber implications of the Russia-Ukraine war for Australian and New Zealand organisations. This Threat Advisory advises on cyber risk for New Zealanders sanctioned by Russia on 30 July and the organisations directly connected to them.

Key Points 

  • The Russian government sanctioned 32 New Zealanders on 30 July, indicating a focus on defence, local government, higher education and media sectors.

  • We assess that this development materially increases cyber risk in the immediate to medium term for the sanctioned individuals and organisations directly connected to them. Key risks include:

    • cyber extortion by pro-Russia cyber criminals, including ransomware and data theft extortion

    • publicity-focused and/or disruptive cyber attacks, including website defacement and DDoS attacks by pro-Russia cyber criminals

    • information operations by Russian nation-state actors, including ‘hack and leak’ attacks

    • cyber-enabled intimidation of named individuals by pro-Russia groups, especially those involved in public commentary.

  • This development is consistent with CyberCX’s Intelligence Update of 1 March 2022 that assessed that New Zealand organisations have a higher threat profile if they adopt a public view on the conflict, or are in sectors equivalent to those targeted in Russia by western sanctions.

The sanctions

  • On 30 July, the Russian Foreign Ministry announced sanctions against 32 New Zealanders working across the defence, local government, higher education and media sectors.[1]

    • The new additions bring the list of New Zealanders on Russia’s ‘stop list’[2] to a total of 162 and expand the scope from the first round of sanctions in April, which primarily covered New Zealand Members of Parliament.

    • The sanctions are targeted at high profile individuals associated with major New Zealand private and public sector organisations, including those in sectors equivalent to those targeted by western sanctions, or who have engaged in public commentary about the Russia-Ukraine war.

  • The Russian Foreign Ministry has indicated the latest sanctions are in response to the New Zealand Government’s “anti-Russian course”.

 

Impact on cyber risk

  • CyberCX Intelligence assesses that the public listing of these individuals—and organisations they are affiliated with—will increase their attractiveness as a target to Russian-based threat actors.  

  • CyberCX Intelligence assesses that impacted individuals and organisations face the following changes in the immediate term through to at least September 2022: 

    • Materially increased risk of publicity-focused and/or disruptive cyber attacks, including website defacement and DDoS attacks by pro-Russia cyber criminals. 

    • Materially increased risk of ransomware and data theft extortion by Russian-based cyber extortion groups.[3]

    • Materially increased risk of cyber-enabled intimidation against named individuals, for example via social media ‘trolling’ or doxing by pro-Russia cyber criminals.[4]

    • Increased risk of information operations (particularly hack and leak operations) against organisations and employees by Russian nation-state or other pro-Russia cyber criminals. Hack and leak operations could target enterprise and/or personal accounts and devices.  

  • CyberCX Intelligence continues to assess that it is highly unlikely that Russian nation-state actors would directly target New Zealand organisations with destructive cyber attacks, per our March Intelligence Update.

    • There is a real chance that destructive attacks against Ukrainian or NATO targets could ‘spill over’ to affect New Zealand organisations. Organisations with operations in these countries and/or in sectors which rely on operational technology face increased risk.

 

Recent Russian and pro-Russia cyber activity related to the Russia-Ukraine war 

  • Based on reported activity, the cyber dimension of the Russia-Ukraine war decreased in tempo and impact in May through July compared to March and April.

  • As of May through July, the majority of reported cyber activity related to the Russia-Ukraine war is publicity-focused and/or disruptive attacks being conducted by pro-Russia cyber criminals.

    • Pro-Russia cyber criminals continue to target organisations outside Ukraine with short-term disruptive attacks, primarily DDoS attacks.

  • In June, Russian nation-state actors conducted a phishing campaign against Ukrainian media organisations that involved the Microsoft “Follina” zero-day vulnerability (CVE-2022-30190).[5]

  • In May, Russian nation-state actors targeted UK government officials and other public figures in an information operation facilitated by email compromises.

    • A disinformation website called "Very English Coop [sic] d'Etat", registered on 19 April 2022, posted data stolen from the ProtonMail email accounts of several UK public and political figures. These figures include former head of the British Secret Intelligence Service, Richard Dearlove, and pro-Brexit individuals.

    • The website alleges that the targeted UK individuals were part of a conspiracy to interfere in Brexit-related decisions. The authenticity of the emails has not been verified.

    • Two victims, including Dearlove, stated they had been targeted by Russian nation-state actors. Security researchers have attributed both the information operation and the actual email compromises to Russian nation-state actors. These victims have not been sanctioned by Russia.

 

Recommendations 

  • CyberCX Intelligence recommends organisations linked to the sanctioned individuals take a ‘high alert’ stance for the next month and then reassess based on any further activity/inactivity. This could involve:

    • Lowering thresholds for alerts on accounts and devices specific to sanctioned individuals.

    • Applying additional security controls that do not impact the organisations’ ability to do business (e.g. filtering out email attachments that wouldn’t normally be sent to users).

  • We recommend organisations prioritise applying Microsoft updates, particularly to fix CVE-2022-30190.

  • We further recommend that organisations consider providing additional support to sanctioned individuals, as well as similarly high-profile employees who may not have been named. This could involve:

    • Conducting an open source exposure assessment to understand individuals’ digital footprint and identify any cyber hygiene concerns.

    • Implementing open source monitoring and alerting (across social media, deep and dark web sources) to proactively detect threats to individuals.
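
A sketch of the first recommendation above (lower alert thresholds for accounts tied to sanctioned individuals), added here as an example and not CyberCX code: a sliding-window failed-login detector that applies a stricter threshold to a watchlist. The account names, thresholds, window and log lines are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth events ("timestamp account result"), sorted by time.
SAMPLE_LOG = """\
2022-08-01T08:00:00 exec.a FAIL
2022-08-01T08:30:00 exec.a FAIL
2022-08-01T09:00:05 staff.b FAIL
2022-08-01T09:00:40 staff.b FAIL
2022-08-01T09:01:10 staff.b FAIL
2022-08-01T09:01:30 staff.b FAIL
2022-08-01T09:02:00 exec.a FAIL
2022-08-01T09:03:00 exec.a OK
2022-08-01T09:04:00 exec.a FAIL
2022-08-01T09:06:00 exec.a FAIL
"""

WATCHLIST = {"exec.a"}           # hypothetical account of a sanctioned individual
DEFAULT_THRESHOLD = 10           # assumed baseline: failures per window
WATCHLIST_THRESHOLD = 3          # assumed lowered threshold for watchlist accounts
WINDOW = timedelta(minutes=10)   # assumed sliding window


def parse(log):
    """Yield (timestamp, account, result) from whitespace-separated lines."""
    for line in log.strip().splitlines():
        ts, account, result = line.split()
        yield datetime.fromisoformat(ts), account, result


def failed_login_alerts(log, watchlist=WATCHLIST):
    """Return (account, timestamp, failures_in_window, threshold) per alert."""
    recent = defaultdict(deque)  # account -> failure times inside the window
    alerts = []
    for ts, account, result in parse(log):
        if result != "FAIL":
            continue
        window = recent[account]
        window.append(ts)
        while ts - window[0] > WINDOW:   # drop failures older than the window
            window.popleft()
        threshold = WATCHLIST_THRESHOLD if account in watchlist else DEFAULT_THRESHOLD
        if len(window) >= threshold:
            alerts.append((account, ts.isoformat(), len(window), threshold))
            window.clear()               # next alert needs a fresh burst
    return alerts


if __name__ == "__main__":
    for alert in failed_login_alerts(SAMPLE_LOG):
        print(alert)
```

The two early `exec.a` failures are 30 minutes apart and never share a window, so only the later burst alerts; `staff.b` has more failures but stays under the baseline threshold.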

 


 

This Threat Advisory has been prepared by the CyberCX Intelligence Team.


Guide to CyberCX Cyber Intelligence reporting language 

CyberCX Cyber Intelligence uses probability estimates and confidence indicators to enable readers to take appropriate action based on our intelligence and assessments. 

Probability estimates – reflect our estimate of the likelihood an event or development occurs

  • Remote chance: Less than 5%

  • Highly unlikely: 5-20%

  • Unlikely: 20-40%

  • Real chance: 40-55%

  • Likely: 55-80%

  • Highly likely: 80-95%

  • Almost certain: 95% or higher

Note, if we are unable to fully assess the likelihood of an event (for example, where information does not exist or is low-quality) we may use language like “may be” or “suggest”. 

Confidence levels – reflect the validity and accuracy of our assessments

  • Low confidence: Assessment based on information that is not from a trusted source and/or that our analysts are unable to corroborate.

  • Moderate confidence: Assessment based on credible information that is not sufficiently corroborated, or that could be interpreted in various ways.

  • High confidence: Assessment based on high-quality information that our analysts can corroborate from multiple, different sources.

 


 

[1] https://mid[.]ru/ru/foreign_policy/news/1824556/

[2] The Russian sanctions prevent named individuals from entry into Russia.

[3] Even before the sanctions were announced, CyberCX Intelligence had advised that the risks of cyber extortion and other cyber crimes were elevated for high-profile private sector organisations in New Zealand. The latest sanctions developments exacerbate these risks. See: Intelligence Update of 1 March 2022.

[4] Doxing refers to obtaining and publishing personal information about an individual online.

[5] https://cert.gov.ua/article/160530

 
