Threat Advisory Update. Russia/Ukraine conflict: Impacts for Australian and New Zealand organisations

Threat Advisory

The situation in Ukraine is actively evolving. CyberCX Cyber Intelligence is closely monitoring developments. This advisory contains point-in-time assessments that may change quickly. This post provides updates to our Threat Advisory released on February 24, 2022, accessible here.

Key Points

  • We continue to assess that direct targeting of Australian and New Zealand organisations by Russian state actors is highly unlikely.
  • We continue to assess that regional organisations face a real chance of cyber extortion by pro-Russian criminal actors. This risk is elevated for high-profile private sector organisations that:
    • take a public stance in support of Ukraine or in condemnation of Russia
    • are involved in facilitating or enforcing sanctions.
  • We assess that destructive cyber attacks by Russian state actors against Ukrainian, NATO or other European targets are highly likely, and there is a real chance Australian or New Zealand organisations could suffer collateral damage.
    • The risk has marginally increased since our February 24 Threat Advisory, especially for the financial and energy sectors and for organisations that rely on operational technology.
  • CyberCX continues to urge all Australian and New Zealand organisations to adopt a posture of heightened cyber readiness and awareness.

Background

The invasion of Ukraine by Russia has progressed to widespread conflict with major loss of life. Russian ground forces have pushed into Ukraine from its northern, eastern and southern borders. Ukrainian forces have repelled several attempts to capture strategic targets around Kyiv. There has been widespread damage in Ukraine as the result of artillery and aerial bombing.

Disruptive cyber attacks are continuing to take place against Ukraine, with a gradual increase in publicly reported destructive cyber attacks.

The EU, UK, US and others (including Australia) have escalated sanctions against Russia and ally Belarus, including suspending key Russian financial institutions from the SWIFT global banking system. These measures have caused major disruption of Russia’s economy, with the rouble plunging 30-40% against the US dollar. Several countries, including Australia, have shifted from providing non-lethal support to Ukraine to additionally supplying weapons. A significant number of high-profile global organisations and companies have imposed restrictions on Russia and Russian elites.

Rhetoric among cyber criminal and hacktivist actors

Since our February 24 Threat Advisory, multiple cyber crime and hacktivist groups have made public comments on the conflict.

  • At least six cyber criminal actors have made pro-Russia public statements.
    • Most relevantly for Australian and New Zealand organisations, cyber extortion group Conti issued statements in support of Russia, signalling the group will use their “full capacity to deliver retaliatory measures” against western threats to Russia, including against critical infrastructure assets.[1]
    • In 2021, Conti was the number one most frequent cyber extortion threat for Australia and New Zealand. Its most frequent victims were in the health, financial and manufacturing sectors. Conti is known for both ransomware and data theft extortion.
  • At least one cyber extortion group, Lockbit, has made statements asserting it will remain “apolitical”.
    • In 2021, Lockbit was the number two most frequent cyber extortion threat for Australia and New Zealand. Its most frequent victims were in the professional services, construction and manufacturing sectors. Lockbit is known for both ransomware and data theft extortion.
  • Several cyber crime and hacktivist groups have indicated support for Ukraine and Ukraine’s defence ministry has reportedly circulated requests for cyber warfare assistance in hacking forums.
    • The loose hacktivist collective Anonymous publicly leaked a Russian military database and launched a DDoS attack against Russian state-owned media giant Russia Today.

Impacts for Australian and New Zealand organisations

All regional organisations face a real – and increasing – risk of cyber extortion attacks.

  • Since our February 24 Threat Advisory, this risk has materially increased for Australian and New Zealand organisations that:
    • have taken a high-profile anti-Russia stance
    • have been featured in Russian media in relation to sanctions
    • operate in sectors equivalent to those in Russia that have been targeted by sanctions (e.g. energy)
    • provide essential services or are prominent within their communities.
  • We have moderate confidence that Conti and similarly motivated groups will adopt ‘publicity focussed’ targeting to maximise their impact on the conflict.
  • We assess that the cyber extortion threat will be exacerbated by ongoing economic disruption within Russia resulting from international sanctions, which may drive cyber crime operators to increase their operational tempo.

It remains highly unlikely that Russian intelligence or military cyber actors will directly target Australian or New Zealand organisations.

  • We continue to assess that the strategic relevance of Australia to Russia remains low relative to NATO/European countries. Australia’s increasing level of support for Ukraine and sanctions against Russia have been in step with those applied by countries and international organisations with much higher strategic relevance to Russia.

All Australian and New Zealand organisations continue to face a real chance of suffering collateral damage. This risk is more elevated for organisations with operations in NATO countries, Europe or Ukraine, or in certain key sectors.

  • We assess that the likelihood of a destructive cyber attack has increased since our February 24 Threat Advisory as the conflict has become more intense.
    • So far, Russian cyber attacks have remained opportunistic and narrowly targeted despite the significant escalation of kinetic warfare.
  • There is a real chance that a recklessly used cyber weapon will cause collateral damage to Australian and New Zealand organisations, either directly, through the spread of a self-proliferating weapon, or through disruption to vendors and suppliers.
  • We continue to assess that Ukrainian, NATO and other European organisations in the energy, military, government, media and financial services sectors, as well as industrial assets operating operational technology, are most likely to be the initial targets of a destructive cyber attack.
  • Regional organisations are most at risk if they:
    • have operations in Ukraine, Europe or NATO countries
    • are in the energy sector
    • are in the financial services sector
    • rely on operational technology.

Recommendations

Adopt a position of heightened readiness and awareness

CyberCX urges Australian and New Zealand organisations to be alert to any anomalies in their environment and ensure they are prepared to respond to incidents. This could include:

  • Performing threat hunts aligned to tradecraft used by Russian threat actors[2]
  • Triaging high quality IOCs related to Russia-based cyber threats
  • Implementing any ‘quick win’ mitigations not already in place[3]
  • Empowering emergency patch management for new vendor patches
  • Ensuring surge capacity operational teams are on stand-by (if relevant)
  • Reviewing cyber incident response preparedness plans
  • Maintaining situational awareness of latest cyber threat intelligence.
This threat advisory has been prepared by the CyberCX Cyber Intelligence Team.

If you need assistance responding to a cyber incident, please contact our investigation and response team here.


Guide to CyberCX Cyber Intelligence reporting language

CyberCX Cyber Intelligence uses probability estimates and confidence indicators to enable readers to take appropriate action based on our intelligence and assessments.

Probability estimates – reflect our estimate of the likelihood an event or development occurs

  • Remote chance: less than 5%
  • Highly unlikely: 5-20%
  • Unlikely: 20-40%
  • Real chance: 40-55%
  • Likely: 55-80%
  • Highly likely: 80-95%
  • Almost certain: 95% or higher

Note, if we are unable to fully assess the likelihood of an event (for example, where information does not exist or is low-quality) we may use language like “may be” or “suggest”.

Confidence levels – reflect the validity and accuracy of our assessments

  • Low confidence: assessment based on information that is not from a trusted source and/or that our analysts are unable to corroborate.
  • Moderate confidence: assessment based on credible information that is not sufficiently corroborated, or that could be interpreted in various ways.
  • High confidence: assessment based on high-quality information that our analysts can corroborate from multiple, different sources.

[1] In response to these statements, an individual believed to be a Ukrainian Conti group member leaked the group’s message logs from late January through late February. CyberCX Cyber Intelligence is still analysing this dataset for potential insights into Conti’s tradecraft to inform assessments and provide actionable threat intelligence to Managed Security Services customers.

[2] See the Detection section of https://www.cisa.gov/uscert/ncas/alerts/aa22-011a

[3] See the Enhance your Organization’s Cyber Posture section of https://www.cisa.gov/uscert/ncas/alerts/aa22-011a; https://www.cisa.gov/sites/default/files/publications/CISA_Insights-Implement_Cybersecurity_Measures_Now_to_Protect_Against_Critical_Threats_508C.pdf
