Since 24 February 2022, we have been watching with concern the war of aggression against Ukraine launched by Russia in violation of international law. In this context, the fear of cyber attacks is also growing. In the following article, we would like to present our findings on the extent to which this war is also being waged in cyberspace and what effects on the cyber threat situation can be expected.
First, the period before the invasion: Even before Russian troops crossed the border, there was a flood of data wiper and distributed denial of service (DDoS) attacks against Ukrainian government agencies, critical infrastructure and news agencies. The wiper malware aimed to irrecoverably destroy large amounts of data on the infected systems; the DDoS attacks flooded servers with illegitimate requests until the infrastructure behind them overloaded and became unavailable.
According to Ukraine’s Computer Emergency Response Team (CERT-UA), phishing campaigns by Belarusian state-sponsored hackers targeting Ukrainian military personnel and associated individuals have been observed. The focus was on email accounts: “After the account is compromised, the attackers gain access to all messages via the IMAP protocol.”[1] The attackers then used the contact information stored in the victim’s address book to send further phishing messages to new targets. (https://cert.gov.ua/articles) Phishing mails sent from a compromised account to its own contacts arrive from a trusted sender, which is what makes this propagation so effective. Taken together with the wiper and DDoS campaigns, this shows that Russia is using cyberspace for hybrid warfare. This apparently includes not only attacks on critical IT infrastructure, but also the targeted dissemination of false information by Russia.
Russia itself is also a target of attacks: In early March, Russia’s National Coordination Center for Computer Incidents (NCCCI) published an extensive list of 17,576 IP addresses and 166 domains said to be attacking Russian infrastructure with DDoS attacks. As part of its recommendations for defending against DDoS attacks, the NCCCI urges Russian organisations to shield network devices, enable logging, change passwords for key infrastructure elements, disable automatic software updates, disable third-party plugins on websites, ensure that data backups are taken and watch out for phishing attacks. The advice to disable automatic updates is aimed at the risk of a compromised update channel and runs counter to the usual guidance to patch promptly; it is a trade-off, not a general best practice.
The ground war is thus accompanied by a spate of cyber attacks in the digital domain. Hacktivist groups and other vigilante actors on both sides are attacking government and commercial websites and exposing troves of personal data.
According to Reuters, the fallout from the war has prompted the Ukrainian government to form a volunteer “IT army” of civilian hackers from around the world to carry out operational tasks against Russia on the cyber front. This “IT army” has been given a list of targets that includes the Belarusian railway network, Russia’s GLONASS satellite navigation system and telecommunications operators. (https://www.dw.com/en/russia-ukraine-conflict-what-role-do-cyberattacks-play/a-60945572)
Ukraine is also receiving support from Anonymous, the internationally organised hacker collective that has declared digital war on the Kremlin. Numerous Russian government websites were inaccessible until 26 February, presumably because of Anonymous activists. The website of the Russian state broadcaster RT, regarded in Western countries as a Kremlin propaganda tool, was also affected by retaliatory cyber attacks. (thehackernews.com)
Significance for German companies
But what does this mean for German companies? Because of its participation in the sanctions against Russia, Germany could increasingly become a target of hacker attacks, according to Interior Minister Nancy Faeser (SPD). She said that Germany had “ramped up protective measures to ward off possible cyberattacks and sensitised relevant agencies.” (https://www.bmi.bund.de/SharedDocs/kurzmeldungen/DE/2022/02/ukraine.html)
The German subsidiary of Rosneft, Russia’s largest oil producer, has also not been spared by hackers in connection with the Ukraine conflict. The German Federal Office for Information Security (BSI) confirmed that Rosneft Deutschland GmbH reported an IT security incident at the weekend as part of its KRITIS reporting obligations. The hacker group Anonymous has claimed responsibility for the cyber attack on the German branch of the Russian energy company and says it caused major damage. Allegedly, 20 terabytes of data were exfiltrated and the contents of dozens of devices were deleted. The hackers behind this attack, who consider themselves part of the Anonymous collective, are apparently from Germany. The concern is that Russia could interpret such an attack as an act of war and target German companies more aggressively in response.
In accordance with § 7 of the BSI Act, the BSI also warns against the use of anti-virus software from the Russian manufacturer Kaspersky and recommends replacing applications from Kaspersky’s antivirus portfolio with alternative products. Background: Antivirus software runs with extensive system privileges and maintains a permanent connection to the manufacturer’s servers for updates, so trust in the manufacturer is a precondition for using it. A Russian IT manufacturer could be forced by the Russian government to carry out offensive operations itself and attack target systems against its will. A further danger is that the manufacturer itself is spied on as the victim of a cyber operation or is misused, without its knowledge, as a tool for attacks against its own customers. (Further information at: https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse2022/220315_Kaspersky-Warnung.html)
Thus, we in Germany could also be confronted with large waves of cyber attacks in the future, as borders are not clearly recognisable in cyberspace. Our control centre is therefore observing current events with increased vigilance and preparing for an emergency.
German companies are considered vulnerable when it comes to cyber security, as several attacks last year showed: The IT industry association Bitkom estimates the total annual damage caused by digital theft, blackmail and sabotage at 223 billion euros. Experts criticise that still very little is invested in cyber security[2].
Current developments are particularly worrying for our customers in the critical infrastructure sector, who fear that they could soon fall victim to attacks themselves. We have therefore increased the protective measures in our control centre and rolled out new security mechanisms and use cases on our customer sensors that detect traffic to and from IP ranges associated with the current cyber attacks from Russia.
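The following is an added illustration of the kind of sensor use case described above; it is example code written for this article and not our control centre's actual detection logic. It assumes a blocklist of CIDR ranges and firewall logs in a simple key=value format; both the ranges (IETF documentation prefixes, not real attacker infrastructure) and the log lines are constructed for the example, and it does not reproduce the NCCCI list mentioned earlier.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed, hypothetical blocklist for this example only. These are IETF
# documentation ranges (RFC 5737 / RFC 3849), not real attacker infrastructure.
BLOCKLIST_CIDRS = [
    "198.51.100.0/24",
    "203.0.113.0/24",
    "2001:db8:dead::/48",
    "not-a-network",  # malformed entry, as found in large hand-assembled lists
]

# Constructed sample firewall log lines (key=value format) for the demonstration.
SAMPLE_LOGS = """\
2022-03-08T10:15:01Z action=allow src=198.51.100.23 dst=10.0.0.5 dport=443
2022-03-08T10:15:02Z action=allow src=10.0.0.5 dst=203.0.113.77 dport=445
2022-03-08T10:15:03Z action=allow src=192.0.2.14 dst=10.0.0.8 dport=22
2022-03-08T10:15:04Z action=allow src=2001:db8:dead:1::9 dst=2001:db8:1::1 dport=80
2022-03-08T10:15:05Z action=deny src=203.0.113.9 dst=10.0.0.5 dport=3389
2022-03-08T10:15:06Z action=allow src=garbage dst=10.0.0.5 dport=80
"""

_KV = re.compile(r"(\w+)=(\S+)")


def load_blocklist(cidrs: List[str]) -> List[Network]:
    """Parse CIDR strings into network objects, silently dropping malformed entries."""
    networks: List[Network] = []
    for entry in cidrs:
        try:
            # strict=False tolerates host bits being set in a prefix.
            networks.append(ipaddress.ip_network(entry.strip(), strict=False))
        except ValueError:
            continue
    # Merge overlapping/adjacent prefixes (per address family) so lookups touch fewer entries.
    v4 = [n for n in networks if n.version == 4]
    v6 = [n for n in networks if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def match_ip(ip_text: str, networks: List[Network]) -> Optional[Network]:
    """Return the first blocklisted network containing ip_text, or None."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None  # unparseable field: not a hit, and never an exception in the pipeline
    for net in networks:
        if ip.version == net.version and ip in net:
            return net
    return None


def scan_logs(log_text: str, networks: List[Network]) -> List[Dict[str, str]]:
    """Flag every log line whose src or dst lies inside a blocklisted range.

    Inbound hits (src matches) point at scanning or DDoS sources; outbound hits
    (dst matches) are the more urgent signal, because an internal host talking
    to listed infrastructure may already be compromised.
    """
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        fields = dict(_KV.findall(line))
        for direction, key in (("inbound", "src"), ("outbound", "dst")):
            net = match_ip(fields.get(key, ""), networks)
            if net is not None:
                hits.append({
                    "direction": direction,
                    "ip": fields[key],
                    "network": str(net),
                    "action": fields.get("action", ""),
                    "line": line,
                })
    return hits


if __name__ == "__main__":
    nets = load_blocklist(BLOCKLIST_CIDRS)
    for hit in scan_logs(SAMPLE_LOGS, nets):
        print(f"[{hit['direction']:8}] {hit['ip']:>20} in {hit['network']} ({hit['action']}): {hit['line']}")
```

The linear scan over the collapsed prefix list is adequate for a demonstration; for a list of the size the NCCCI published and sensor-rate traffic, a production implementation would index the prefixes in a radix tree instead. Note that a "deny" line still produces a hit: a blocked connection attempt from a listed range is useful context even though it caused no harm.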