On the Internet We’re All in a War Zone: Why it’s Time to Prepare for the Worst

Sadly, once again we find ourselves watching war as it unfolds. More than any previous conflict, this one is being fought in cyberspace as well as on land and in the air. Many commentators raised their eyebrows when NATO officially added cyber to Article 5 of its founding treaty back in 2016. That now seems like a prescient move. But while the fighting, both online and off, has been largely confined to Ukrainian targets thus far, that’s unlikely to last for long.

The truth is that, by accident or design, we’re all in a war zone online, because online conflict does not respect country boundaries or even physical distance. Western targets must prepare accordingly, by understanding their attack surface in granular detail, and probing for weaknesses that could be exploited by adversaries in the days, weeks and months to come. Resilience is the name of the game here, and that will only come about by plugging the highest risk gaps now across cloud and on-premises infrastructure.

Upping the Stakes

We’ve already heard of multiple offensive cyber-campaigns traced back to the Kremlin. They began even before the invasion, when scores of Ukrainian government websites were defaced and wiper malware known as WhisperGate was discovered targeting multiple organizations in the region. More destructive malware variants, HermeticWiper and IsaacWiper, were launched in the early days of the campaign, reportedly rendering hundreds of machines unusable.

By targeting the Master Boot Record (MBR) and strategically important folders of the Windows OS, the malware is eerily reminiscent of NotPetya, another wiper variant disguised as ransomware and aimed at Ukrainian targets in 2017. NotPetya matters because it tells us something very important about destructive cyber-attacks: they can very easily “spill over” and impact organizations that weren’t originally intended as targets. It also happened with Stuxnet—a weapon that was designed with high precision to target Iranian uranium enrichment facilities, but still spilled over and infected other machines.

In short, war is never as clean and precise as Hollywood movies make it seem. In the case of NotPetya, multinationals in Ukraine found their networks impacted, and the worm-like threat eventually travelled down corporate VPNs to spread globally, causing billions of dollars’ worth of damage. One victim, US pharma giant Merck, was only recently awarded a $1.4B payout from its insurer to cover costs incurred during the attack.

That said, Western firms may also need to contend with genuine Russian state-backed cyber-attacks if tensions ratchet up further and economic sanctions begin to hit the Putin regime hard. Just what they’re capable of should be clear following the SolarWinds attacks, which compromised nine US government agencies. Russia also has an ace in the hole: an ‘army’ of organized cybercrime groups prepared to turn their nefarious talents to hitting critical infrastructure and other strategically important Western sectors. With big budgets to spend on attack tools and exploits, plenty of know-how, and a sophisticated cybercrime supply chain in place, they could do significant damage.

Building Resilience

If geopolitical tensions remain high for an extended period, the chances of innocent organizations being drawn into the online conflict increase significantly. The lesson for defenders is to fix defensive gaps now, before they’re exposed—intentionally or otherwise. Just as First World War gas attacks spread indiscriminately, harming anyone without a well-fitted and sealed gas mask on, cyber-weapons will go anywhere, through whatever gaps are left open.

Finding these vulnerabilities and misconfigurations first requires a detailed understanding of the entire corporate network, which for most organizations will extend from on-premises servers and data centers across multiple public cloud environments. That means knowing and mapping every single network device, application, service and data pathway. From this position of enhanced visibility, it’s then possible to enforce security policy to minimize exposure, and continuously check for and correct any policy compliance drift. The “continuous” qualifier is particularly important given the dynamic and ephemeral nature of cloud assets.
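The continuous drift check described above can be reduced to something quite concrete: keep a baseline snapshot of the rules that expose each asset, compare every fresh inventory against it, and flag any rule that now violates policy. The following is an added illustration, not code from the original article or from any vendor it mentions. The asset names, the admin-port list, the public-service allowlist and both inventory snapshots are constructed for the example; a real deployment would feed in exported security-group and firewall rules from each cloud account and on-premises device.

```python
"""Continuous policy-drift check over a constructed network-rule inventory.

Added example: compares a baseline snapshot of firewall / security-group
rules with the current one, flags rules that violate an assumed exposure
policy and emits the corrective action for each.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_network

# Ports that must only ever be reachable from management networks (assumed policy).
ADMIN_PORTS = {22, 3389, 5985, 5986}   # SSH, RDP, WinRM (HTTP/HTTPS)

# Services approved to face the Internet (assumed allowlist, not from the article).
PUBLIC_ALLOWLIST = {("tcp", 80), ("tcp", 443)}


@dataclass(frozen=True, order=True)
class Rule:
    """One inbound allow rule on a firewall or cloud security group."""
    asset: str          # device or security-group name (constructed)
    environment: str    # "cloud" or "on-prem"
    proto: str
    port: int
    source: str         # CIDR permitted to reach the port


def is_world_open(source: str) -> bool:
    """True for 0.0.0.0/0, ::/0 or any other zero-length prefix."""
    return ip_network(source, strict=False).prefixlen == 0


def check_rule(rule: Rule) -> list[str]:
    """Return policy violations for a single rule (empty list if compliant)."""
    findings: list[str] = []
    if not is_world_open(rule.source):
        return findings                      # only Internet-wide sources are in scope here
    if rule.port in ADMIN_PORTS:
        findings.append(f"{rule.asset} ({rule.environment}): admin port "
                        f"{rule.proto}/{rule.port} reachable from the Internet")
    elif (rule.proto, rule.port) not in PUBLIC_ALLOWLIST:
        findings.append(f"{rule.asset} ({rule.environment}): {rule.proto}/{rule.port} "
                        f"exposed to the Internet without approval")
    return findings


def detect_drift(baseline: set[Rule], current: set[Rule]) -> dict:
    """Diff two inventory snapshots and evaluate the current one against policy."""
    added = sorted(current - baseline)       # rules that appeared since the baseline
    removed = sorted(baseline - current)     # rules that disappeared (possible lost controls)
    violations = [f for r in sorted(current) for f in check_rule(r)]
    remediation = [f"remove {r.proto}/{r.port} from {r.source} on {r.asset}"
                   for r in sorted(current) if check_rule(r)]
    return {"added": added, "removed": removed,
            "violations": violations, "remediation": remediation}


# Constructed snapshots: the baseline was compliant; the current one has drifted.
BASELINE = {
    Rule("web-sg", "cloud", "tcp", 443, "0.0.0.0/0"),
    Rule("web-sg", "cloud", "tcp", 22, "10.0.0.0/8"),
    Rule("dc-fw", "on-prem", "tcp", 3389, "10.20.0.0/16"),
}
CURRENT = {
    Rule("web-sg", "cloud", "tcp", 443, "0.0.0.0/0"),
    Rule("web-sg", "cloud", "tcp", 22, "0.0.0.0/0"),      # drift: SSH opened to the world
    Rule("dc-fw", "on-prem", "tcp", 3389, "10.20.0.0/16"),
    Rule("db-sg", "cloud", "tcp", 5432, "::/0"),          # drift: new DB rule open over IPv6
}

if __name__ == "__main__":
    report = detect_drift(BASELINE, CURRENT)
    for key in ("added", "removed", "violations", "remediation"):
        print(f"{key}:")
        for item in report[key]:
            print(f"  {item}")
```

Run on the constructed snapshots, the check reports two added rules, one removed rule and two violations (the world-open SSH rule and the unapproved IPv6 database exposure), each paired with the rule to remove. Scheduling this against a fresh export on every run is what makes the check “continuous”; the removed-rule list matters as much as the violations, since a control that quietly disappears is drift too.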

Ultimately, war, in whatever theater it’s fought, is about resilience. So if it wasn’t already a priority, take some inspiration from the brave men and women protecting their Ukrainian homeland, and make cyber-resilience a priority for your organization today.