Security consultant Alex Bomberg doesn’t know what comes next. As a commercial intelligence specialist and CEO of consultancy group Intelligent Protection International Limited and International Intelligence Limited, he is used to dealing with cyber security threats. It’s hard to predict what Russian cyber attackers might do at this time.
He expects a major attack on something central, such as energy supplies, banking systems or other critical infrastructure, aiming to disrupt as many organisations as possible. “It’s certainly quite scary because I don’t know what's next and there are lots of areas this could affect.”
Organisational resilience will be critical, he says. Leadership teams should be looking at all aspects of their organisations to make sure they are prepared for any eventuality. “People know that fuel prices are going to go up massively, for example. I think we have to prepare for something in the long run.”
Graeme McGowan, Director, Cyber & Security Risk at Optimal Risk, performs penetration-testing activities and wargaming scenarios for businesses to help them prepare for serious cyber threats. Russian hackers have been disrupting businesses for years, and have been particularly active in Ukraine, he explains. It is highly likely that they will turn more attention to the countries and organisations that have taken a public stance against Russia’s actions.
“Whether you’re an SME or a big company, and you’ve got any potential links to Russia, you’re going to be a target. If you’re well versed in what to do, you can probably avoid that. But from bottom up, people need to be aware of the risks.”
Companies often don’t understand what could happen until it has happened, he explains. It can be expensive to repair the damage, and insurance companies will want to see that businesses have taken as many steps as possible to protect their data. The proliferation of remote working needs careful consideration as well. McGowan recommends using a Virtual Private Network (VPN) and firewalls to protect your data and systems remotely.
“When we do wargaming exercises, we’ll take a company into a room and go through a typical scenario where a company might have been hacked. They don’t know what’s happened, but they just had an email from somebody saying: ‘All your client data has been stolen by this group from Russia. They’ve now put it on the deep and dark web, and you’ve lost all your credentials as a company.’ That’s the sort of scenario organisations might face.”
The five highest-threat Russian hacking groups
1) The UAC-0056 threat group (AKA TA471, SaintBear and Lorec53)
The UAC-0056 threat group has been active since at least March 2021 and has attacked government and critical infrastructure organisations in Georgia and Ukraine.
They tend to gain initial access by sending spear-phishing emails that contain either Word documents (carrying malicious macros or JavaScript code) or PDF files (with links leading to the download of ZIP archives containing malicious LNK files). These are used to install and execute first-stage malware loaders that fetch further malicious payloads.
Their previous cyber attacks have used spoofing within their phishing campaigns to reach their targets. The same technique could be used against companies in Europe or the United States.
Targeted industries/sectors: government, energy
2) Sandworm Team (Black Energy, BlackEnergy, ELECTRUM, Iron Viking, Quedagh)
Sandworm, also tracked as TeleBots, TEMP.Noble or VOODOO BEAR, is a group of Russian hackers that has been behind a major cyber campaign targeting foreign-government leaders and institutions, especially Ukrainian ones, since 2009.
In February 2022, the United States’ and United Kingdom’s cybersecurity and law enforcement agencies uncovered a novel botnet that has been used by Sandworm since June 2019. The malware, dubbed Cyclops Blink, targets WatchGuard Firebox and other Small Office/Home Office (SOHO) network devices, and grants the threat actors remote access to networks. It is estimated to affect approximately 1% of all active WatchGuard firewall appliances in the world.
Targeted industries/sectors: government, critical systems (energy, transportation, healthcare)
3) Gamaredon Group
Active since at least 2013, Gamaredon Group is a Russian state-sponsored APT group. In 2016, the Gamaredon Group was responsible for a cyber espionage campaign, tracked as Operation Armageddon, targeting the Ukrainian government, military, and law enforcement officials.
In February 2022, cybersecurity researchers reported that Gamaredon had attempted to compromise an undisclosed Western government entity operating in Ukraine as part of a phishing campaign. The threat actors leveraged a Ukrainian job search and employment platform to upload a malware downloader masquerading as a resume for a job ad that was posted by the targeted organisation.
Targeted industries/sectors: government, technology
4) APT29 (AKA Dukes or Cozy Bear)
APT29 is a well-resourced and organised cyber espionage group. Security researchers suspect that the group is a part of the Russian intelligence services. APT29 primarily targets Western governments and related organisations, such as government ministries and agencies, political think tanks, governmental subcontractors, diplomatic services, healthcare organisations, and energy targets.
The group frequently uses publicly available exploits to conduct widespread scanning and exploitation against vulnerable systems, likely in an effort to obtain authentication credentials to allow further access. This broad targeting gives the group potential access to a large number of systems globally. The group may maintain a store of stolen credentials in order to access these systems in the event that they become more relevant in the future.
Throughout 2020, APT29 targeted various organisations involved in COVID-19 vaccine development in Canada, the US and the UK.
Targeted industries/sectors: telecom, technology, pharmaceutical
5) APT28 (AKA Fancy Bear)
APT28, also called Group 74, Pawn Storm, SNAKEMACKEREL, STRONTIUM, Sednit, Sofacy, Swallowtail, TG-4127, Threat Group-4127, or Tsar Team, is a state-sponsored hacking group associated with the Russian military intelligence agency GRU. The group has been active since 2007 and usually targets privileged information related to government, military and security organisations.
It was observed targeting organisations and individuals involved in the US presidential election. The group’s efforts are focused on stealing targets' credentials and compromising their accounts to potentially disrupt elections and to harvest intelligence to be used as part of future attacks.
Targeted industries/sectors: military, security, government, press