The unfolding crises in Ukraine has exposed new facets of nation-state conflicts that have impacts far beyond the immediate geographic region. As a global company, we have tremendous empathy for all who are harmed, displaced, or otherwise negatively impacted by the ongoing attacks, including many of our extended F5 family. Without overlooking the very real, very human aspects of the Russia-Ukraine conflict, we have also been asked by customers to provide guidance on the kinds of cyberattacks that they may see more of in the days to come, in light of recent events. Accordingly, the piece below intends to address those inquiries in a straightforward, respectful, and practical manner.
The role of cyberattacks in nation-states conflicts have given rise to new cybersecurity concerns on a different scale than many organizations have dealt with traditionally, further highlighting the importance of defending against sophisticated attacks through a proactive cybersecurity strategy.
With the evolution of the Internet, global business operations have changed tremendously. Digital transformation is happening at an exponential scale, spurring technology advancements and cyberattack sophistication in equal measure. In parallel, today’s organizations are still dealing with traditional attackers that are motivated financially, but also nation-states and cause-based actors that have broader goals. Of course, with the increase in sophistication of cyberattacks, corresponding protections need to evolve regularly as well. In today’s economy, you are much more likely to encounter nation-state actor that are developing exploits for known (and unknown) vulnerabilities.
In practice this leads to nation-states actors developing exploits that target the Internet (and critical services) infrastructure of other nations on a continuous basis. While the most immediate scenarios that come to mind are geopolitical conflicts between nation-states, many of the same principles must now be broadly applied to traditional enterprise security practices, particularly as nation-states often will attack a combination of government and private-sector Internet resources as a means to destabilization. Accordingly, targeted cyberattacks pose a significant threat both to the integrity of nations and also those attempting to conduct any related business efforts with (or within) a targeted geography. This has led to proactive and continuous cybersecurity as a heightened need for all types of organizations.
Broadly speaking, nation-state adversaries launch targeted cyberattacks to severely diminish the infrastructure of nation-states and disrupt the functionality of their Internet systems, which in turn can impact the financial and military infrastructure. Figure 1 highlights an example of a targeted attack (in this case, phishing) in action.
Figure 1: Targeted Phishing Attack in Action
Targeted cyberattacks are executed using malicious code designed to conduct stealthy operations. Some examples of the malicious code are exploits (exploiting vulnerabilities), rootkits (tampering kernel and user mode for unauthorized operations), Remote Administration Toolkits (managing compromising systems), Wipers (destroying Master Boot Records of the system), ransomware (encrypting sensitive data and asking ransom) and many others. While generally referred to as cyberattacks, one can deem these individual tactics as “digital weapons.”
Adversaries conduct a wide variety of attacks during nation-states conflicts, with digital threats posed alongside those of a traditional physical nature. Today's nation-states are well-versed in carrying out multiple sets of cyberattacks, with prominent examples discussed below:
Related, here is a quick breakdown of notable cyberattacks likely to be used as “digital weapons” in nation-state conflicts:
Cyberattack Type | Malicious Code Name (“Digital Weapon”) |
Characteristics |
---|---|---|
Distributed Denial-of-Service (DDoS) | Unknown Botnet | Denial-of-Service: Impacting the availability of critical infrastructure such as web portals of financial institutions, military, etc. |
Malware Distribution | Whisper Gate | Data Destruction and System Bricking: Corrupting the Master Boot Record (MBR) of the compromised systems and encrypting sensitive files |
Malware Distribution | Hermetic Wiper | Data Destruction and System Bricking: Corrupting and erasing sensitive files on the compromised systems |
Table 1: Malicious code likely to be used in cyberattacks launched during nation-states conflicts
Using the digital weapons listed above, nation-state actors can launch a tremendous set of attacks to severely impact the infrastructure owned by governments and organizations. This is usually part of a larger strategy to upset the ability of the nation-state to communicate freely, and to disrupt the financial and military systems on the fly by circumventing the integrity, availability, and confidentiality of the active systems in the infrastructure.
Again, while this may seem most immediately relevant to nation-states in conflict, there is a broader risk when the tools and exploits used in these attacks make their way into the larger threat landscape. (A historical example of this is the NotPetya bug from 2017.)
Proactive cybersecurity has become the prevailing necessary approach. While governments are generally responsible for ensuring that critical infrastructure (including military web portals, financial institutions' websites including SCADA infrastructure) should be continuously monitored and protected against cyberattacks, the lines between public- and private-sector security have become much more nuanced. Looking at the overall picture, securing network infrastructure and deployed applications is critical to circumvent network attacks such as DDoS and malicious code distributed over the wire to preserve the integrity of infrastructure resources without impacting the availability. More importantly, protecting the critical applications against HTTP attacks is required as well. The most important part is to ensure communication over the Internet stays undisrupted. For that, organizations need to ensure their infrastructure is embedded with security mechanisms to combat cyberattacks.
The accelerated pace of digital transformation has resulted in the adoption of modern applications by governments and organizations to achieve operational efficiency. However, these applications require protection against advanced cyberattacks, which can be targeted or broad-based in nature. It becomes even more relevant during times of nation-states conflict to ensure that critical applications can be kept available. Governments, and all organizations, should remain vigilant with the following key points to consider:
Building a strong and robust cybersecurity posture should include availability, i.e., one can still use critical applications if they are under attack. Achieving security with resiliency and undisrupted availability are the benchmarks of proactive cybersecurity, with the understanding that threats (and mitigations) will never stop evolving.