Cyberwarfare or cyber terrorism refers to a form of security incident in which a nation-state actor or group attempts to damage another nation’s information technology infrastructure.
They typically achieve this by disrupting the technology of public service organisations such as the government, healthcare, education, transport and military. These attacks can take many forms, including ransomware, espionage and denial-of-service attacks.
In recent years, we have seen how large an impact nation-state-sponsored attacks can have on public and private infrastructure. The WannaCry ransomware of 2017, for example, was attributed by the NCSC to state actors.
This impacted thousands of organisations across multiple countries. The UK’s National Health Service (“NHS”) was severely affected, with 80 NHS organisations hit by the ransomware, along with household brand names like Telefónica, Boeing and Honda.
While WannaCry was not intended to be a direct attack on these companies, it highlighted the propensity of organisations to become collateral damage in broader nation-state attacks. This risk seems particularly pronounced at the moment, given the Russian invasion of Ukraine and evidence that offensive cyber activity had begun before the invasion.
Russian–Ukrainian cyberwarfare: what’s happened so far
In January of this year, Ukraine claimed it had “evidence” Russia was behind an attack that disrupted the Ukrainian government’s websites. The malware used in the campaign has been dubbed WhisperGate by researchers at Microsoft. It is a form of ‘wiper’ malware that overwrites the hard drives of systems it infects.
Russia launched its ground assault against Ukraine in late February following this digital altercation. While it was widely believed that Russia’s cyber offense would match the force of its on-the-ground army, this has yet to be seen. As the Economist noted in its coverage, a Russian cyber-attack on Ukraine “is the dog yet to bark.”
This is not to say that Russia has not yet attempted to disrupt Ukraine’s critical infrastructure, though. In a media interview with the BBC, Viktor Zhora, deputy chairman of the State Service of Special Communications in Ukraine, divulged that Ukraine is facing ongoing acts of cyber terrorism against government networks. So far, however, these have been successfully deterred.
Part of the reason for this deterrence may be the formation of the “IT Army of Ukraine”, a rapidly growing group of security and IT personnel, based inside and outside of Ukraine, that has been tasked with launching cyberattacks on Russian websites and critical infrastructure. The Ukrainian government formed the group. According to the Wall Street Journal, the group is believed to communicate via a Telegram channel.
Ukraine has another ally in its cyber offense against Russia. The ‘hacktivist’ collective, Anonymous, has taken responsibility for a string of security incidents in Russia, aimed at disrupting the country’s critical services. Most recently, Anonymous gained control over Russian streaming services Wink, Ivi and live TV channels Russia 24, Channel One, and Moscow 24 to broadcast war footage from Ukraine.
Meanwhile, media coverage is building, questioning whether Russia is yet to release the full force of its cyber capabilities. If there is more to come, this cyber aggression could easily overspill into the networks and systems of other countries. Just as the WannaCry and NotPetya attacks escalated beyond their initial targets, WhisperGate and other forms of malware could impact the UK’s infrastructure.
In line with this, the US Cybersecurity and Infrastructure Security Agency (“CISA”) warned that US critical infrastructure operators should take “urgent, near-term steps” to bolster their defences.
Why are online activities vulnerable to cyberwarfare?
In today’s hyper-connected world, a large-scale cyber-attack has the potential to impact any company devices, networks and solutions that are hosted on the internet.
The public sector, in particular, is vulnerable to these attacks. While the public sector in the UK is slowly improving its digital capabilities, it is often restrained by a lack of resources, annual budget cycle constraints and legacy technology. Some private-sector organisations are not far in front, with little investment in IT administration or security.
Indeed, where it is challenging to justify new investments as preventative measures, organisations are more likely to be impacted by security incidents outside of their control. A UK Government report on the full costs of a cyber security attack highlights that many organisations underestimate the real cost of a cyber incident.
Traditionally, public sector organisations are more reactive than proactive in implementing cyber security. For example, in the wake of the WannaCry ransomware attack, the government agreed to a £150 million contract with Microsoft to improve the cybersecurity of the NHS – but it took a devastating ransomware attack to trigger this.
Moreover, the government’s own 2021 report on Cybersecurity skills in the UK labour market highlights the public sector’s dependence on third parties for cyber security – indicative again of a lack of resources. For example, 95% of public sector organisations outsource their firewall configurations, while 80% depend on outsourced companies for incident response.
The outlook is not much better for general businesses. The research found 50% of businesses have a basic technical cyber security skills gap, while 8 in 10 businesses outsource the responsibility of setting up firewalls, incident response and detecting malware.
While outsourcing is a promising way to reduce the skills crisis, reliance on third-party suppliers can also increase cyber risk if these partners are not adequately vetted. As we’ve written about in our supply chain security guidance, security incidents in which a threat actor enters one company’s network and then moves laterally into customer and partner systems are increasingly common.
Moreover, this research highlights that, in the face of potential acts of cyber warfare, many UK-based organisations may not necessarily have the capabilities or skills to detect and defend against a widespread, destructive form of malware.
How to protect your organisation from acts of cyberwarfare
Given the war in Ukraine, organisations should assess and bolster their defences in case of a more extensive cyber-attack on the west by Russian nation-state actors.
Improving cyber resilience will not only reduce the likelihood of organisations becoming cyber collateral damage in acts of nation-state cyberwarfare but also improve their overall security posture, so they can better defend themselves against other security threats.
To assist with this, the NCSC has recently released guidance on steps to take when the cyber threat is heightened. The steps cover the fundamentals of security hygiene. While these are always critical, they are especially important given the current heightened risk of cyber-attacks.
In the medium term, we also advise that organisations consider completing Cyber Essentials, the NCSC’s flagship cyber security standard. This standard helps companies guard against the most common cyber threats. We’ve written a guide about Cyber Essentials, which explains the standard in more detail.
A step beyond this would be to implement the NCSC’s 10 Steps to Cyber Security framework, which is designed to help companies build a holistic approach to cybersecurity.
The NCSC also has a page on its website dedicated to the public sector, with links to relevant guidance on cloud security, risk management and protecting employee devices.
We offer dedicated cyber security consulting services for organisations seeking further guidance and support in improving their cyber security posture.
If you are looking for support with improving your cyber security resilience, contact us. Our friendly, experienced team will be happy to help.