
Change and disruption: How the Russia-Ukraine conflict is reshaping cyber crime

Threat Advisory


CyberCX Cyber Intelligence is actively monitoring the conflict in Ukraine and the cyber implications for Australian and New Zealand organisations. We issued Threat Advisories on 1 March 2022 and 24 February 2022. This Intelligence Update offers insights into how the Russia-Ukraine conflict is impacting the global cyber crime ecosystem to provide situational awareness to Australian and New Zealand organisations.

 

Key Points

  • Australian and New Zealand organisations face a real chance of ransomware, data theft extortion or DDoS attacks by pro-Russia criminal groups and hacktivists. Regional organisations are most at risk if they are high-profile and:
    • have taken a public stance in support of Ukraine or in condemnation of Russia
    • are involved, or perceived to be involved, in facilitating or enforcing sanctions
    • operate in sectors equivalent to those in Russia that have been targeted by sanctions (e.g. energy and financial services)
    • operate critical infrastructure.
  • The conflict is generating significant ‘noise’ in cyber news and churn in the cyber crime ecosystem, making it harder for regional organisations to assess and monitor threats.
  • Cyber criminals with no ideological link to the conflict will increasingly exploit Russia-Ukraine content in phishing and cyber-enabled fraud attacks against Australian and New Zealand organisations.

Criminal and hacktivist targeting of western organisations

| Sentiment | Approximate known actors [1] | Known locations |
|---|---|---|
| Pro-Russia | 10 | Belarus, Russia |
| Pro-Ukraine | 25 | Belarus, Georgia, Turkey |

We assess that pro-Russia cyber extortion groups are targeting critical infrastructure to support Russia’s interests.

We assess that Australian and New Zealand organisations face a real chance of ransomware, data theft extortion and DDoS attacks by pro-Russia cyber crime groups and hacktivists.

We assess there is an unlikely, but plausible, risk that pro-Ukraine or pro-Russia hacktivist attacks will inadvertently spill over to Australia or New Zealand.

 

Noise and churn in the cyber crime ecosystem

The increase in cyber threat information generated by the conflict is making it harder for Australian and New Zealand organisations to prioritise and mitigate threats.

We assess that infighting within cyber crime groups, triggered by the conflict, will also make it harder for Australian and New Zealand organisations to track threat groups.

We assess with low confidence that the conflict may temporarily disrupt some cyber extortion operators in the conflict zone, but will not affect more persistent and resilient groups.

 

Exploitation of the conflict by cyber criminals and scammers

Cyber criminals, regardless of ideology, will increasingly exploit the invasion of Ukraine and the resulting humanitarian crisis.

 


 

This threat advisory has been prepared by the CyberCX Cyber Intelligence Team.


If you need assistance responding to a cyber incident, please contact our investigation and response team here.

 


 

Guide to CyberCX Cyber Intelligence reporting language

CyberCX Cyber Intelligence uses probability estimates and confidence indicators to enable readers to take appropriate action based on our intelligence and assessments.

Probability estimates – reflect our estimate of the likelihood an event or development occurs

| Remote chance | Highly unlikely | Unlikely | Real chance | Likely | Highly likely | Almost certain |
|---|---|---|---|---|---|---|
| Less than 5% | 5-20% | 20-40% | 40-55% | 55-80% | 80-95% | 95% or higher |

Note, if we are unable to fully assess the likelihood of an event (for example, where information does not exist or is low-quality) we may use language like “may be” or “suggest”.

Confidence levels – reflect the validity and accuracy of our assessments

  • Low confidence: Assessment based on information that is not from a trusted source and/or that our analysts are unable to corroborate.
  • Moderate confidence: Assessment based on credible information that is not sufficiently corroborated, or that could be interpreted in various ways.
  • High confidence: Assessment based on high-quality information that our analysts can corroborate from multiple, different sources.

 


 

[1] These numbers are based on non-state sponsored actors that have made a public statement in support of Russia or Ukraine.

[2] On February 24, the day of invasion, threat actors likely associated with Russian intelligence services reportedly compromised US-based satellite operator, Viasat, causing downstream impacts across Europe. This Intelligence Update only covers cyber crime activity; we will cover nation-state activities related to the conflict—and their impacts for Australia and New Zealand—in a subsequent Update.

[3] https://www.finder.com.au/ukraine-scams-what-to-check

[4] https://blog.malwarebytes.com/scams/2022/03/dont-fall-for-the-donate-to-help-children-in-ukraine-scam/

[5] https://www.bitdefender.com/blog/hotforsecurity/bitdefender-labs-sees-increased-malicious-and-scam-activity-exploiting-the-war-in-ukraine
