Threat Advisory Update. Russia/Ukraine conflict: Impacts for Australian and New Zealand organisations

Threat Advisory
The situation in Ukraine is actively evolving. CyberCX Cyber Intelligence is closely monitoring developments. This advisory contains point-in-time assessments that may change quickly. This post provides updates to our Threat Advisory released on February 24, 2022, accessible here.

Key Points

  • We continue to assess that direct targeting of Australian and New Zealand organisations by Russian state actors is highly unlikely.
  • We continue to assess that regional organisations face a real chance of cyber extortion by pro-Russian criminal actors. This risk is elevated for high-profile private sector organisations that:
    • take a public stance in support of Ukraine or in condemnation of Russia
    • are involved in facilitating or enforcing sanctions.
  • We assess that destructive cyber attacks by Russian state actors against Ukrainian, NATO or other European targets are highly likely, and there is a real chance Australian or New Zealand organisations could suffer collateral damage.
    • The risk has marginally increased since our February 24 Threat Advisory especially for the financial and energy sectors and organisations with reliance on operational technology.
  • CyberCX continues to urge all Australian and New Zealand organisations to adopt a posture of heightened cyber readiness and awareness.

Background

The invasion of Ukraine by Russia has progressed to widespread conflict with major loss of life. Russian ground forces have pushed into Ukraine from its northern, eastern and southern borders. Ukrainian forces have repelled several attempts to capture strategic targets around Kyiv. There has been widespread damage in Ukraine as the result of artillery and aerial bombing.

Disruptive cyber attacks are continuing to take place against Ukraine, with a gradual increase in publicly reported destructive cyber attacks.

The EU, UK, US and others (including Australia) have escalated sanctions against Russia and its ally Belarus, including suspending key Russian financial institutions from the SWIFT global banking system. These measures have caused major disruption to Russia’s economy, with the rouble plunging 30-40% against the US dollar. Several countries, including Australia, have shifted from providing non-lethal support to Ukraine to additionally supplying weapons. A significant number of high-profile global organisations and companies have imposed restrictions on Russia and Russian elites.

Rhetoric among cyber criminal and hacktivist actors

Since our February 24 Threat Advisory, multiple cyber crime and hacktivist groups have made public comments on the conflict.

Impacts for Australian and New Zealand organisations

  • All regional organisations face a real – and increasing – risk of cyber extortion attacks.
  • It remains highly unlikely that Russian intelligence or military cyber actors will directly target Australian or New Zealand organisations.
  • All Australian and New Zealand organisations continue to face a real chance of suffering collateral damage. This risk is more elevated for organisations with operations in NATO countries, Europe or Ukraine, or in certain key sectors.

Recommendations

Adopt a position of heightened readiness and awareness

CyberCX urges Australian and New Zealand organisations to be alert to any anomalies in their environment and ensure they are prepared to respond to incidents. This could include:

This threat advisory has been prepared by the CyberCX Cyber Intelligence Team.

If you need assistance responding to a cyber incident, please contact our investigation and response team here.


Guide to CyberCX Cyber Intelligence reporting language

CyberCX Cyber Intelligence uses probability estimates and confidence indicators to enable readers to take appropriate action based on our intelligence and assessments.

Probability estimates – reflect our estimate of the likelihood that an event or development occurs:

  • Remote chance – less than 5%
  • Highly unlikely – 5-20%
  • Unlikely – 20-40%
  • Real chance – 40-55%
  • Likely – 55-80%
  • Highly likely – 80-95%
  • Almost certain – 95% or higher

Note, if we are unable to fully assess the likelihood of an event (for example, where information does not exist or is low-quality) we may use language like “may be” or “suggest”.

Confidence levels – reflect the validity and accuracy of our assessments:

  • Low confidence – Assessment based on information that is not from a trusted source and/or that our analysts are unable to corroborate.
  • Moderate confidence – Assessment based on credible information that is not sufficiently corroborated, or that could be interpreted in various ways.
  • High confidence – Assessment based on high-quality information that our analysts can corroborate from multiple, different sources.

[1] In response to these statements, an individual believed to be a Ukrainian Conti group member leaked the group’s message logs from late January through late February. CyberCX Cyber Intelligence is still analysing this dataset for potential insights into Conti’s tradecraft to inform assessments and provide actionable threat intelligence to Managed Security Services customers.

[2] See the Detection section of https://www.cisa.gov/uscert/ncas/alerts/aa22-011a

[3] See the Enhance your Organization’s Cyber Posture section of https://www.cisa.gov/uscert/ncas/alerts/aa22-011a; https://www.cisa.gov/sites/default/files/publications/CISA_Insights-Implement_Cybersecurity_Measures_Now_to_Protect_Against_Critical_Threats_508C.pdf