Published by CyberCX Intelligence on
CyberCX Intelligence actively monitors cyber implications of the Russia-Ukraine war for Australian and New Zealand organisations. This Threat Advisory advises on cyber risk for Australians sanctioned by Russia on 16 June and the organisations directly connected to them.
- The Russian government sanctioned 120 Australians on 16 June, indicating a focus on Australia’s defence, government, mining, technology, think tank, higher education, entertainment and media sectors.
- We assess that this development materially increases cyber risk in the immediate to medium term for the sanctioned individuals and organisations directly connected to them. Key risks include:
- publicity-focused and/or disruptive cyber attacks, including website defacement and distributed denial-of-service (DDoS) attacks by pro-Russia cyber criminals
- cyber extortion by pro-Russia cyber criminals, including ransomware and data theft extortion
- cyber-enabled intimidation of named individuals by pro-Russia groups, especially those involved in public commentary
- information operations by Russian nation-state actors, including ‘hack and leak’ attacks.
- This development is consistent with CyberCX’s Threat Advisory Update of 1 March 2022 that assessed that Australian organisations have a higher threat profile if they adopt a public view on the Russia-Ukraine war, or are in sectors equivalent to those targeted in Russia by western sanctions.
- On 16 June, the Russian Foreign Ministry announced sanctions against 120 Australians operating across the defence, government, mining, technology, think tank, higher education, entertainment and media sectors.1
- The new additions bring the list of Australians on Russia’s ‘stop list’2 to a total of 348 and expand the scope from the first round of sanctions in April which primarily captured Australian parliamentarians.
- The sanctions target high-profile individuals associated with major Australian private and public sector organisations, particularly those in sectors equivalent to those targeted by western sanctions or who have engaged in public commentary about the Russia-Ukraine war.
- The Russian Foreign Ministry has indicated the latest sanctions are in response to the Australian government’s sanctions against an increasing number of Russian citizens.
Impact on cyber risk
- CyberCX Intelligence assesses that the public listing of these individuals—and organisations they are affiliated with—will increase their attractiveness as targets to Russian-based threat actors.
- CyberCX Intelligence assesses that impacted individuals and organisations face the following changes in the immediate term through to at least August 2022:
- Materially increased risk of publicity-focused and/or disruptive cyber attacks, including website defacement and DDoS attacks by pro-Russia cyber criminals.
- Materially increased risk of ransomware and data theft extortion by Russian-based cyber extortion groups.3
- Materially increased risk of cyber-enabled intimidation against named individuals, for example via social media ‘trolling’ or doxing by pro-Russia groups.4
- Increased risk of information operations (particularly hack and leak operations) against organisations and employees by Russian nation-state or other pro-Russia cyber criminals. Hack and leak operations could target enterprise and/or personal accounts and devices.
- CyberCX Intelligence continues to assess that it is highly unlikely that Russian nation-state actors would directly target Australian organisations with destructive cyber attacks, per our Threat Advisory Update of 1 March 2022.
- There is a real chance that destructive attacks against Ukrainian or NATO targets could ‘spill over’ to affect Australian organisations. Organisations with operations in these countries and/or in sectors which rely on operational technology face increased risk.
Recent Russian and pro-Russia cyber activity related to the Russia-Ukraine war
- Based on reported activity, the cyber dimension of the Russia-Ukraine war has decreased in tempo and impact in May and early June compared to March and April.
- In June, Russian nation-state actors conducted a phishing campaign against Ukrainian media organisations that involved the Microsoft “Follina” zero-day vulnerability (CVE-2022-30190).5
- In May, Russian nation-state actors targeted UK government officials and other public figures in an information operation facilitated by email compromises.
- A disinformation website called “Very English Coop [sic] d’Etat”, registered on 19 April 2022, posted data stolen from the ProtonMail email accounts of several UK public and political figures. These figures include former head of the British Secret Intelligence Service, Richard Dearlove, and pro-Brexit individuals.
- The website alleges that the targeted UK individuals were part of a conspiracy to interfere in Brexit-related decisions. The authenticity of the emails has not been verified.
- Two victims, including Dearlove, stated they had been targeted by Russian nation-state actors. Security researchers have attributed both the information operation and the actual email compromises to Russian nation-state actors. These victims have not been sanctioned by Russia.
- Pro-Russia cyber criminals continue to target organisations outside Ukraine with short-term disruptive attacks, primarily DDoS attacks.
- As of May and June, the majority of reported cyber activity related to the Russia-Ukraine war consists of publicity-focused and/or disruptive attacks conducted by pro-Russia cyber criminals.
- CyberCX Intelligence recommends organisations take a ‘high alert’ stance for the next month and then reassess based on any further activity/inactivity. This could involve:
- Lowering thresholds for alerts on accounts and devices specific to sanctioned individuals.
- Applying additional security controls that do not impact the organisations’ ability to do business (e.g. filtering out email attachments that wouldn’t normally be sent to users).
- We recommend organisations prioritise patching CVE-2022-30190.
- We further recommend that organisations consider providing additional support to sanctioned individuals, as well as similarly high-profile employees who may not have been named. This could involve:
- Conducting an open source exposure assessment to understand individuals’ digital footprint and identify any cyber hygiene concerns.
- Implementing open source monitoring and alerting (across social media, deep and dark web sources) to proactively detect threats to individuals.
This Intelligence Update has been prepared by the CyberCX Intelligence Team.
Read more about our practices and insights:
If you need assistance responding to a cyber incident, please contact our investigation and response team here.
Guide to CyberCX Cyber Intelligence reporting language
CyberCX Cyber Intelligence uses probability estimates and confidence indicators to enable readers to take appropriate action based on our intelligence and assessments.
|Probability estimates – reflect our estimate of the likelihood an event or development occurs|
|Remote chance||Highly unlikely||Unlikely||Real chance||Likely||Highly likely||Almost certain|
|Less than 5%||5-20%||20-40%||40-55%||55-80%||80-95%||95% or higher|
Note, if we are unable to fully assess the likelihood of an event (for example, where information does not exist or is low-quality) we may use language like “may be” or “suggest”.
|Confidence levels – reflect the validity and accuracy of our assessments|
|Low confidence||Moderate confidence||High confidence|
|Assessment based on information that is not from a trusted source and/or that our analysts are unable to corroborate.||Assessment based on credible information that is not sufficiently corroborated, or that could be interpreted in various ways.||Assessment based on high-quality information that our analysts can corroborate from multiple, different sources.|
2] The Russian sanctions prevent named individuals from entry into Russia.
3] Even before the sanctions were announced, CyberCX Intelligence had advised that the risks of cyber extortion and other cyber crimes were elevated for high-profile private sector organisations in Australia. The latest sanctions developments exacerbate these risks. See: Threat Advisory Update of 1 March 2022.
4] Doxing refers to obtaining and publishing personal information about an individual online.