Despite Russia’s cyber threat understandably fading into the background amid the war in Ukraine, there is a longer-term strategy that governments, organisations and industry should be putting in place to prepare for the country’s cyber actors.
Note the word “prepare”, not “panic”. Despite Russia’s very sophisticated cyber capabilities, there is still a common set of techniques and tactics used across its diverse actor matrix. At first glance, it is this variation that causes concern, alongside the general mystery of Russia as an entity. However, reassuringly, it also gives reason for governmental response teams, and cyber security specialists, to be optimistic about future resilience.
If part of the attack strategy is to simply create a sense of fear or uncertainty, then focusing instead on the most rudimentary and robust protection protocols can take some of that indecision away. This is something that Mandiant, a global cyber defence leader, has looked to encourage through its dedicated hardening guide, which has sought to contextualise the real Russian threat.
Jamie Collier, senior threat intelligence adviser at Mandiant, says: “The hardening guide essentially lays out some very common security controls by mapping the types of attack we have seen conducted by Russia in the past.
“In that sense, it offers strategy to organisations. Russian state threats certainly require some specific planning, yet we should never forget how important security fundamentals are. Moreover, by focusing on common Russian attack techniques, security functions are able to significantly reduce their exposure. Ultimately, knowledge of prominent threats can, and should, empower network defenders.”
Collier’s reason for optimism comes despite seeing the cyber landscape evolve during the pandemic, with cyber espionage usurped by ransomware as the most pressing challenge.
He adds: “World leaders and heads of state are now starting to intervene much more directly in tackling ransomware as a result of its proliferation, understanding that it now has a critical impact on not just network security, but national security as well.
“In the context of Russia, this has actually helped organisations as they’ve been forced into having these conversations and defence discussions.”
Threat variety
This isn’t to downplay Russia’s profile, of course. The war in Ukraine has served as a reminder – if ever it was needed – that the Russian threat isn’t just talk. It isn’t just creating a perception of potential threat. There is often a follow through, as we have seen with countless cyber examples in recent years, and are now seeing play out in a much more physical sense.
From a digital standpoint, Mandiant has been able to generate a hardening guide, having watched and analysed the progression of Russia’s state actor activity for decades. From this analytical starting point, the company’s main aim is to translate this insight into an action plan or strategic blueprint for different segments of society to follow.
“It is a complex process with Russia specifically, due to the sheer amount of variety we see in their cyber activities,” says Collier.
He immediately alludes to the different intelligence agencies involved in conducting cyber operations, including the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU), the Federal Security Service (FSB) and the Foreign Intelligence Service (SVR).
“They all have quite different mandates, which are reflected in the types of cyber operations we see,” he says. “For instance, the GRU tends to be more brazen or loud, which reflects a general reputation for disregarding international norms. This comes through in the form of actors such as Sandworm, who continue to make the news to this day.
“Then you have something like SolarWinds, which has been linked to the SVR by more than one international government. These types of operations showcase an impressive degree of stealth and operational discipline being used to make it as difficult as possible for incident responders.”
Adding a further layer of complexity to the situation is the fact that these various operations are not necessarily tied in together through collaboration or strategy. If anything, the general consensus points more towards a sense of competition among them to gain favour with Russia’s governmental hierarchy.
“It also leads to quite a potent blend of information operations, in addition to traditional cyber security actions,” says Collier. “We’ve seen it played out in the context of, say, the 2016 US election, but really this diverse mix of threats has been going on for decades, playing out in a variety of different areas. The overlap between information operations and cyber security is so interesting.”
In addition to the “variety” box, the “severity” box is also very much ticked, as evidenced by the US election example. The Tokyo 2020 Olympics and Paralympics are another frequently cited example that triggers reminders of the threat on one hand – but that perhaps also skews response plans on the other.
Such high-profile events have given Russian state actors a persona and gravitas that doesn’t always reflect true vulnerability levels. This often distracts organisations from focusing on what they actually need to protect – and, pivotally, how to protect it.
Collier explains: “Am I a foreign government where Russia will be interested in gathering intelligence? Am I a media organisation where a threat might come in the form of information operations? Am I a major sporting event? Am I an industry-leading organisation? Am I a key link in a supply chain?
“Yes, there are elevated threats in different areas, so I think it’s important that organisations focus a bit more on what is important to them, rather than on all the various Russian threats out there. We often look at Russian cyber capabilities as one holistic and all-encompassing threat, yet it may only be certain elements of the Russian intelligence apparatus that we need to focus on, depending on our sector and geography.”
Uncertainty skews response
More than being just a technological exercise, the Russian state actor threat represents something of a psychological effort as a result. Knowing where the dangers lie, resisting the urge to over-react and cause panic, knowing that the threat is serious enough never to underestimate it, and then putting in place bespoke defence protocols, is a delicate tightrope to walk.
It can perhaps even be mirrored with the war in Ukraine, where the response from the wider world, and in particular Nato countries, has been criticised in some parts for being too careful. Russia’s volatility, mystery and variety make any rash reactions a nervy prospect in any context. And those two worlds have even crossed in recent years, courtesy of a state actor operation impacting the Ukrainian financial services sector.
Collier says: “It was an easy attack to almost ignore or overlook, given that DDoS [distributed denial of service] attacks are relatively unsophisticated, with mitigation steps well known. Yet, combined with the DDoS operation were actual text messages sent to Ukrainian citizens informing them that their bank was offline. This was purely to create a sense of personal unease, and to encourage them into frustrating situations to try to solve in person.
“Creating uncertainty is part of the process of being feared, which ultimately skews the required response or the creation of an effective defence.”
Vigilance without panic
So, what does an effective defence look like?
Fortunately, in this regard, while many are scrambling or searching for the right answer, there are those who have been analysing the threat for so long that patterns have emerged, and a defence landscape is now evident.
Collier calls it the “attack lifecycle”, which informs each stage of each method of attack, by way of techniques, controls, tactics and requisite response. Even with more complex attacks, such as SolarWinds, which are extremely difficult to detect, there are still familiar traits, which can be combated with the abovementioned basic defence protocols.
It is here where a united approach works best. Collier notes that government networks are critical in terms of having overarching visibility of victim environments. Meanwhile, the private sector and cyber defence specialists offer more bespoke insight into specific networks and sector impacts.
Merging the big picture with tailored insight forms the perfect, complementary platform for organisations to build a defence guided by strategy, not panic.
Collier concludes: “It converts the outlook from one built around trying to prepare for every eventuality, to one built protecting what is most important and against the most relevant threats.
“This should, of course, be the case in any context, but is especially important in the face of Russian state actors, given the unique variety of threat, and the psychological aspects involved.
“We really can wipe out a lot of our attack exposure by just getting the basics right. And this pragmatism goes a long way to eradicating some of the broader fear.
“Given the current climate, we have to be humble in terms of making grand strategic conclusions, or in escalating fear levels. Hopefully, this more sustainable and stripped-back overview of the threat landscape can achieve a balance between being vigilant, without causing panic.”