Ukraine invasion: This may be the quiet before the cyber-storm, IT staff warned

As the invasion of Ukraine heads into its third week with NATO allies ratcheting up sanctions against Russia, infosec vendors have urged Western governments and businesses to prepare for retaliatory cyberattacks. According to Mandiant, Ukraine remains the top target for destructive or disruptive cyberattacks. That said, …

  1. Clausewitz 4.0 Bronze badge

    FUD - Fear, uncertainty and doubt

    Most companies will never be the target of destructive military software implants.

    Do not believe this FUD - Fear, uncertainty and doubt of western companies.

    They are just snooping into temporarily disabled hackers to enter into your wallets. Beware!

    1. Old Used Programmer Silver badge

      Re: FUD - Fear, uncertainty and doubt

      Da, comrade.

    2. MyffyW Silver badge

      Re: FUD - Fear, uncertainty and doubt

      I'm more of a Liddell Hart kind of a girl, so will be thoroughly prepped, patched and table-top war-gamed. One can't be too careful.

    3. bombastic bob Silver badge

      Re: FUD - Fear, uncertainty and doubt

      Still might be a good time to do a backup (if you do not do them often enough). An air-gapped USB external drive is a good start.

    4. Mike 137 Silver badge

      Re: FUD - Fear, uncertainty and doubt

      "Most companies will never be the target of destructive military software implants"

      Maybe not in those narrow specific terms, but as we saw with NotPetya, depending on exactly what is deployed vast numbers of insecure systems may fall as collateral damage.

      Now is the time for all conscientious CTOs to get their infrastructure externally pen tested (ideally regularly, not just as a one-off). And, of course, to immediately rectify any fragilities found.

    5. W.S.Gosset Silver badge

      Re: FUD - Fear, uncertainty and doubt

      > Most companies will never be the target of destructive military software implants.

      Target? No. Correct.

      Hit anyway by wild-released malware? Costlessly spraying itself at everything it can find and hitting anything it lands on? Extremely possible.

      Malware is more usually blunderbuss, not sniper. It's a lot easier to write "stupid" hit-everything code than it is to write "smart" target-selecting code.

    6. Roland6 Silver badge

      Re: FUD - Fear, uncertainty and doubt

      >Most companies will never be the target of destructive military software implants.

      I think you will also find that most companies are not the direct target of destructive malware, until the bots manage to establish a bridgehead.

      The trouble is that it doesn't matter what size company you are: if the bots discover a weakness they will exploit it relentlessly until they either fail or establish a bridgehead. The bots have no way of really knowing what size of business is behind some random IP address; to them it's a Windows Server 2xxx running RDS, Exchange, OWA, IIS...

  2. amanfromMars 1 Silver badge

    Caveat Emptor

    If that is the best advice that Mandiant can give, Google are buying a market dud.

    1. Anonymous Coward

      Re: Caveat Emptor

      Thank you, came to post exactly what you wrote. If BAU security activities are now considered mandatory due to the escalating conflict, paying for such advice seems as clever as gifting a hair comb to a bald guy.

  3. Pascal Monett Silver badge

    "it's probably best to have a plan in place than lapse into complacency and cynicism"

    Indeed it is. And it has been for the past ten years at least. And a majority of companies still have nothing in place.

    Frankly, I'd be surprised to know that a majority of companies have a proper data backup system (that has been tested).

    It should be a given that large companies with a dedicated IT department should indeed be prepared, but malware doesn't pay attention to the size of the network it is attacking, it just attacks anything it can. So small and medium-sized companies are equally at risk - but they don't put the same effort into their IT budget because they're putting all their efforts into gaining market share and satisfying the customer.

    Like hospitals, who put all their effort into taking care of people (thankfully). They come down hard when hit by some despicable miscreant, but they don't have the resources to implement proper protection.

    I'm starting to think that the only solution for hospitals is to mandate an impenetrable air gap between hospital computers and the Internet, but I have no idea how feasible that is in reality.

    1. Potemkine! Silver badge

      Re: "it's probably best to have a plan in place than lapse into complacency and cynicism"

      An airgap is a good way to protect from the outside, but in the real world airgaps often don't exist. Most of the time, there's still a communication between the protected network and the outside world, to update and/or patch the software, to debug, to get logs. When a USB key coming from the outside is connected to the protected network, the airgap is broken. Even "pseudo-airgapped", a network needs to be protected, monitored, backed up, and so on...

      1. Paul Crawford Silver badge

        Re: "it's probably best to have a plan in place than lapse into complacency and cynicism"

        An "absolute air gap" is very hard to maintain, but the reality is having the equivalent of no external connection massively reduces the attack surface.

        In many cases good security practice (e.g. simply disabling macros in Office, making user-writeable areas non-execute, etc) and segmenting external web/email machines from the rest is going to seriously impede an attack.

        1. Eclectic Man Silver badge

          Re: "it's probably best to have a plan in place than lapse into complacency and cynicism"

          I think the Stuxnet malware was installed via an infected USB drive onto a supposedly air-gapped system.

          The NHS cannot afford to have properly air gapped systems as the amount of data they transfer between different hospital departments, Family Practitioners, specialists etc. is quite large. Incorporating air gaps would be horrendous.

          1. PriorKnowledge

            A firewall would have worked for the NHS

            They left port 445 open for connections between all workstations. A simple IPSec policy to allow a handful of trusted management computers to initiate connections (but no-one else) would have sufficed. Heck, that could have even been implemented as a general firewall policy (allow inbound from trusted IP addresses only). In fact, VLANs and port community isolation from the networking team alone would have been enough to mitigate the spread!

            With basic defences in place, it would have been as simple as isolating the one infected machine from the network to shut off the ransomware…
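            The restriction PriorKnowledge describes (inbound TCP 445 allowed only from a handful of management hosts) expressed with the Windows Defender Firewall PowerShell cmdlets, as an added example that is not part of the comment; the management-host addresses are constructed placeholders:

            ```powershell
            # Added example: restrict inbound SMB (TCP 445) on a workstation to a few
            # trusted management hosts. The addresses are constructed placeholders;
            # replace them with your own management subnet or hosts.
            $trustedMgmt = @('10.0.10.5', '10.0.10.6')

            # 1. Disable the built-in allow rules that open 445 to every peer.
            Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' |
                Where-Object { $_.Direction -eq 'Inbound' } |
                Disable-NetFirewallRule

            # 2. Drop unsolicited inbound traffic by default on every profile.
            #    Windows Firewall lets an explicit block rule win over allow rules,
            #    so the restriction is "default block + narrow allow" rather than a
            #    block rule for 445, which would also cut off the trusted hosts.
            Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

            # 3. Re-open 445 only for the trusted management hosts.
            New-NetFirewallRule -DisplayName 'SMB-In (management hosts only)' `
                -Direction Inbound -Protocol TCP -LocalPort 445 `
                -RemoteAddress $trustedMgmt -Action Allow -Profile Any

            # 4. Check: list every enabled inbound allow rule that still covers 445
            #    together with its remote-address scope. Only the rule created above
            #    should appear, scoped to the trusted hosts rather than 'Any'.
            Get-NetFirewallPortFilter |
                Where-Object { $_.LocalPort -eq '445' } |
                Get-NetFirewallRule |
                Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
                ForEach-Object {
                    $scope = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
                    '{0,-40} remote={1}' -f $_.DisplayName, $scope
                }
            ```

            On a domain the same three settings belong in a Group Policy firewall object so every workstation receives them. The IPsec variant the comment mentions adds `-Authentication Required` to the allow rule in step 3, so the management hosts must also prove who they are rather than only come from the right address.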

    2. AndrueC Silver badge

      Re: "it's probably best to have a plan in place than lapse into complacency and cynicism"

      > I'm starting to think that the only solution for hospitals is to mandate an impenetrable air gap between hospital computers and the Internet, but I have no idea how feasible that is in reality.

      It's possible but it would adversely impact the quality of health care. One obvious example is the need to keep GP notes in synch with hospital procedures. But then there's the whole area of ordering supplies, the need to communicate with fellow professionals who might not be on site (or indeed not in the same country) and as technology advances remote consultancies and even remote controlled surgery is a thing.

      A hospital can no more easily cut itself off from the internet than any other business can these days. The NHS have long had a WAN (several over the years in fact) so systems do not need to be 'on the internet' but they do have to communicate with outside resources.

    3. Clausewitz 4.0 Bronze badge

      Re: "it's probably best to have a plan in place than lapse into complacency and cynicism"

      NUCLEAR reactors can be penetrated. Do you really think Google / Mandiant can protect a hospital with air-gap?

  4. Potemkine! Silver badge

    IMNSHO, I think it's possible Russia won't start a full-scale cyberwar. The reason is the stakes may not be high enough yet for Russia to unveil all its attack means. There is also a huge risk of counter-measures. We already know that encrypted Russian communications are intercepted and decoded by Ukrainian services. Russia may have a lot to lose if the cyberwar goes as well for Russia as the invasion of Ukraine.

    1. Cederic Silver badge

      Hmm. That link demonstrates that Ukraine were able to intercept an insecure communication, not that they're able to intercept and decrypt secure communications.

      Which aren't working, which is why the insecure one was used.

      As for losing a 'cyberwar' would that mean that Russian businesses that can't access the internet wouldn't be able to run software they can't use on hardware they can't buy to produce goods they can't export? Would they notice?

      1. Eclectic Man Silver badge

        The rumour / article in a highly respected UK newspaper was that the Russian secure comms rely on 4G mobile communications. Unfortunately for them these are being destroyed by the artillery attacks, so the Russians are having to rely on older, insecure technologies, including analogue radios in some cases.

        "The loss of top ranking officers has come at a time when much of Putin’s invasion force has become bogged down by logistical problems, poor morale and Ukrainian resistance. The failure of its encrypted communications system could be another severe blow.

        “In the call, you hear the Ukraine-based FSB officer ask his boss if he can talk via the secure Era system. The boss says Era is not working,” Grozev said on Twitter."

        https://www.theguardian.com/world/2022/mar/08/vitaly-gerasimov-second-russian-general-killed-ukraine-defence-ministry-claims

  5. Pete 2 Silver badge

    Time for a change

    > the first thing organizations should do to prepare themselves

    Surely the first thing to do is to consider just what systems actually need to be connected to the wild west public internet?

    Home working has required more companies to expose themselves(!) to outside connections. Hopefully from their employees, only. However, it still boggles the mind that there are sensitive, vulnerable and juicy targets of national infrastructure and security that are accessible, and therefore hackable.

    I realise that nothing will be done until it is too late. That governments will take no action to protect vital systems until they get hacked into oblivion. Even then, there will only be an inquiry, conclusions that nobody was to blame and "lessons learned" while business carries on as usual. Just as the NHS learned in 2017 with the Wannacry attack. Although there was much fuss, many NHS systems remain open to attack - some even from the same malware.

    1. Roland6 Silver badge

      Re: Time for a change

      >Surely the first thing to do is to consider just what systems actually need to be connected to the wild west public internet?

      Swiftly followed by: from where will it actually get accessed?

      Many (smaller businesses) only really need to have their systems user accessible from UK address ranges with occasional overseas access.

  6. Twanky Silver badge

    Now is the time to be a prepper – the computer security kind

    No. No it isn't. It's too late.

    Trying to bolt on security as an afterthought is always too late. It's also, often, more expensive than doing it right first time.

    1. Paul Crawford Silver badge

      Re: Now is the time to be a prepper – the computer security kind

      But it is still cheaper than doing nothing.

      1. Twanky Silver badge

        Re: Now is the time to be a prepper – the computer security kind

        I'm reminded of the joke about the lost traveller asking for directions from a passing local:

        'How do I get to insert name of destination?'

        'Well, I wouldn't start from here'.

        1. Magani

          Re: Now is the time to be a prepper – the computer security kind

          >> 'How do I get to insert name of destination?'

          Farmer Brown: "Ya can't get there from here."

          As mentioned above, it's something that has to be planned from the start, not added on after.

    2. Anonymous Coward

      Re: Now is the time to be a prepper – the computer security kind

      .. which is why we banned all Microsoft and Adobe software from the outset.

      In real terms, it is by far the most efficient route to minimising your attack surface (as well as reducing the amount of effort to keep it that way), and it also deals with the "hard shell, soft centre problem" which means that one bridgehead inside is enough to attack the rest (that said, we also have that other ancient favourite in place, network segmentation).

      The raw fact is that there are a couple of products that are always implicated in security breaches and ransomware attacks, and no marketing and golf course sales can change that. If IT management decides to close its eyes to that (as I have seen in quite a few bigger companies and even government departments), then they are in my opinion 100% responsible for the consequences. The only way you get those two players to really pay attention is by hitting them in their wallets. At present, the disclaimers they force you to sign up to mean they can continue to deliver subpar code and make their customers the victim.

      We may have an extra physical war right now, but the cyberwars have been going on for quite some time as it's far less risky and more profitable for criminals. Act accordingly.

      1. Roger Kynaston Silver badge

        Re: Now is the time to be a prepper – the computer security kind

        Good luck getting everyone migrated off Windoze, to use Ubuntu, LibreOffice and the GIMP.

        It is always difficult to impossible to blanket ban software that everyone uses.

        1. Anonymous Coward

          Re: Now is the time to be a prepper – the computer security kind

          Not Linux - too much fiddling around and not enough commercial software to make it a viable desktop replacement (as opposed to on the server side where you may consider that a default by now). For GIMP et al, for instance, we used Serif's pay-once Affinity software (we got all of them, Designer, Photo and Publisher) because it works and is able to really use the hardware. I think there's also some stuff from the Omni Group around like OmniGraffle, their approach to Visio. IMHO it's closer to the original Visio than the disaster that Microsoft made of it.

          We were lucky that we did this from the word go, but we did assist some private banks in migrating to MacOS desktops and laptops, with the latter adding the benefit that we didn't have to keep a massive amount of stock for the travelling part of the staff. The only problem we have is finding decent MDM software. We cannot use Jamf for legal reasons (US based), and Snow software seems to consider itself above talking to potential customers (judged by how hard it was to get hold of anyone in Europe), and emerged to need a Windows server to work which would rather defeat what we were trying to achieve :).

          It has prompted a research project to maybe develop our own MDM. It appears it's very much needed.

    3. Eclectic Man Silver badge

      Re: Now is the time to be a prepper – the computer security kind

      But that is how it has always been done! Why change the habits of a lifetime?

      Yes, I know, my career*, such as it was, was invariably attempting (and often failing) to get managers to include security requirements in the tender stage so it could be designed in, rather than added on afterwards. Trouble was that if you include it in the tender stage, it costs more up front, so you lose the bid. If you add it on afterwards, it counts as a change.

      *Much more like a car without brakes or steering going down a bumpy hillside, instead of an arrow flying straight to a well-chosen target.

    4. Del+Alt+Del

      Re: Now is the time to be a prepper – the computer security kind

      Best time to plant a tree is 20 years ago. Second best time is now.
