The Director of Redpoint Labs, David Duncan, discusses the dangers and cyberattacks that Western companies may face from Russian hackers with Jurgita Lapienytė
If Russia turns to cybercriminals to support its economy, ransomware will be even more devastating.
Russian cybercriminals have targeted Western companies with impunity in the past. Given the country is isolated from the world and likely to default, Russia might seek revenue by attacking Western companies. The collateral damage might be devastating, especially for companies with a false sense of security.
Russia has long been considered a haven for cybercriminals. Many have claimed to be apolitical in the past, but that statement didn’t carry much weight as Western companies have always been their primary target.
The Director of Redpoint Labs, David Duncan, assesses that Russian cyber Advanced Persistent Threat (APT) groups will shift their sights to Western and NATO countries that support Ukraine.
“We have seen a lull in cybercriminal operations in the United States. This lull in cybercriminal activity is probably due to Russia using these groups to support Russian military operations. However, I assess that these groups will shift to target western-based companies that placed sanctions on Russia for their invasion of Ukraine,” he told Cybernews.
Collateral damage to Western companies, critical infrastructure, and government organizations likely will surpass anything we have seen in the past.
“Russia is backed into a corner and isolated from the world. Russia will use any tool to retaliate against the West,” Duncan said.
One step ahead
According to Duncan, Russian hackers are among the stealthiest operators of all the APT groups.
“Russian hackers are skilled social engineers, and once they gain access, they ‘live off the land’ (LOLBAS). Living off the land allows these hackers to remain unseen and operate freely in a network for months or years.”
Russian hackers are adept at developing and changing their malware to stay ahead of security vendors, and the Conti group leaks show evidence of this.
"Conti frequently employs people to test their malware against security tools. Conti and other Russian-based ransomware groups operate as businesses and have dedicated resources to stay ahead of network defenders and security vendors," Duncan said.
Cyberattacks are an essential revenue source for North Korea’s nuclear and ballistic missile programs. Russia, a heavily sanctioned country, might also leverage its ransomware and APT groups as a source of revenue.
“If Russia turns to ransomware to support their economy, I assess that ransomware in 2022/2023 will be far more devastating than in previous years. Victim companies will feel the full force of Russian cyber operations, ultimately crippling the majority of these organizations,” Duncan said.
Paying a ransom has been the only way out of the crisis for many organizations. However, succumbing to the demands might no longer be an option.
Russia’s pariah status could make life difficult for cybercriminals linked to the country, with US financial crime regulator FinCEN warning companies that they could end up supporting sanctioned individuals and entities if they give in to ransom demands.
Any US firm paying out a ransom to a sanctioned individual or other entity without government permission would face fines or additional criminal penalties under new regulations set out by the Treasury’s Office of Foreign Assets Control.
“Not paying a ransom or violating sanctions places these innocent bystanders in a conundrum and is a headache for business leaders,” Duncan said. “This new restriction puts additional strain on companies attempting to navigate the murky waters of ransomware.”
He assesses that companies will try to force Digital Forensics and Incident Response (DFIR) companies like Redpoint to pass a judgment that the ransomware group is not from Russia.
“Additionally, I see these cybercriminals changing their name and malware to obfuscate their origin to increase payment likelihood.”
Where to start
Cybersecurity experts have already seen an increase in malicious cyber activity. Silversky President Jason McGinnis observes a spike in ‘spray and pray’ attacks, in which adversaries hope that if they try enough people, someone will eventually fall for the scam.
"They are searching for open ports and vulnerabilities, which puts a lot of small businesses at high risk because they may not have the right tools and security programs in place," he told Cybernews.
McGinnis also speculated that sanctions might be an additional driver for cash, so all businesses need to think about how to protect their environment.
"Many small businesses had the attitude of 'I'm too little, nobody wants to come after me, because what have I got.' There's been a little bit of a false sense of security."
He hopes an increased spotlight on cyberwar news will be a wake-up call for entities.
"Educate yourself. Understand what the risk is and then think about what you can do."
Even fundamental measures, such as password management and cybersecurity training for employees, can significantly reduce the risk of falling victim to a cyberattack.
"They need to start acknowledging a risk, educating themselves, putting a basic plan in place, and thinking about mitigation, maybe insurance. It's about getting started," he said.
This article was originally published by Cybernews’ Jurgita Lapienytė.