This blog is part of a 10-part series that dives into the RSAC 2023 Submissions Trends pulled from our record number of Call for Speakers submissions in 2023. In this blog, we focus on the Ukraine-Russia war.
The ongoing conflict between Russia and Ukraine captured a lot of buzz at RSA Conference 2022. It did again at RSA Conference 2023, as the impact that cyber continues to have on the war was a topic raised in several sessions throughout the week. Multiple speakers pointed to the Russian military doctrine of attacking on multiple fronts, which over the past decade has mostly been waged in cyberspace, including both attacks on infrastructure and psychological manipulation.
In the session Reconsidering Ragnarok: The Cyber Threat Terrain After the Ukraine Invasion, Elvis Chan, Assistant Special Agent in Charge at the Federal Bureau of Investigation (FBI), affirmed this, noting that cyber is not only a means of destruction but also a means of propaganda. And Russia has become a master at it.
War waged in cyberspace is nothing new to Ukraine. Speaking on the panel Stronger Together: The US-Ukrainian Cyber Partnership, Illia Vitiuk, Head of the Department of Cyber and Information Security Service in Ukraine, noted that Russian aggression on the cyber front goes back almost a decade, to the 2014 annexation of Crimea. One of the first destructive cyber attacks launched by Russia was on Ukraine’s power grid in 2015. Vitiuk explained, “For six hours, 250,000 people were without electricity.” During the attack, threat actors even went so far as to flood the power company’s customer service lines to prevent the outage from being reported. He continued that Ukrainians have come to expect such attacks, stating, “You won’t surprise anyone with that now, but back then it was something extremely new.”
Ukraine has served as a testing ground for many different types of Russian cyber weapons. Elaborating on this, Vitiuk stated, “There are no types or combinations of cyber attacks we actually haven’t seen,” noting a whole spectrum of attacks including DDoS, data theft, malware, ransomware, supply chain compromise, financial fraud, and man-in-the-middle. In the session Droned Out: Surveilling the Noise in the Russian War in Ukraine, Alexander Leslie, Threat Intelligence Analyst at Recorded Future, broke down many of these attacks in fine detail.
Panelists across sessions referenced the different MOs used by Russian threat actors, noting that many of these attacks are planned for months, or even years. Michael Sikorski of Palo Alto Networks explained that attacks like SolarWinds take a very long time: “They waited six months before deploying a back door.” Another point raised was the broader destruction caused by many of these Russian cyber attacks. For example, Ukraine was the original target of the NotPetya ransomware attack in 2017, but it went on to massively disrupt critical infrastructure in more than 60 countries.
What has been critical to Ukraine’s defense is public-private partnership and improved information sharing between cybersecurity vendors and national intelligence services. The Shields Up effort by the Cybersecurity & Infrastructure Security Agency (CISA) is one example. Shields Up was designed to change the way threat information is shared. Rather than distributing cryptic bulletins about a cyber event, the advisories now provide details with more clarity and guidance on how to respond. A recent advisory put out by CISA on the Snake malware developed by Russian intelligence is just one example that demonstrates how much information sharing has improved.
How we define success and fight back is also changing, and we are seeing the results. Elvis Chan discussed the new approach being taken by the FBI. “We have become more aggressive in disruptive operations,” he said. Chan noted that in the past, the FBI was focused on activities such as running cases, getting indictments, and seizing property or funds. Recognizing that investigations take a long time to run, the FBI decided it needed to flip that strategy on its head. In discussing Operation Cyclops Blink, Chan noted this was the first time the courts were used to obtain a seizure warrant under which the FBI could develop a tool to turn a botnet off. “Now it’s disruptions, neutralizations and what are we doing to inflict consequences and pain on cyber adversaries.”