“No technology service or system is completely risk-free.” That is the warning of the UK National Cyber Security Centre which, like its counterparts in other countries, has urged companies and institutions to reinforce their defenses on the Internet in the face of the war in Ukraine. According to Manuel Ricardo Torres, a professor at Pablo de Olavide University and one of the 15 international advisers on the Advisory Council on Terrorism and Propaganda of Europol’s ECTC, “Russia has shown that it is willing to use all the resources it has at its disposal. And information warfare is one of them, especially in response to the economic sanctions that follow the attacks.” One of the threatened environments is the universe of Windows 365, according to alert AA22-047A issued by the Cybersecurity and Infrastructure Security Agency (CISA) of the United States.
The US agency identifies defense contracting companies as the main targets. “These actors [attackers backed by the Russian state] leverage simple passwords, unpatched systems, and unsuspecting employees to gain initial access before attacking enterprise and cloud networks [internet-connected remote servers].” As the same agency acknowledges, the priority targets for these incursions are the “widely used environments of Microsoft 365, which are compromised to access sensitive and unclassified information, as well as technology.” This suite is the most widely used by individuals and companies for work and communication applications (Office).
Udi Mokady, one of Israel’s foremost security experts, shares this forecast about the exposure of entities associated with a larger one: “The world is changing dramatically. It is no longer enough to protect a single organization; it is also necessary to control suppliers. An attacker looks for the shortest, fastest and most defenseless path. They are professionals, they do not wear pajamas. Security is a necessity and you have to go ahead, go on the offensive. The cost of a mistake is really high.”
“The information acquired,” according to the US alert, “provides significant insights into the development and deployment timelines of US weapons platforms, vehicle specifications, and plans for communications infrastructure and information technology.”
Ukraine has been the testing laboratory for Russia’s cyberattack capacity, and it is logical that these days we are witnessing the deployment of this type of capacity.
Manuel Ricardo Torres, advisor to the Europol Advisory Council on Terrorism and Propaganda
The security agencies’ alert is based on “the historical pattern of cyber attacks against Ukraine with international consequences,” according to the British security centre. The Europol adviser agrees: “Russia, in the same way it has mobilized a huge amount of conventional military force, is also going to use that civil dimension which, in fact, it has been using in Ukraine since 2014. It has been the testing laboratory for cyber-attack capacity, and it is logical that these days we are witnessing the deployment of this type of capacity.”
The risk, according to Manuel Ricardo Torres, is double. The first is by contagion. “Although it seems that an attack is surgical, clearly oriented to a goal, the reality is that there is always the risk of overflow, that in the end control of the vectors is lost and it ends up affecting another objective that is not related to the attack.” “The second risk,” as this international adviser explains, “is that Russia, in response to the set of economic sanctions that Europe and the United States are going to implement and that directly affect its business sphere, may be tempted to exercise some type of retaliation against the economic and business sphere of those same countries.”
Is the risk widespread? “Absolutely,” replies the Europol adviser. And he explains: “Even if an attack is targeted at a specific company, in the end it spreads all over the world. I don’t think there is right now, neither in Europe nor in the US, any area that is considered out of danger.”
“Impossible journeys” and other signs of an attempted attack
Some of the signs of an attack, according to the US CISA, are: frequent failed authentication attempts; access from different usernames or from different IP addresses (the numerical representation of the internet point where a device is connected); the use of the same IP address for multiple accounts; “impossible journeys” (detectable when a user logs on from addresses that imply a significant geographic distance within a short time); abnormal password resets; domain takeover attempts; or activity from accounts that were inactive or only sporadically used.
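To make those signals concrete, the following Python script (an added example, not code from the article, from CISA or from Microsoft) scans a constructed feed of sign-in events for four of the indicators listed above: bursts of failed authentications, one IP address used by many accounts, “impossible journeys” between two successful logins, and activity from an account that had been dormant. The log format (timestamp, user, source IP, latitude, longitude, result), the coordinates and the thresholds are all assumptions chosen for the demonstration.

```python
"""Hypothetical detections for the sign-in anomalies listed in CISA AA22-047A.

Input: one sign-in event per line, "timestamp,user,src_ip,lat,lon,result",
where result is "ok" or "fail". The geolocation is assumed to have been
attached upstream (e.g. by an IP-to-location lookup); it is not derived here.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed sample events (documentation IP ranges, illustrative coordinates).
SAMPLE_LOG = """\
2022-02-20T08:00:00Z,alice,203.0.113.5,40.42,-3.70,ok
2022-02-20T08:01:00Z,bob,203.0.113.5,40.42,-3.70,ok
2022-02-20T08:02:00Z,carol,203.0.113.5,40.42,-3.70,ok
2022-02-20T08:03:00Z,dave,203.0.113.5,40.42,-3.70,ok
2022-02-20T08:10:00Z,erin,198.51.100.9,51.51,-0.13,fail
2022-02-20T08:10:05Z,erin,198.51.100.9,51.51,-0.13,fail
2022-02-20T08:10:10Z,erin,198.51.100.9,51.51,-0.13,fail
2022-02-20T08:10:15Z,erin,198.51.100.9,51.51,-0.13,fail
2022-02-20T08:10:20Z,erin,198.51.100.9,51.51,-0.13,fail
2022-02-20T08:10:25Z,erin,198.51.100.9,51.51,-0.13,fail
2022-02-20T09:00:00Z,frank,192.0.2.7,40.42,-3.70,ok
2022-02-20T09:30:00Z,frank,192.0.2.200,35.68,139.69,ok
2022-01-01T10:00:00Z,grace,192.0.2.50,40.42,-3.70,ok
2022-02-20T10:00:00Z,grace,192.0.2.51,40.42,-3.70,ok
"""


def parse_events(text):
    """Parse the CSV-like feed into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, lat, lon, result = line.split(",")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "ip": ip,
            "lat": float(lat), "lon": float(lon),
            "ok": result == "ok",
        })
    return sorted(events, key=lambda e: e["ts"])


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on a 6371 km sphere."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def failed_auth_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Users with at least `threshold` failed sign-ins inside a sliding window."""
    by_user = defaultdict(list)
    for e in events:
        if not e["ok"]:
            by_user[e["user"]].append(e["ts"])
    flagged = set()
    for user, times in by_user.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(user)
                break
    return flagged


def shared_ip_accounts(events, min_accounts=3):
    """Source IPs from which `min_accounts` or more distinct users signed in."""
    users_by_ip = defaultdict(set)
    for e in events:
        if e["ok"]:
            users_by_ip[e["ip"]].add(e["user"])
    return {ip: users for ip, users in users_by_ip.items() if len(users) >= min_accounts}


def impossible_travel(events, max_speed_kmh=900.0, min_km=50.0):
    """Consecutive successful logins of one user that would require travelling
    faster than `max_speed_kmh`. Distances under `min_km` are ignored so that
    geolocation jitter inside one city does not fire the rule."""
    last, hits = {}, []
    for e in events:
        if not e["ok"]:
            continue
        prev = last.get(e["user"])
        if prev is not None:
            km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            hours = (e["ts"] - prev["ts"]).total_seconds() / 3600
            if km > min_km and km > max_speed_kmh * hours:
                hits.append((e["user"], prev["ip"], e["ip"], round(km)))
        last[e["user"]] = e
    return hits


def dormant_reactivations(events, dormant_days=30):
    """Successful logins by accounts unused for `dormant_days` or longer."""
    last_seen, hits = {}, []
    for e in events:
        if not e["ok"]:
            continue
        prev = last_seen.get(e["user"])
        if prev is not None and e["ts"] - prev >= timedelta(days=dormant_days):
            hits.append((e["user"], (e["ts"] - prev).days))
        last_seen[e["user"]] = e["ts"]
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("failed-auth bursts:", failed_auth_bursts(evs))
    print("shared IPs:", shared_ip_accounts(evs))
    print("impossible travel:", impossible_travel(evs))
    print("dormant reactivations:", dormant_reactivations(evs))
```

Each rule is deliberately simple and each will produce false positives in a real tenant: a corporate proxy, VPN egress or NAT legitimately puts many accounts behind one IP, cloud-hosted mail clients can make a user appear to “travel”, and service accounts may be dormant by design. The thresholds are starting points to tune against a baseline of the organization’s own sign-in history, and a hit is a prompt to verify the session (device, MFA result, conditional-access outcome) rather than a verdict on its own.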
The problem, as Torres warns, is that “achieving a level of robustness and sufficient preparation now cannot be improvised.” “Many companies and institutions,” he adds, “will find themselves facing the harsh reality that, if they haven’t done their homework years ago, it is now very difficult to take emergency measures.”
And he concludes: “Patching all the vulnerabilities in a network and generating a protocol on how to organize in the event of a service outage is something that some have taken very seriously for a long time. Whoever has not done it in time will not be able to do it now. It’s just like conventional military weakness: even if a country is determined now to solve that problem, it won’t be able to do so for many years. This also happens in the civil sphere. Waiting for a crisis to break out before starting to take action and devoting the necessary resources means arriving late.”
Chester Wisniewski, principal researcher at Sophos, a company specialized in state-of-the-art cybersecurity, agrees with the Europol adviser’s analysis: “Collateral damage and repercussions can occur for both people and organizations outside the main scenario.”
Wisniewski recommends “heeding the advice of the United States and other governments.” “They should be on high alert, take steps to protect their network and systems, and since physical security is paramount, consider steps to secure, shut down, or take down their physical networks and systems in Ukraine.”
And the researcher concludes: “In the end, it doesn’t matter if you are attacked by a State, a Russian supporter or the stereotypical teenager from some basement: you must have updated security systems, configured in layers to anticipate failures and carefully monitored to recognize signs of an ongoing attack.”