The Russian invasion of Ukraine isn’t being fought only on the ground; it is also being fought online, and cybersecurity experts warn it could affect Canadians.
A recent report from Waterloo, Ontario-based online security firm eSentire found that the Conti ransomware group declared its support for Russia on the group’s data leak website.
At first, the Conti Ransomware Group announced its “full support for [the] Russian government” on February 25, a day after Russia invaded Ukraine.
Later in the day, the group appeared to soften its message, saying it “does not ally itself with any government and we condemn this ongoing war”, but it also said it would focus its efforts on retaliation against “Western warmongers”.
The group is known for using Cobalt Strike, a commercial post-exploitation tool (not ransomware itself), to move through the computer networks of large organizations, including municipalities and healthcare systems, before deploying its ransomware.
To see the group aligning itself so openly with Russia is significant, said Keegan Keplinger, Yukon-based threat research and reporting manager for eSentire.
Keplinger recently authored a report on the Conti Group and its use of Cobalt Strike, which is posted on the company’s security advisories page.
“I’ve never seen this before,” he said of Conti’s alignment with Russia, but it doesn’t surprise him either. For example, he said, the group uses malware of Russian origin that checks for a Russian keyboard layout on the victim machine before running.
“If you have a Russian keyboard, the malware will stop and no longer infect you.”
Keplinger expects the Russian government to be aware of what the group is doing online.
“It’s not like the Russian government is saying go fight these people. But the Russian government at least turns a blind eye.”
Call to strengthen online defenses
On February 24, the same day Russia invaded Ukraine, Canada’s Communications Security Establishment (CSE) warned power companies, banks and other large businesses “to take immediate action and strengthen their online cyber defenses”.
“When we have a situation like the one we have now with Russia engaged in a conflict, we want to ensure that Canadian institutions have all possible mechanisms to defend themselves,” said Dan Rogers, who was associate chief of CSE at the time.
Even before the invasion, Matthew Schmidt, an associate professor and national security expert at the University of New Haven in Connecticut, warned that people would see high-level cyberattacks “just before war”.
“It’s become a constant staple of modern warfare. It continues now,” Schmidt said in a December interview.
Russian intelligence services maintain a relationship with cybercriminals through associations or recruitment, says Jeff Sims, who until recently was chief executive of online security firm Cyber Mongol, based in Kitchener, Ontario. He is now a senior security engineer with the cyber-intelligence company Hyas and is based in Quebec.
This “allows them to operate with near impunity as long as their attacks align with Russian objectives,” Sims said. “Given the current climate we find ourselves in, this will surely increase criminal activity against Canadian assets in general.”
When it comes to intrusions that rely on Cobalt Strike, the likely victims are corporate environments rather than the average person, Keplinger said.
“On their private computer, you only have one computer, so there’s really no need to intrude and bypass the network,” he said. “When it comes to corporate networks, any time you’ve had a hands-on intrusion in the last year or two, it pretty much always involves Cobalt Strike.”
Sims also noted that with some people continuing to work from home rather than in the office, people become “easier targets outside the scope of corporate security controls and attackers know that.”
He warned that this could mean more sophisticated attacks on businesses by targeting an individual user.
Expect an increase in cyberattacks
Companies aren’t the only ones worried, however, Sims said.
“I don’t want to preach doom, but I think Canadians will definitely see an increase in ransomware, cybersecurity-related espionage and service disruption.”
He offered some “basic cyber hygiene” tips to keep you safe:
- Limit the amount of personal information shared online: “Period,” Sims said. “The adversaries do reconnaissance, and the fewer openings you give them, the more difficult you make it for them.”
- Keep software and operating systems up to date: Updates patch the publicly known vulnerabilities that ransomware groups routinely exploit to get in.
- Create a strong password: This means a long password that mixes numbers, upper- and lower-case letters and special characters.
- Use multi-factor authentication, but with caution: “Don’t rely on multi-factor authentication to keep you safe instead of, for example, good click practices, because adversaries can phish an account with special tools, even one protected by multi-factor authentication.”
- Remember to think before you click: “A rule I use is that I never click to connect to a resource via email. If I’m concerned enough to want to check an account based on an email I receive, I go straight to the web browser and log in to that resource. This should prevent you from having your credentials hacked.”
- Regularly back up files to an offline storage device such as an external hard drive: This helps protect against possible ransomware attacks, but also protects data in the event of a hard drive crash, “which is probably even more likely,” Sims said.
Advice for municipalities and businesses
In recent years, Ontario municipalities like Stratford, Wasaga Beach and Midland have been victims of ransomware attacks.
Elizabeth W. Clarke, public relations director for eSentire and based in Atlanta, also offered tips for businesses or municipalities to stay safe:
- Work with a company to review any critical vulnerabilities that could be a target.
- Make sure email security products are in place to prevent phishing and spam attacks.
- Train employees to understand what malicious content might look like and report it.
- Use multi-factor authentication for all external services.
- Require long and unique passwords.
- Disable all non-active accounts.
- Be prepared to isolate critical infrastructure from the Internet.
- Have a plan in place for what to do if a cyberattack occurs.