Last week during a webinar session, I was asked a question about why the cyberattacks from Russia didn’t materialize to the levels that we were warned about.
To answer that, we need to understand how Russian APT groups choose and work their targets. Russian APT actors have rarely shown a linear rise in the intensity and volume of their attacks; the exception is once a target has been chosen, since they do not go after many targets in cyberspace at random. Mostly they pick a target, attack it relentlessly until they succeed, and then move on. Such attacks are continuing, as seen in the case of the German wind turbine manufacturer Nordex SE, which was attacked last week. Renewable energy companies, power utilities, and oil pipeline operators in particular remain on the watch list of Russian APT groups.
So what exactly are Russian APT groups up to, and what is this ‘delay’ all about?
Given the above, a multi-sector attack across geographies is not on the horizon in the near term. The chatter we are picking up on the Dark Web and from the APT groups we monitor suggests that specific targets and countries are being selected and attacked with tailored malware and tactics.
Here are some facts on the activities of Russian APT groups over the last 8 weeks:
- Our honeypots across Western Europe have recorded a rise in cyberattacks since the onset of the war
- The spike has been limited to the sectors mentioned earlier, plus manufacturing companies and defense forces, firms, and groups
- Russian APT groups are running sophisticated campaigns to target NATO and defense forces in the region
- These groups could also start targeting countries that are supplying lethal weapons to Ukraine
- On the day the war started, over 10,000 Viasat satellite broadband modems were knocked offline
- Ukrtelecom, Ukraine’s biggest fixed-line internet provider, confirmed last week that it was hit by a severe cyberattack that disrupted services, disconnected several cities, and cut connectivity to as low as 13 percent of pre-war levels. The attack reportedly targeted home routers, among other devices, which were shut down
- In the days leading to the war, several Ukrainian agencies were attacked by Russian APT groups
- It is possible that Russia doesn’t want more attention to come its way while it focuses on the war of attrition in Ukraine
- Russian groups have also taken note of the advisories issued by governments and know that the chances of their attacks being detected, contained, or repelled are high. Russia is already facing a large spike in inbound cyberattacks and does not want more actors joining the ongoing attacks on its critical infrastructure and enterprises
- The volume of reconnaissance activity from Russian APT groups has been growing steadily since January 2022, targeting OT and IoT-based infrastructure projects in Western Europe and North America
- The chances of false-flag attacks on critical infrastructure by Russian hackers remain high. Many of these hackers are using Ransomware-as-a-Service and Malware-as-a-Service offerings, in association with an APT group from a southeast Asian country, to monetize their attacks
- Intelligence indicates some degree of attrition within two Russian APT groups, including Primitive Bear, which has been targeting Ukraine
- Some APT groups have also been drafted to target hackers who are attacking Russia
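The reconnaissance trend against OT and IoT infrastructure described above is something a defender can measure on their own sensors. The following is an added example, not Sectrio's tooling or anything from the original post: it parses a constructed honeypot connection log (the one-line-per-connection format and the list of ICS/OT listener ports are assumptions), flags sources that sweep several distinct OT protocols on the same sensor, and reports week-over-week growth in OT-port hits.

```python
"""Flag OT/ICS reconnaissance in honeypot connection logs.

Added example, not Sectrio's code. Assumed log format (one connection per line):
  <ISO-8601 UTC timestamp> src=<ip> dport=<port> proto=<tcp|udp>
"""
from collections import defaultdict
from datetime import datetime, timezone
import re

# Assumption: these are the ICS/OT services the honeypot exposes. port -> label.
OT_PORTS = {
    102: "siemens-s7",
    502: "modbus",
    1911: "niagara-fox",
    2404: "iec-104",
    4840: "opc-ua",
    20000: "dnp3",
    44818: "ethernet-ip",
    47808: "bacnet",
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>[\d.]+)\s+dport=(?P<dport>\d+)\s+proto=(?P<proto>\w+)$"
)


def parse_line(line):
    """Return (timestamp, src, dport), or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["src"], int(m["dport"])


def ot_recon_sources(lines, min_protocols=2):
    """Sources that touched at least `min_protocols` distinct OT services.

    A single hit on one OT port is background noise; one source walking several
    different ICS protocols on the same sensor is a protocol sweep, which is
    the reconnaissance pattern worth escalating. Returns {src: [labels]}.
    """
    seen = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed or unrelated line
        _, src, dport = parsed
        if dport in OT_PORTS:
            seen[src].add(OT_PORTS[dport])
    return {src: sorted(p) for src, p in seen.items() if len(p) >= min_protocols}


def weekly_ot_hits(lines):
    """Count OT-port hits per ISO week. Returns {(iso_year, iso_week): count}, sorted."""
    counts = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, _, dport = parsed
        if dport in OT_PORTS:
            year, week, _ = ts.isocalendar()
            counts[(year, week)] += 1
    return dict(sorted(counts.items()))


def rising_weeks(weekly, factor=1.5):
    """Weeks whose OT-hit count is at least `factor` times the previous week's."""
    keys = list(weekly)
    return [k for prev, k in zip(keys, keys[1:]) if weekly[k] >= factor * weekly[prev]]


# Constructed sample log: one host sweeping several ICS protocols over three
# weeks, one host that only probes SSH, one host that starts with a single
# Modbus hit and later sweeps, and one malformed line.
SAMPLE_LOG = """\
2022-03-07T09:00:01Z src=198.51.100.10 dport=22 proto=tcp
2022-03-07T09:00:05Z src=203.0.113.7 dport=502 proto=tcp
2022-03-08T11:14:20Z src=203.0.113.7 dport=102 proto=tcp
2022-03-14T02:30:00Z src=203.0.113.7 dport=20000 proto=tcp
2022-03-14T02:30:02Z src=203.0.113.7 dport=47808 proto=udp
2022-03-15T17:45:10Z src=192.0.2.55 dport=502 proto=tcp
garbage line that should be skipped
2022-03-21T04:00:00Z src=192.0.2.55 dport=4840 proto=tcp
2022-03-21T04:00:01Z src=192.0.2.55 dport=2404 proto=tcp
2022-03-21T04:00:02Z src=192.0.2.55 dport=44818 proto=tcp
2022-03-22T04:00:02Z src=203.0.113.7 dport=1911 proto=tcp
""".splitlines()

if __name__ == "__main__":
    for src, protos in ot_recon_sources(SAMPLE_LOG).items():
        print(f"OT protocol sweep from {src}: {', '.join(protos)}")
    weekly = weekly_ot_hits(SAMPLE_LOG)
    print("OT hits per ISO week:", weekly)
    print("weeks with >=1.5x growth:", rising_weeks(weekly))
```

The threshold of two distinct protocols and the 1.5x week-over-week factor are starting points, not tuned values; on a real sensor, raise `min_protocols` until single-port background scanning drops out, and compare against a baseline window longer than one week before calling a rise a trend.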
Analyzing these facts, we can conclude that Russian hackers have not given up, nor are they slowing down. They are simply sticking to their existing playbooks, which favor specific attacks tied to a timeline over attacking every piece of digital infrastructure out there.
Some of this reconnaissance activity may be upgraded to full-fledged attacks in April. Russia could also activate new botnets in its eastern region to compensate for the loss of a few botnets in March.
Lastly, Russian APT groups could release some of their tools to enable other hackers to target enterprises, individuals, and governments across the globe. In summary, we are not out of the woods yet. Sectrio advises all businesses to maintain a high state of alert and be prepared to ward off cyberattacks in the coming weeks.