Ask HN: Is your org preparing for Russian hacking as part of Ukrainian crisis?
With the West now imposing sanctions, increased Russian originated cyberattacks are likely to follow. Are corporate and government security teams at DEFCON 3?
17 comments
I work in infosec department. No we are not, well some are talking about it but that's just silly unless your company 's compromise and resulting loss of reputation somehow benefits the russians, you do business with US gov or have presence in Ukraine.
This is interesting strategic intel but everyday is a day a Russian or some other therest actor is trying to hack us. We operate assuming a breach, if that isn't just b.s. corporate speak then not much has changed.
This is interesting strategic intel but everyday is a day a Russian or some other therest actor is trying to hack us. We operate assuming a breach, if that isn't just b.s. corporate speak then not much has changed.
Instead of overtly strategic hacking, isn't the more likely scenario a green light being given to Russian-NSO types to ransom and thieve to their hearts' content?
Not NSO types but regular criminal groups. They already have access to many US orgs just not enough personell to do the hands on keyboard hacking (as opposed to malware).
They will do a ton of hacking but it's not like them to do it just for the sake if making noise. They will posture and distract but at any scale thry will have a strategic objective.
Be worried about everyone else that is expecting you to waste efforts worrying about russians when you don't have to. What immature teams do is setup too much monitoring, geo block russia,etc... introducing a false sense if security and alert fatigue at the same time.
If you haven't already, work on good detections for lateral movement, ransomware and wipers. If you have, just another tuesday.
They will do a ton of hacking but it's not like them to do it just for the sake if making noise. They will posture and distract but at any scale thry will have a strategic objective.
Be worried about everyone else that is expecting you to waste efforts worrying about russians when you don't have to. What immature teams do is setup too much monitoring, geo block russia,etc... introducing a false sense if security and alert fatigue at the same time.
If you haven't already, work on good detections for lateral movement, ransomware and wipers. If you have, just another tuesday.
Uh, the idea is that Russia would use widespread and indiscriminate cyberattacks to punish sanctions. That would make almost everyone a target.
It's not in apt28/29 MO (gru/svr) to do that, they outsource to criminals that do this already everyday. Being alert is reasonable but any mature team is already prepared for this. You don't panic when you are prepared is my point. They don't need a war to spread wipers, if you are not ready after wannacry and notpetya...
It doesn't have to be targeted. NotPetya was a Russian GRU hack aimed at Ukraine that just happened to spillover into becoming the largest worldwide cyber attack in history.
Like i said, do business in ukraine or related entities then be especially on alert. Companies like maersk did business there during notpetya that had spillover. More alert than usual, IR plans reviewed for this.
I think they've already launched the most financially devastating attack imaginable for U.S. corporations - have you noticed that Slack is down?
I'm surprised that cyber-attacks are not as prevalent as one may expect these days...
Cyber-war is asymmetric and cheap. And our infra is weak.
Sure, there are walled moats in FAANG but not so much in social infra (power, banking, commerce, etc)
The biggest will be when one channel of general social discourse is fully taken down. Such as slack (commerce discourse) or reddit or FB (anything people generally communicate on)
HN going down will also be a bad thing, just because of the tech-heavy user-base HN users are.
@dang, how many registered users are on HN.
Regardless, whatever that number is - its a really big % of the overall tech population.
Cyber-war is asymmetric and cheap. And our infra is weak.
Sure, there are walled moats in FAANG but not so much in social infra (power, banking, commerce, etc)
The biggest will be when one channel of general social discourse is fully taken down. Such as slack (commerce discourse) or reddit or FB (anything people generally communicate on)
HN going down will also be a bad thing, just because of the tech-heavy user-base HN users are.
@dang, how many registered users are on HN.
Regardless, whatever that number is - its a really big % of the overall tech population.
If you haven't been preparing for state-level attacks from Russia and PRC backed groups, you're already way, way behind the curve.
Case in point, in the Ukrainian blackout attack of 2014, a highly capable group had access and effective control over the SCADA at the control centers and substations for months before selling it to Russian agents who utilized it at their leisure.
If your org/team is waiting for the crisis, it's only luck protecting you.
Case in point, in the Ukrainian blackout attack of 2014, a highly capable group had access and effective control over the SCADA at the control centers and substations for months before selling it to Russian agents who utilized it at their leisure.
If your org/team is waiting for the crisis, it's only luck protecting you.
I believe this is just silly fear mongering at this point.
Well, I'd guess our difference in opinion is because I work securing critical infrastructure in multiple countries, and I suspect you do not.
If you mean "are Russian actors going to start knocking Youtube offline tomorrow" then no, but they have absolutely had active programs and groups operating against EU and US organizations for years. The US and Five-Eyes certainly do as well in the other direction, but to appearances they seem less willing to engage in sabotage of non-military systems and much more interest in mass surveillance.
If you mean "are Russian actors going to start knocking Youtube offline tomorrow" then no, but they have absolutely had active programs and groups operating against EU and US organizations for years. The US and Five-Eyes certainly do as well in the other direction, but to appearances they seem less willing to engage in sabotage of non-military systems and much more interest in mass surveillance.
It wasn’t a surprise attack by Russia — its been a possibility for several weeks. Many large organizations have been preparing for every eventuality including the heightened risk of cyberattack, likelihood of sanctions, disruption to internet circuits in that area of the world, etc.
Nothing that I know of. Unless you're in the SOC, I doubt they'd tell us what they are doing.
You can ask. Disseminating intel is part of their job. For parties that have an interest. A lot of intel is TLP green or white (shareable to anyone in the company and public respectively)
If it's not something I have to take action on, then it would be a waste of company time for me to ask.
Nothing's changed other than a lot more people are emotionally charged about the topic by media.