Disinformation campaigns, distributed denial-of-service attacks, wiper malware, Internet blackouts, and bot armies are just a few of the various digital attacks that Russia has aimed at Ukraine. In late February, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) issued a joint advisory warning US firms to prepare their defenses to defend against these kinds of attacks. As of now, at least four different kinds of wiper malware — destructive disk-wiping malware — have been released during the conflict.
For those who are still wondering where is the cyberwar in the Russian invasion, it's already here and it's imperative for organizations across the globe to be prepared. However, in a tightly integrated global economy, these preparations must not occur in isolation but, rather, must encompass an organization's partners — and their partners' partners and so forth. Collective resilience captures this notion of strengthening the defenses across an organization's entire supply chain ecosystem by pursuing strength in unity, but viewed through a realistic lens, that self-preservation requires strengthening and lifting up the weakest links within highly interdependent systems. When it comes to the growing uncertainty and instability stemming from the Russian invasion, there has been a sharp swing toward collective resilience to proactively offset and mitigate the ongoing Russian malicious cyber activity.
Russian malware has a history of making organizations across the globe collateral damage, even if they are not the intended target. In 2017, a destructive supply chain attack propagated across the globe in a matter of hours. Maersk, Merck, and FedEx were just a few of the global victims, as the cyberattack disrupted ports, hindered vaccine distribution by the Centers for Disease Control and Prevention, and crippled manufacturing sales. This history, coupled with Russia's ongoing deployment of a range of malicious cyber activity during the fog of war, elevates the risk and potential for collateral damage across the globe due to cyberattacks. CISA's Shields Up campaign attests to the growing risk to organizations stemming from the Russian invasion.
However, Shields Up should not just apply to an organization's own systems but to its partners as well. Third-party risks remain a core attack vector targeting the weakest link within an organization's supply chain. More than 2,000 US-based firms had suppliers in Ukraine and Russia prior to the invasion; a number which exponentially increases to hundreds of thousands of suppliers when integrating their second- and third-tier suppliers. Even if these suppliers are not the intended targeted, they may become collateral damage in the war.
An organization's digital supply chain similarly must be part of this extended defense. Just as NotPetya exploited the digital supply chain, the US and UK have warned that the Russian-linked Cyclops Blink botnet is targeting ASUS, a Taiwanese electronics company. Coupled with the Lapsus$ Group's ongoing attacks, supply chain attacks remain on the rise and are a core component of Russia's strategy of preparatory installation and reconnaissance. The Cyclops Blink campaign has been active since at least 2019, illustrating Russia's ongoing efforts to embed and prepare for future exploitation. FBI Director Christopher Wray explained how cyberattacks do not occur instantaneously, but rather, "There's activity that leads up to it. ... There's developing access to those systems. So, there's a whole range of preparatory work, which is what we've been seeing." This access increasingly occurs through the digital supply chain.
Furthermore, the growing list of approximately 400 sanctioned Russian companies introduces an additional cyber and supply chain risk for organizations. For instance, the March 24 US Department of Treasury sanction targets almost 50 Russian defense-industrial base organizations, including Joint Stock Company Russian Helicopters. This company alone has hundreds of tier-1 and tier-2 suppliers and is in the supply chain of many technology and aerospace and defense companies as it accounts for 10% of the global helicopter market. Many in the aerospace and defense sector rely on the same suppliers, exacerbating the potential for a single sanctioned company to propagate risk throughout the industry.
These companies are not only at risk of noncompliance fines but need to consider the degree to which the hundreds of restricted companies have access to their data or networks. More sanctions are also likely, including secondary sanctions that target third-party relationships — a step that would yet again stress the necessity of collective resilience across an organization's entire supply chain.
Some are adhering to CISA's warnings and strengthening their own defenses, while others still debate the absence of malicious cyber activity in the Russian invasion. While fortunately there has yet to be the major attacks many feared, Russia continues "to undermine, coerce, and destabilize," according to Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technology. As we've seen in the past, these destabilization efforts are unlikely to remain contained to Ukraine. Organizations should seek a collective resilience approach in preparation for the growing geopolitical instability across the globe. Defenses are only as good and as strong as those with whom we partner.