The Russian invasion of Ukraine isn’t just on the ground — it’s also online, and cybersecurity experts warn it could have an impact on Canadians.
A recent report from the Waterloo, Ont.-based online security firm eSentire found the Conti Ransomware Group has declared its support for Russia on the group’s data leak website.
At first, the Conti Ransomware Group announced its “full support of [the] Russian government” on Feb. 25, a day after Russia invaded Ukraine.
Later that day, the group appeared to soften its message to say they “do not ally with any government and we condemn this ongoing war,” but also said it would focus its efforts to retaliate against “the Western warmongers.”
The group is known for using Cobalt Strike ransomware software to infiltrate computer networks of major corporations, including municipalities and health-care systems.
Seeing it align itself with Russia so openly is significant, said Keegan Keplinger, a Yukon-based threat intelligence research and reporting lead for eSentire.
Keplinger recently wrote a report on the Contri group and its use of Cobalt Strike, which is posted to the company’s security advisories page.
“I have not seen that before,” he said of Contri aligning with Russia, but it also doesn’t surprise him. For example, he said, the group uses malware that comes out of Russia and looks for a Russian keyboard.
“If you have a Russian keyboard, the malware will stop and it won’t infect you any further.”
Keplinger expects the Russian government is aware of what the group is doing online.
“It’s not like the Russian government’s saying go and fight these people. But the Russian government is at least turning a blind eye.”
Call to bolster online defences
On Feb. 24, Canada’s Communications Security Establishment (CSE) warned power companies, banks and other major companies “to take immediate action and bolster their online cyber defences” the same day Russia invaded Ukraine.
“When we have a situation like we have now with Russia engaged in a conflict, we want to make sure that Canadian institutions have every mechanism possible to help defend themselves,” Dan Rogers, associate chief at CSE, said at the time.
Even before the invasion, Matthew Schmidt, an associate professor and national security expert at the University of New Haven in Connecticut, warned people will see high-level cyberattacks “just short of war.”
“That has become a constant background fixture of modern warfare. It’s going on now,” Schmidt said in an interview in December.
Russian intelligence services maintain a relationship with cyber criminals through association or recruitment, says Jeff Sims, who until recently was chief executive officer of Kitchener, Ont.-based online security firm Cyber Mongol. He’s now a senior security engineer with the cyber intelligence company Hyas and is based in Quebec.
This “allows them to operate with near impunity as long as their attacks align with Russian objectives,” Sims said. “Given the current climate that we find ourselves in, this will surely bolster criminal activity against Canadian assets in general.”
When it comes to attacks like Cobalt Strike malware, the likely victim would be corporate environments and not the average person, Keplinger said.
“On their private computer, you just have one computer. So there’s not a lot of need to intrude and go get around the network,” he said. “When it comes to enterprise networks, any time you have a hands-on intrusion in the last year or two, it pretty much always involves Cobalt Strike.”
Sims also noted as some people continue to work from home rather than in an office, people become “softer targets outside the scope of the corporate security controls and attackers know this.”
He warned that may mean more sophisticated attacks on corporations by targeting an individual user.
Expect an uptick in cyberattacks
It’s not just corporations that need to be worried, though, Sims said.
“Not to preach doom and gloom, but I think Canadians will definitely see an uptick in ransomware, cyber-related espionage and disruption to services.”
He offered some “basic cyber hygiene” tips to keep yourself safe:
- Limit the amount of personal information shared online: “Full stop,” Sims said. “Adversaries conduct reconnaissance, and the less you give them to operate on, the more difficult you make it.”
- Keep software and operating systems up to date: The updates can mitigate any vulnerabilities that ransomware groups know about and exploit.
- Create a strong password: That means upper and lower case numbers or letters as well as special characters.
- Use multi-factor authentication, but with caution: “Don’t rely on multi-factor authentication to keep you safe in lieu of, say, good clicking practices, because adversaries can phish an account with special tooling even protected by multi-factor authentication.”
- Keep in mind to think before you click: “A rule that I use is, I never click to log on to a resource through an email. If I’m concerned enough to want to look at an account based on an email that I receive, I go to the web browser directly and log on to that resource. That should prevent you from having your credentials phished.”
- Back up files regularly on an offline storage device like an external hard drive: This helps protect against possible ransomware attacks, but also protects data in the event of a hard drive failure, “which is probably even more likely,” Sims said.
Tips for municipalities and companies
In recent years, Ontario municipalities like Stratford, Wasaga Beach and Midland have seen ransomware attacks.
Elizabeth W. Clarke, director of public relations for eSentire and based in Atlanta, also offered tips for companies or municipalities to stay safe:
- Work with a company to review possible critical vulnerabilities that could be a target.
- Ensure email security products are in place to prevent phishing and malspam attacks.
- Train employees to understand what malicious content could look like, and report it.
- Use multi-factor authentication for all external facing services.
- Require long, unique passwords.
- Disable all non-active accounts.
- Be prepared to isolate critical infrastructure from the internet.
- Have a plan in place for what to do if a cyber attack occurs.