
Ukrainian war, what cyber repercussions on Italy

by admin

The war we are experiencing in these hours is a distant conflict, but probably the closest in recent decades because of the military strategy adopted by Russia and the technological context we live in. Hybrid warfare has long been discussed as the option that uses cyber attacks against the enemy country's systems with the intent of destroying its critical infrastructure and assisting a traditional military attack. For weeks the Ukrainian secret services themselves have been warning the international community about an aggressive campaign of attacks coordinated by Russia, which since the beginning of the year has targeted sites and systems in their country.



Although the computer tools were different, in August 2008 we saw another conflict that culminated in the invasion of Georgia by Moscow's troops and in which, for the first time, cyber attacks were used. I am talking about the second war in South Ossetia. Putin's motivations at the time were no different from the current ones: the intent to expand Russia's hegemony over the territories of the former Soviet Union. In different and certainly less incisive ways, the Russian government's computer experts hit news and government sites belonging to the Georgian government.



So what are the cyber options in a context of war like the one we are witnessing? The answer comes from observing cyberspace and the operations that Russian intelligence apparatuses have been coordinating for months: sabotage operations through destructive malware (wipers) and DDoS attacks that paralyze the affected services by saturating their resources; espionage campaigns for intelligence gathering on the targets; and finally disinformation through social media and instant messaging platforms to destabilize the Ukrainian social context.


Just yesterday I received news from sources in the country that local authorities asked to limit the use of platforms such as WhatsApp, believing that they could be a vector of disinformation. At this point the question that has been asked most frequently is: what are the repercussions on Italy of the war we are witnessing? Is it really that far away? We have read about “cyber viruses” that could affect us; what are they?

I have always emphasized that cyberspace is a space in which the concept of frontier fails, which means that a cyber attack could hit anyone, at any time and from any place. The absence of borders also considerably complicates the attribution of attacks and investigative activities, which fall under different regulatory contexts, and obviously has an impact on the diplomatic front. Having said this, we can hypothesize two main scenarios. In the first, Italian structures are affected by malicious code that has escaped control once released into a space without borders and that can potentially infect any vulnerable system it encounters. In the second scenario, we have to imagine campaigns aimed at Italy with different objectives, and therefore be prepared.

In the first case, one of the destructive malware strains designed to destroy operations in Ukrainian critical infrastructures could spread uncontrollably, infecting systems around the world. This malware could even be studied and modified by experts from other governments to target other states and make it impossible to attribute the attacks. In this scenario, one would tend to attribute an attack to a side effect of the Ukrainian crisis. Finally, if one of these malware strains were to use so-called zero-day flaws, unknown at the time of the attack, knowledge of those flaws could be exploited by criminal actors to develop extremely aggressive and dangerous malicious code.


However, these attacks could have severe consequences on our systems in every sector, from energy to healthcare. This malware could cause temporary or permanent outages affecting the population. The fear is that we may be faced with a new WannaCry, the malicious code responsible for a real large-scale epidemic that occurred in May 2017. In the days of the attack, there were over 230,000 infected computers in 150 countries, with enormous damage to critical sectors.

The other scenario that we may face is that of targeted attacks on our country, in which case the most likely option is that of espionage campaigns aimed at understanding the position of our government and NATO allies on the unfolding of the conflict. We are therefore talking about intelligence operations conducted by Russian APT (advanced persistent threat) groups operating within the Russian military apparatus (GRU), which are undoubtedly extremely complex to identify. Most exposed are the companies and organizations that have relations with Ukrainian companies and entities, but also our diplomatic apparatus.

In both scenarios, information sharing plays a crucial role, i.e. the ability of governments to share information on threats. Cyber Threat Response Centers (CERT/CSIRT) are being tested in these hours. Their job is to collect information about potential attacks and provide information about the vectors used, in order to neutralize them. In these hours, our National Cyber Security Agency, through the CSIRT, issued some alerts relating to the potential impacts of the Ukrainian situation on our infrastructures and shared information about one of the wipers used in attacks on Ukrainian systems, known as HermeticWiper.


“Although there are currently no indicators in this sense, the significant cyber risk deriving from possible collateral impacts on ICT infrastructures interconnected with the Ukrainian cyberspace is highlighted, with particular reference to entities, organizations and companies that have relations with Ukrainian subjects and with which they have telematic interconnections (e.g., B2B connections, users on Ukrainian networks and vice versa, sharing of repositories or collaborative platforms),” says the first alert. “These impacts could derive from the interconnected nature of the Internet, as malicious actions, directed towards a part of it, can extend to contiguous infrastructures, as demonstrated by previous infections with global impact such as NotPetya and WannaCry.”

Obviously, companies that manage to act on these alerts and implement the necessary countermeasures run fewer risks; however, we cannot fail to keep in mind almost all small and medium-sized enterprises, which do not have the technical and financial resources to raise their level of security. It is to these particularly vulnerable entities that my thoughts go, and they are the ones of greatest concern. These entities could be attacked as a way to reach the larger companies they do business with. It is therefore necessary to be vigilant and, today more than ever, to apply a concept of zero trust (be wary of anyone), even in the management of consolidated activities with partners and suppliers.

Finally, I would like to warn network users against criminal activities that could exploit the Ukrainian conflict theme as bait. We could receive emails and messages via social networks or apps inviting us to open videos or documents that would supposedly reveal atrocities or unknown aspects of the war, but in reality they would be traps that can start the infection of our systems. The recommendation is to be cautious and attentive; the alert level is at its maximum.
