Cyber Lessons Learned One Year Into Russia’s War in Ukraine

Don’t get cocky—or complacent. Those are arguably the two most universal lessons learned in the past year about cybersecurity, its role in armed conflicts, and the steps enterprises around the world must take to protect themselves.

In the past few weeks, as the world has braced for tomorrow, the first anniversary of Russia’s invasion of Ukraine, experts and pundits have been trying to assess the role that cyberweapons have played in the war. A year ago, Western nations in particular were prepping for the worst.

Shut down attackers with a threat hunting solution that offers high-fidelity and complete real-time data.

“We were expecting much more significant impacts than what we saw,” said Mieke Eoyang, deputy assistant secretary of defense for cyber policy at the Department of Defense, in a panel at the 2022 Aspen Cyber Summit in November. “I think it’s safe to say that Russian cyber forces as well as their traditional military forces underperformed expectations.”

While cyber hostilities have mostly remained confined to Ukraine, there have been some decisive exceptions related to Western infrastructure. In addition, a Russia-backed cyberattack on U.S. satellite company Viasat disrupted Ukraine military communications in the early days of the war; the Russia-linked hacking group GhostWriter led an all-out phishing assault on Poland in 2022; Russia’s Sandworm hackers deployed malware in Ukraine and Poland last fall; Russian-speaking hackers knocked offline more than a dozen U.S. airports (including LaGuardia and O’Hare) in October; Russian cybercriminals have been reportedly using underground discussion groups to brainstorm ways to weaponize the much-buzzed-about artificial intelligence bot ChatGPT, just released in November; and Russian phishing campaigns against NATO countries increased more than 300% from 2020 to 2022, some of which is no doubt linked to the current conflict, notes a recent Google analysis.

And those are just the incursions we know about.

Expect more. That analysis by three divisions of Google, released this month, notes with “high confidence” that Russia will likely “increase disruptive and destructive attacks in response to developments on the battlefield,” targeting both Ukraine and NATO partners.

It is really important that we are taking all the steps we can to prepare for the possibility of [cyberattacks], to make ourselves as hard and resilient a target as we can be.

“I don’t think any of us know what the escalation calculus is going to be and at what point we might be having to really think about attacks on U.S. infrastructure,” said Eoyang. “But it is really important that we are taking all the steps we can to prepare for the possibility of that, to make ourselves as hard and resilient a target as we can be.”

With that in mind, we’re recapping some of Focal Point’s Ukraine-related coverage prescribing the best steps that business and security leaders can take to effectively prepare for cyber hostilities to come. Here are three vital lessons to learn—and act on—now, if you haven’t started already.

Lesson 1: Global crises trigger (harder-to-resist) phishing scams

Once Russian tanks rolled onto Ukrainian soil, it didn’t take long for phishing emails to hit in-boxes. One of the first reported phishing attacks—instigated by a Belarus-tied cyber gang and directed at European Union personnel working with Ukrainian refugees—was detected the same day Russia invaded. Just weeks later, a report from the email security firm Cyren estimated that threat actors were deploying more than 100,000 fake donation emails a day.

This is becoming standard operating procedure—a crisis hits, and heart-tugging phishing messages with subject lines like “Help Ukrainian War Victims” proliferate. Earlier this month, Turkey’s General Directorate stated it had shut down 46 “phishing scam” websites attempting to steal donations for victims of last week’s devastating earthquake.

“Fraudulent emails—often containing malicious links or attachments—are common after major natural disasters” and other global crises, warns a recent announcement from the Cybersecurity and Infrastructure Security Agency (CISA). New phishing-as-a-service toolkits allow amateurs to steal online accounts. And voice-related phishing, or “vishing,” is also on the rise.

What enterprise leaders can do: The pressure is on employers to make sure their workers are informed, trained, and vigilant. Maintaining a tougher, smarter workforce means engaging workers in a companywide commitment to better cybersecurity. That means training all staffers, from entry-level to the C-suite, enhancing worker morale, and investing in technology that can improve the employee experience.

[Read on: A wave of Ukraine crypto phishing scams may get workers fired]

Lesson 2: A proliferation of “war exclusion” clauses proves you can’t rely on cyber insurance alone

With cybercrime on the rise and the war in Ukraine lasting much longer than anyone expected, insurers have started raising rates, deductibles, and concerns about exclusions—particularly the increasingly significant “war exclusion.”

Most policies exclude coverage for acts of war, but such clauses can be tricky to enforce. Given the confusing climate, some have called for a federal “backstop”—much like government insurance covers crop failure—for cyber insurance policies protecting critical infrastructure. In July, the U.S. Government Accountability Office recommended that the departments of Homeland Security and Treasury assess such a plan. But that will take years.

We assess with high confidence that Moscow will increase disruptive and destructive attacks in response to developments on the battlefield.

Meantime, insurers are backing off. Lloyd’s of London announced it will no longer cover cyberattacks attributed to any nation-state, and last year it reportedly began to discourage its roughly 100 syndicate members from writing cyber business this year. Chubb has gone public with a strategy of limiting coverage for widespread events.

What enterprise leaders can do: Take out that insurance policy and read the fine print to determine what’s covered, what’s not, and what you need. But it doesn’t stop there. Insurers increasingly expect clients to beef up cyber hygiene by adopting multifactor authentication and zero trust, automating patch management, and determining your cyber risk score.

[Read on: Will the feds backstop cyber insurance?]

Lesson 3: Building a threat-hunting squad is more vital than ever

If the war in Ukraine is remembered for one thing, it will likely be the figure of the non-state actor. Case in point: the Ukrainian IT Army, an unprecedented and powerful if loose alliance of hackers from across the globe, working in collaboration with officials from Ukraine’s Defense Ministry to target Russian infrastructure and websites.

Russia, of course, has its own crew of cyber-savvy Black Ops mercenaries and backroom coders who may or may not be working with official marching orders from the Kremlin. That’s the problem with this war—the variety of participants and their relationship (if any) to governments is staggering.

All of which makes threat hunting mission-critical for enterprises large and small. Threat hunters are your organization’s own private Navy SEAL team. These cybersecurity pros dig into systems and networks to root out attackers before bad things happen. They understand the tactics, techniques, and procedures of a host of different threat actors, from geeky hackers and ideals-driven hacktivists to cyber gangs and criminal syndicates.

What enterprise leaders can do: Get proactive. Start a threat hunting squad and make it as diverse as possible, including those with different backgrounds and experience levels. (Squads with diversity yield better results.) Look for so-called “soft” skills (problem-solving, risk-taking), and invest in realistic adversary training so hunters can adequately identify real-world threats.

[Read on: The Russia-Ukraine conflict shows why threat hunting teams are now critical]

As the Ukraine conflict enters its 13th month (which is about 12 and a half more than anyone expected a year ago), one thing remains certain: that nothing is certain, or predictable, when it comes to modern-day warfare, and cyberwar in particular.

“Because cyber is a risk-managed exercise and it takes time to prepare, it is very important that everyone is closing all the known vulnerabilities that they have, doing the patching, doing the basics, making sure that they have resiliency plans NOW,” says the DOD’s Eoyang. “Because I don’t know that anyone can say with certainty what will happen next.”