Ukraine: Cyber Threat Affecting the UK

Andy Robinson, Director, Forensic services
16/02/2022

As the situation in Ukraine continues to deteriorate, the National Cyber Security Centre (NCSC) has released an advisory that all UK businesses should prepare themselves for the possibility of cyber-attacks and bolster their cyber resilience positions. Although the NCSC has not specified that any attack against the UK is imminent, it believes that the risk is heightened due to the UK’s support of Ukraine.

Why is it important?

There have been numerous media reports of cyber-attacks affecting multiple sectors in Ukraine since hostilities escalated between it and Russia. However, cyber-attacks are not confined by borders and have been known to affect nations outside the intended target’s geography.

Has this happened before?

In 2017, Ukraine was the victim of a highly destructive cyber-attack called NotPetya. NotPetya is a very indiscriminate piece of ransomware – a form of malicious software that locks access to computer services in return for a ransom payable in cryptocurrency.

The indiscriminate nature of NotPetya meant that systems in Ukraine that connected with other systems elsewhere in the world were also infected. However, the ransomware was never designed to actually provide victims with the key to unlock their systems even if they paid. What was also unique about NotPetya was that it was designed to bypass all normal controls and spread through trusted connections rather than widely over the internet.

NotPetya was therefore designed to simply be as destructive as possible rather than generate a profit for Russia – whose military were identified by the NCSC as being responsible for the attack.

Who was affected outside Ukraine?

The global shipping company Maersk was one of the highest profile victims of the NotPetya attack. Although Maersk is based in Copenhagen, NotPetya quickly spread to all of its corporate offices across the world, locking their systems irretrievably. The malware spread across the world, affecting some of the world’s largest companies such as pharmaceutical giant Merck, courier TNT Express, construction company Saint-Gobain and manufacturer Reckitt Benckiser.

NotPetya was not targeted at any particular sector and any imminent cyber-attack towards Ukraine is highly likely to mirror the same destructive traits.

What can we do to protect ourselves?

The lessons learned from NotPetya are numerous, but the most significant is how it gained a foothold in the first place - through the supply chain. NotPetya gained access to computers by hacking a widely used piece of tax reporting software that connected with companies around the world. Supply chain cyber-attacks are numerous and highly likely to continue. With the current tensions in Ukraine, organisations in the UK should take steps to ensure that they are protected.  Some recommendations include:

  • Backups. Ensure that you back up regularly and back up to ‘air gapped’ storage. This means that your backups are not connected to any network and can be safely restored. If your backups are on your main network, they can also become infected.
  • Increase staff vigilance. If your organisation operates a cyber security education and awareness programme, it is recommended that this is repeated as soon as possible so your employees are aware of the early signs of a cyber-attack or what to do if they discover one. Keep an eye out for password reset emails that you didn’t instigate – it could be a sign that your account is being actively targeted.
  • Test your incident response plan. A real incident is never a good time to find out whether your incident response plan works. Test it in advance and ensure that it works as it should. Speed is critical during a cyber-attack, and one changed role or phone number for a key stakeholder could be the difference between containing the attack and it spreading and causing more damage.
  • Reduce the number of IT administrator accounts. Wherever possible, the number of IT accounts with ‘administrator’ or high-level access should be reduced. A compromised administrator account can be catastrophic for an organisation, whereas a standard user account may not impact so badly.
  • Enable Multi-factor Authentication. This is a secondary protection measure that requires a unique code generated from a phone or similar device in addition to your password. If your password is compromised, then the attackers would need possession of your device to gain access to your account.

Did you know…

The global cost of NotPetya is estimated to be between $5 billion and $10 billion.

Please get in touch with your usual Forensic Services contact or Jim Gee if you would like to discuss this issue further.

Contact us

Jim Gee
Partner, National Head of Forensic Services
London