CDSA

ME-ISAC Monthly Meeting: Be Ready for Cyberattack Disruptions

Media and entertainment (M&E) organisations should be ready for cyberattack disruptions by Russia if they haven’t experienced any already, even if the energy sector seems like the most likely target, according to the founding partners of the security consultancy Krebs Stamos Group.

Chris Krebs, one of those founders, has been focusing in the last six months or so on helping technology organisations “understand how geopolitical risk factors impact their cybersecurity postures as well as their IT operations,” he said March 29 during a discussion around the ongoing Russo-Ukraine War that was part of the Media & Entertainment Information Sharing Analysis Center (ME-ISAC) monthly meeting.

The online event, held via the MESAverse platform and Zoom, provided background and context on how the war reached its current state, how the conflict has progressed, and the impact that the sanctions, cyber operations and military operations are having and may yet have on M&E businesses.

“A number of organisations have had to make pretty significant operational posture adjustments, in fact, over the last couple of weeks, as they made decisions on operations on Russia, for instance,” said Krebs, who previously served as the first director of the U.S. Cybersecurity and Infrastructure Security Agency.

With a long career as a cyber-policy expert in the private and public sectors, Krebs has unprecedented experience building coalitions to deal with critical security challenges.

“There’s still opportunity for disruptions,” he warned viewers. The current situation goes back to last summer, when the U.S. intelligence community had a sense that something significant was up after the Russian government placed “a couple of hundred thousand troops on the border of Ukraine,” just as Russia did in 2014, he recalled.

Russia is using the same “combined arms approach” that it previously used in 2008 when invading Georgia and 2014 when invading Ukraine, he said, explaining that Russia is using cybersecurity capabilities, as well as information and disinformation campaigns.

The U.S. government assessed a high threat of Russian cyberattacks against U.S. targets and Congress also grew concerned after Russia invaded Ukraine earlier this year, he said.

Sure enough, in January, Russia kicked off a series of cyberattacks, including half a dozen or more malware attacks on Ukrainian networks, he pointed out. There were also “website defacements” and Denial-of-Service (DoS) attacks, he noted.

Early on in the invasion, Russia was also implicated in a cyberattack on U.S. communications company Viasat, he said, referring to the attack on the firm’s KA-SAT network in Europe that resulted in a partial interruption of consumer-oriented satellite broadband service.

There were also “bricked modems” in Europe, and wind turbines in Germany that depend on Viasat capabilities were impacted by the Russian cyberattacks, he said.

But Russia didn’t do anything along the lines of turning the grid off, Krebs said. There are a few theories on why Russia didn’t pull off more significant cyberattacks during the initial invasion, among them that Russia “didn’t really tell anybody” they were actually invading Ukraine and that it didn’t take down Ukraine’s communications network because Russia wanted to use that communications infrastructure, he noted.

Other theories: Russia expected to “make a lightning run up to Kyiv,” the Ukrainian capital, and didn’t think there was much support for Volodymyr Zelensky, the Ukrainian president, Krebs said.

But “this thing’s not over yet,” he warned, adding it’s not clear what the path forward will be between Russia and Ukraine. There is still “significant concern” as new sanctions against Russia are put in place by the U.S. and its NATO allies, who are also providing more lethal aid to Ukraine, he said, adding: “They’re absolutely feeling the pain in Moscow.”

There was a “strategic error by the Russians of leaving up the telecommunications network,” allowing Zelensky to communicate to his citizens and with the U.S. and other NATO allies, according to Krebs.

We are also “seeing some of those long-feared deepfake concerns come to light” now in the form of recent manipulated media (not quite deepfakes) indicating Ukraine was surrendering when it wasn’t, he said.

After Krebs wrote an op-ed for the Financial Times that was published recently about an upcoming Russian cyberattack, U.S. President Joe Biden issued a public warning about what Russia was up to, Krebs said, noting it was the first time he had seen a president go public about an expected incoming cyberattack.

“A lot of folks took notice,” said Krebs. The FBI also issued a flash alert, reporting that four hackers scanned the networks of five U.S. energy firms.

“This is that new battle space” and there is “evolving intelligence that the U.S. government is increasingly concerned about,” he went on to say, adding: “The problem here is that it’s a pretty active battle space.”

The U.S. government also recently indicted four Russian government workers for hacking and “there are a number of bad actors that we are concerned about,” Krebs said, adding there is concern about not just state actors but also non-state actors linked to Russia.

There are also “a thousand different ways that this event could escalate” beyond just cyber threats, he warned.

We should all expect to see more piracy and there is a “non-zero chance of further escalation of hostilities in NATO countries,” so companies should consider options for their IT operations risk management, especially in Poland and the Baltic countries, he said. He also suggested that companies take advantage of lessons learned in this crisis to understand their ability to isolate and protect IT operations in other risky geographies.

“This is truly a situation without precedent,” according to Alex Stamos, co-founder of Krebs Stamos Group and also founder and director of the Stanford Internet Observatory.

It’s “not incredibly likely” that the threats will go away, said Stamos, who previously led the security teams at Facebook and Yahoo as they confronted some of the world’s most challenging threat actors and has helped dozens of companies build strong security foundations.

Companies should put security plans together now and be ready to execute on them if there is an attack by Russia or other bad actors, Stamos said, adding they should have automated plans in place that can go into effect quickly. He also suggested that IT people highlight to their companies’ executive teams what the risks are now.

Meanwhile, “don’t forget the fact that the Russian ransomware gangs continue to be a significant player” also, according to Krebs. “Your threat model should start with ransomware actors because that poses the greatest business operational disruption risk,” he warned.

ME-ISAC provides stakeholders with intelligence on incidents, threats, risks, vulnerabilities, and associated remediations in the form of alerts, threat intelligence feeds, newsletters, forums, training and more.
