//Blogs - 6 Apr 2018

Russia, diplomacy and potential repercussions in Australian cyberspace

Background

We recently witnessed the “largest expulsion of Russian diplomats” by 27-odd countries in support of the UK, following the attempted murder of a Russian double agent on British soil.

Russia in turn directed threats of retaliatory action to the countries involved, including Australia. Australia has signalled intent to boycott the World Cup, which will be held in Russia this year.

With the Gold Coast Commonwealth Games on right now, that may just be sufficient cause for Russian “cyber activists” to direct some nasty traffic our way.

 

Russia’s track record of using cyber attacks in support of its political agenda [1]

  1. 2007, Estonia. Large scale DDoS attack.

           Triggered by the planned relocation of a Russian World War 2 memorial.

  2. 2008, Lithuania. Government site defacements.

           Triggered by the Lithuanian government banning the display of Soviet symbols.

  3. 2008, Georgia. Internal communications shutdown.

           Triggered by Georgia sending troops to reclaim a breakaway republic supported by Russia. This was followed by a Russian military invasion.

  4. 2009, Kyrgyzstan. DDoS against two ISPs.

           Triggered by the need to exert pressure on the government to evict a US military base. It worked!

  5. 2009, Kazakhstan. DDoS on a media outlet.

           Triggered by the release of an article that was critical of Russia.

  6. 2009, Georgia. DoS of Twitter and Facebook in Georgia.

           Triggered by the first anniversary of the invasion of Georgia!

  7. 2014, Ukraine. DoS on the Ukrainian election commission.

           Triggered by attempts to create chaos in support of the pro-Russian candidate.

  8. 2015, Germany. Compromise of the German Bundestag.

           Triggered by an attempt to retrieve information on German and NATO leaders.

  9. 2015, Holland. Attempt to obtain reports on the MH17 investigation.
  10. 2015, USA. Compromise of Democratic Party computers.

           Triggered by attempts to undermine elections.

  11. 2016, Finland. Compromise of Finnish foreign ministry computers.
  12. 2016, Germany. Emerging claims of malicious activity being conducted by Russian hackers to discredit the incumbent chancellor, Angela Merkel.

 

Increasing confidence

The above sequence indicates an increasingly confident nation state, reaching further and deeper into foreign spheres to satisfy its political agenda.

One common thread in the above attacks is that each exposes weaknesses in the targeted country’s government and/or commercial infrastructure. Even stealthy attacks, once exposed in the media, call into question the security posture of the victim nation.

While the above list covers only acts attributed to Russia, other nation states, such as North Korea, have also been attributed with malicious acts against other nations.

Perhaps most significant in the context of the Commonwealth Games is the “Olympic Destroyer” [2] malware that was deployed against South Korea during the Pyeongchang Winter Olympics. This malware was destructive rather than merely disruptive: it was built to render the games’ computer systems unusable by deleting shadow copies and the backup catalog, disabling Windows recovery, clearing event logs and disabling services, after spreading via harvested credentials.

 

What does this mean for us?

Possibly a two-pronged approach:

  1. Noisy hacktivist type attacks
    1. Government website defacements (e.g. foreign ministry)
    2. Commonwealth Games site defacement
    3. Denial of Service attacks against Commonwealth Games infrastructure, or destructive malware in the style of Olympic Destroyer, which achieved a denial of service by wiping hosts rather than by flooding the network
  2. Stealthy attacks
    1. Advanced Persistent Threats (APTs) to obtain sensitive data from Government and commercial entities
    2. Harvesting Commonwealth Games visitor information (which the Gold Coast City Council admitted doing, by collecting users’ Facebook accounts when they connect to the high-speed public Wi-Fi network)

How can we protect ourselves?

  1. Tune preventive and detective controls to indicators of exploit traffic, DDoS traffic, and APTs: per-source and aggregate request rates, known scanner signatures, and unusual outbound connections from internal hosts.
  2. Have a DDoS response plan, including who to call at your ISP and upstream providers before the attack starts. [3]
  3. Watch for acts of cyber-aggression against the other countries threatened with retaliation as a potential indicator of elevated threats against Australia.
  4. Don’t use unprotected public Wi-Fi networks (or “protected” public Wi-Fi networks, since a shared passphrase does not protect you from other users on the same network). If you absolutely must, use a VPN and only TLS-protected services, and use encrypted chat channels and mail clients for communication.
  5. Elevated monitoring of Industrial Control System processes and infrastructure for anomalous behaviour.
  6. Read security bulletins for the latest vulnerabilities affecting devices and software in your environment that might be exploited, and take the necessary measures to patch them based on a risk-based prioritisation schedule.
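As a concrete illustration of item 1, tuning controls to indicators of DDoS traffic, here is an added example that is not part of the original post or of any tool it cites. It reads web server access logs in the Apache/Nginx Common Log Format (an assumption about your environment) and applies two sliding-window indicators: a single source exceeding a per-IP request rate, and aggregate traffic exceeding a global rate while no single source trips the per-IP rule, which is the distributed flood a plain per-IP rate limiter misses. The traffic is constructed inline (RFC 5737 documentation addresses), and the thresholds and window size are assumptions to be tuned against your own baseline.

```python
"""Sliding-window DDoS indicators over access-log lines.

Added example, not from the original blog post. Assumes Common Log Format
and log lines ordered by timestamp (as a web server writes them).
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m.group("ip"),
            "ts": datetime.strptime(m.group("ts"), TS_FMT),
            "req": m.group("req"),
            "status": int(m.group("status"))}


def _trim(q, now, window):
    """Drop timestamps older than `window` from the left of a deque."""
    while q and now - q[0] > window:
        q.popleft()


def detect_floods(lines, window=timedelta(seconds=10), per_ip_limit=30, global_limit=200):
    """Return alerts as (kind, ip, count_in_window, iso_timestamp).

    kind is 'single_source' (one IP over per_ip_limit), 'distributed'
    (aggregate over global_limit with every IP under per_ip_limit) or
    'aggregate' (aggregate over global_limit driven by a heavy source).
    Each IP and the global rule alert once; thresholds are assumptions.
    """
    per_ip = defaultdict(deque)
    all_ts = deque()
    alerted_ips = set()
    global_alerted = False
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; count these separately in production
        ip, ts = rec["ip"], rec["ts"]
        q = per_ip[ip]
        q.append(ts)
        _trim(q, ts, window)
        all_ts.append(ts)
        _trim(all_ts, ts, window)
        if len(q) > per_ip_limit and ip not in alerted_ips:
            alerted_ips.add(ip)
            alerts.append(("single_source", ip, len(q), ts.isoformat()))
        if len(all_ts) > global_limit and not global_alerted:
            global_alerted = True
            for other in per_ip.values():   # bring every source up to date
                _trim(other, ts, window)
            top_n = max(len(dq) for dq in per_ip.values())
            kind = "distributed" if top_n <= per_ip_limit else "aggregate"
            alerts.append((kind, "*", len(all_ts), ts.isoformat()))
    return alerts


def _line(ip, ts, path="/"):
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512'


def build_sample():
    """Constructed traffic: 5 background visitors at 1 req/s for 120 s, a
    single-source burst of 10 req/s for 6 s, then 60 sources at 4 req/s for
    6 s (each stays under the per-IP limit, but together they exceed the
    global one)."""
    t0 = datetime(2018, 4, 6, 12, 0, 0, tzinfo=timezone.utc)
    events = []
    for s in range(120):
        for i in range(1, 6):
            events.append((t0 + timedelta(seconds=s), f"10.0.0.{i}"))
    for s in range(30, 36):
        events += [(t0 + timedelta(seconds=s), "203.0.113.7")] * 10
    for s in range(80, 86):
        for i in range(1, 61):
            events += [(t0 + timedelta(seconds=s), f"198.51.100.{i}")] * 4
    events.sort()
    return [_line(ip, ts) for ts, ip in events]


if __name__ == "__main__":
    for alert in detect_floods(build_sample()):
        print(alert)
```

Run against a real log with `detect_floods(open("access.log"))`. The per-IP rule is what a rate limiter or WAF enforces; the aggregate rule is the one that should page a human and trigger the DDoS response plan, because there is no single address to block.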

 

References

  1. https://www.nbcnews.com/storyline/hacking-in-america/timeline-ten-years-russian-cyber-attacks-other-nations-n697111
  2. http://blog.talosintelligence.com/2018/02/olympic-destroyer.html
  3. https://zeltser.com/ddos-incident-cheat-sheet/