Pages

5 February 2023

Cyber Insights 2023 | The Geopolitical Effect


Geopolitics describes the effect of geography on politics, and usually refers to the political relationship between nations. That relationship is always mirrored in cyber. The Russia/Ukraine war that started in early 2022 has been mirrored by a major disturbance in cyber – and that disturbance will continue through 2023.

The physical conflict has forced much of the world to take sides. The US, NATO, the EU, and their allies are providing major support – short of troops – to Ukraine. China, Iran, and North Korea are all supporting Russia. The cyber conflict is similar, largely conforming to the George W Bush ‘axis of evil’ (Iran, Iraq, and North Korea, with the popular addition of Russia and China) versus the US, EU, and their allies.

Here we’re going to discuss how the current state of global geopolitics might play out in cyber during 2023.

Background

“Russia may well resort to increased cyber offensive actions as it contends with on-the-ground setbacks in Ukraine,” comments Bob Ackerman, MD and founder of AllegisCyber. This has been considered likely throughout 2022, but as Russian military setbacks have increased toward the end of 2022, so the likelihood of increasingly aggressive Russian cyber activity will rise. Such offensive actions will not simply target Ukraine – they will be aimed at all countries seen to be supporting Ukraine.

“While we haven’t seen those feared attacks materialize yet,” says Christopher Budd, senior manager of threat research at Sophos, “it would be premature to say that those risks have passed. In 2023, so long as the uncertainty of war exists, everyone should plan for the real possibility of unexpected, large-scale cyberattacks.”

Indeed, the mirror between the kinetic and cyberworlds suggests it is inevitable in 2023. Kevin Bocek, VP of security strategy and threat intelligence at Venafi, expects to see Russian cyber activity becoming more ‘feral’. “We’re increasingly seeing its kinetic war tactics becoming more untamed, targeting energy and water infrastructure with missile strikes,” he says. “We expect the same to apply to cyberwarfare.”

He is concerned that Russia’s more feral activity will have the potential to spill over into other nations, “as Russia becomes more daring, trying to win the war by any means, and Russia could look to use the conflict as a distraction as it targets other nations with cyberattacks.”

Malwarebytes believes that large-scale attacks will appear first in Ukraine, but be accompanied by attacks against European allies. “In recent weeks [Oct/Nov 2022] Russia has been launching a barrage of missiles to cripple Ukraine’s electricity infrastructure. We could expect that at some point availability of such weapons will run low and that the Kremlin will want to increase the cyber effort. We may see further successful malware attacks from the Sandworm group as we have seen previously with the blackouts caused by the BlackEnergy malware,” comments Jerome Segura, senior director of threat intelligence at Malwarebytes.

While malware used to destroy or wipe systems is likely to be used against Ukraine,” he adds, “more stealthy malware such as backdoors are likely to hit European allies as attempts to compromise key leaders, gather intelligence and possibly expose or extort via ‘kompromat’.”

In one sense, the Russia/Ukraine conflict has taken the gloves off the lower-level cyberwarfare that has existed for years. You could say that 2023 may well prove to be a new era of bare-knuckle cyberwarfare. “Nation state cyber warfare will become more openly prevalent,” suggests Chris Gray, AVP of security strategy at Deepwatch. “The Russia/Ukraine conflict has taken away much of the ‘cloak and dagger’ aspects of this area and, in doing so, has also broadened the scope of available targets. Financial impact and the ability to increase chaos due to service interruption will increasingly grow over former levels.”

While we concentrate on Russia as the primary current protagonist in offensive cyber, we should not forget that Russian ‘allies’ will take advantage of the situation. “China is likely to expand the full spectrum of its cyber initiatives targeting economic, political, and military objectives,” continues Ackerman. “Bit actors on the global stage may well exploit Great Power conflict and related global distractions to launch targeted regional cyberattacks,” he added. Such as Iran targeting Israel.

Difficulty in attribution will remain

Increased nation-state cyber activity will become more obvious, but not necessarily legally attributable. The major powers will still seek to avoid direct retribution that could escalate into additional kinetic warfare. “The reality with nation-state attacks is you might never know you’ve been hit by one until another country’s intelligence agency actively identifies it,” warns Andrew Barratt, VP at Coalfire. “The attribution of attacks to specific parties is a highly contentious area with a lot of room for error and deniability. What we really need is crossover from friendly military intelligence partners to support a reasonable conclusion.”

SecurityWeek was told years ago by Luis Corrons, now security evangelist at Gen and co-chairman of the board at AMTSO, “The only people who really know what’s going on are the intelligence agencies, who have close knowledge drawn from signals intelligence and covert agents.” Historically, the intelligence agencies have been reluctant to make too many public accusations of attribution for fear that it might expose their sources.

Direct attribution from countries with mature intelligence agencies is likely to increase in 2023 – as will the strident denials coming from the perpetrators – but it will remain difficult. “The rapid expansion of non-state affiliated cyber actors including hobbyists, hacktivists, criminals, privateers, proxies, vigilantes, or cyber response reserve units, is unlike anything ever seen in traditional warfare,” explains Marcus Fowler, CEO of Darktrace Federal. “The surge in ‘vigilante’ approaches to cyber-crime will continue to alter the course of modern warfare in 2023, introducing unprecedented adversaries and allies for nation-states.”

Zero-day stockpiles

What remains largely unknown is the potential capability of unfettered cyberwarfare – all major nations have been stockpiling zero-days for years. “I dare not speak of the unused kinetic powers available to the nation-states,” comments Brian NeuHaus, CTO of Americas at Vectra AI, “but will digress to one which has only, I believe, been partially used. Cyberwarfare is still a real threat from a broader use of known TTPs, tools tactics procedures, and an unknown equity of zero-days just waiting for the right strategic moment to deploy against one’s foes.”

Zero-days are not used lightly, especially by nation-states. Once used, they instantly lose their value. The problem is that we have no knowledge of our adversaries’ zero-day stockpiles, nor their ability to unleash widespread destructive capabilities against critical infrastructure. Their use is likely to be one of desperation – a cyber version of nuclear weapons with the potential to escalate into open kinetic conflict.

We must hope this day never comes, for it is worth remembering Putin’s warning on the use of nuclear weapons: “For the planet, it will be a catastrophe. But for me as a citizen of the Russian Federation and the head of the Russian State, I must ask myself the question. What is the point of a world without Russia?”
Wiperware and other destructive attacks

Our hope must therefore be that no nation-state feels so backed into a corner that it unleashes the full power of stockpiled zero-days against the opponent’s critical infrastructure. That doesn’t mean we can relax – the threat from what we could perhaps describe as conventional cyberweapons remains real and likely to increase through 2023. Wiperware is probably top of the list.

“Russia’s invasion of Ukraine this year revealed the modern digital battlefield. Most notably, we have witnessed an increased use of wiperware, a form of destructive malware against Ukrainian organizations and critical infrastructure,” comments Fleming Shi, CTO at Barracuda. “The frequency has dramatically increased as we saw WhisperGate, CaddyWiper, HermeticWiper, and others hitting the news since the war broke out.”

Unlike the financial motivations and decryption potential of ransomware, wiperware is typically deployed by nation-state actors with the sole intent to damage and destroy an adversary’s systems beyond recovery. “In addition,” he added, in 2023, wiperware emanating from Russia will likely spill over into other countries as geopolitical tensions continue.”

Wiperware can easily be disguised as criminal ransomware with non-functioning decryption, adding deniability to destructive nation-state attacks. There are suspicions that WannaCry was a version of this. “Given the current political climate, Kaspersky experts foresee a record number of disruptive and destructive cyberattacks, affecting both the government sector and key industries,” says Ivan Kwiatkowski, senior security researcher at Kaspersky`s GReAT.

“It is likely that a portion of them will not be easily traceable to cyberattacks and will look like random accidents. The rest will take the form of pseudo-ransomware attacks or hacktivist operations to provide plausible deniability for their real authors,” he added. “High-profile cyberattacks against civilian infrastructure, such as energy grids or public broadcasting, may also become targets, as well as underwater cables and fiber distribution hubs, which are challenging to defend.”

A particular target area for such attacks will likely be ‘dual use’ technologies; that is, those that serve both military and commercial purposes. “Satellite technologies and other advanced communication platforms come under a higher level of focus. Both intellectual property theft and disruption of data delivery to governments and militaries around the world become a stronger focus,” says Kurt Baumgartner, principal security researcher at Kaspersky.

It is noticeable that the cyberattack against Viasat by Russia just prior to the Russian invasion of Ukraine, designed to disrupt Ukrainian military communications, spilled out of the region to also affect some 9,000 European users. Russia seems to have ‘got away with it’ on this occasion, but it effectively remains a nation-state cyberattack against civilians outside of the war zone. We are not aware of any clandestine response from the West, but must wonder if the response would have been different if the spillover had directly affected US users.

John Pescatore, director of emerging security trends at SANS Institute, endorses Baumgartner’s view. “The war in Ukraine will have broader impacts on the commercial sector as operatives on both sides attack dual-use technologies (that is, services used by both the military and civilians) to take down communication and critical infrastructures systems.” He expects to see more attacks in 2023 that will impact business internet connections, communication, and logistics systems.

“Increasing attacks on key dual-use technologies like cell towers, GPS, and commercial satellites – such as Star Link,” he adds, “will damage connectivity and business operations for private sector companies that depend on these technologies, even if they are not directly targeted themselves.”

Beyond Russia

While cyber eyes are trained on Russia, we should remember that it is not the West’s only cyber adversary. China, Iran, and North Korea will all increase their activity through 2023 under cover of the European war. China will likely continue concentrating on espionage rather than destruction – although this may change if the separate geopolitical tensions over Taiwan escalate into kinetic activity.

“China has high priority targets to meet in terms of economic and social development, made more pressing by continuing Covid outbreaks and a zero-tolerance stance on Covid,” warns Mike McLellan, director of intelligence at Secureworks. “Chinese intelligence collection will remain both broad and deep, as the Chinese Communist Party will not accept failure on any of its key focus areas.”

This focus will be on upgrades to its manufacturing base, food stability, housing, energy supply, and natural resources. “Organizations operating in or supplying any of those areas, particularly high­tech industries,” he continues, “are potential targets of Chinese cyberespionage.”

But he adds, “As tensions continue to rise around Taiwan and the South China Sea, and China continues to drive forward with its Belt Road Initiative (BRI), a large proportion of China’s cyber espionage apparatus will be regionally focused targeting governments and critical infrastructure projects, as well as dissidents and other individuals opposed to the Chinese state.”

Iran and North Korea are less concerned with maintaining any semblance of diplomacy with the US and EU. Iran may engage in more destructive cyberattacks, largely in the Middle East but potentially elsewhere. “Iran will exploit the blurring of state-sponsored activity with cybercrime, both against regional adversaries and more broadly,” says McLellan.

The country will make use of offensive cyber operations under the guise of hacktivist and cybercrime personas to harass and intimidate regional adversaries, particularly Israel. This will probably extend beyond the Middle East with Iran merging state and criminal activity. Citing the IRGC-affiliated Cobalt Mirage threat group, McLellan warns, “Iran will exploit this financially motivated activity as a plausible cover for state espionage or disruption operations, which can be dismissed as part of a ‘cybercrime problem’.”

“We’re also seeing North Korea flexing its muscles by flying long range weapons over borders,” adds Venafi’s Bocek. If the mirror between kinetic and cyber activity holds true, we can expect North Korea to become more aggressive in cyber in 2023. Such cyber activity, adds Bocek, “will be replicated by North Korea as it looks to advance its economic and political goals.”

Summary

A particular concern for 2023 and beyond is that the diplomatic seal may now be permanently broken. The Russia/Ukraine war will eventually end – but tensions between the two countries and their allies will continue. Aggressive international cyber activity may never return to pre-war levels. “Nation-states will continue to cause each other digital problems amid the constant fight for power and status on the world stage,” comments Zac Warren, chief security advisor for EMEA at Tanium.

“Nations will come to the table to discuss norms; China, Russia and others will inhibit progress,” warns Mike Hamilton, founder and CISO at Critical Insight. He has two specific predictions for 2023 that might take cyber relations beyond the point of no return. Firstly, he suggests, “Russia will have its infrastructure disrupted as a demonstration of seriousness.” Secondly, he adds, “Operational technologies will be disrupted/wiped, likely in the US water sector.”

If either of these incidents occur and can be reliably attributed to a foreign state, they will not be easily forgiven.

As it is in the kinetic world, so it is in the digital. “For everything in the real world, there is a shadow on the Internet,” says Sam Curry, CSO at Cybereason. “More-and-more, we are going to see the Internet as a primary forum for geopolitical activity. The classic diplomacy, information, military and economic (or ‘DIME’) options are seeing the rise of information options and a resurgence of military options from 2022. Going into 2023, it’s to be hoped that diplomacy and economics rise to the fore, but for that to happen, the world would need to see an amenable-to-all-parties resolution to the Russia-Ukraine War or at least motion in that direction with a meaningful ceasefire; and detente in the South China Sea, which although a secondary area is another potential area of rising concern and clash of superpowers.”

No comments:

Post a Comment