The concept of cyber warfare is not new, but under the cover of the war in Ukraine attacks are increasing and the stakes are getting higher for both telecoms and the wider world, argued Eric Hart, Manager of Subscription Services at LogRhythm in an interview with Telecoms.com.
Has there been a rise in the amount of cyber warfare activity since the invasion of Ukraine?
Cyber war activity increased even a little bit before the actual invasion took place. We’ve been seeing elevations overall, cyber attacks becoming more of a normal. Attackers can now use ransomware as a service, denial of service as a service… mature hacking tools have never been more readily available and accessible. So I think there are multiple factors at play. But the invasion of Ukraine has also seen an uptick – since the event took place, [there has been] more direct invisible espionage or hacking taking place.
Specifically, who is perpetrating it and where is it being targeted?
There are quite a few major players, Russia being one of the primaries, but China has also been very heavy and known in the hacking of telco providers probably since 2016, as far as being persistent and consistent and running in that area specifically against that type of industry. So the elevation really has been focussed on the telco providers in Ukraine, most recently going after consumer level routers and being able to exploit that vector as a means of being able to cause harm to a telco provider.
In terms of the people literally launching the attacks, they are underground gangs of hackers that are in some ways state sponsored but off the grid?
It’s a mixed state. I think that that’s becoming more of a normal, at least it’s being identified as more of a normal, where a nation state can more easily have that relationship with hacking groups. Some of them can be under the guise of legitimate business executing hacking activities and going through that model, or it’s more underground and it’s more organised crime not under the guise or premise of a legitimate business.
With regards to the legality and recourse of it all, presumably it’s against international law, but where do you go if you’ve had one of these state sponsored cyber groups attack you?
The best guidance I would give, and I can’t speak directly to it from a European perspective, but in the US, for the FBI there are programmes like InfraGard. So you have established channels for reaching out to a government level and your local government agency to be able to report [attacks]. There’s a vetting process to be a part of that network. You get information sharing related to the type of attacks that they’re seeing, so you might get a heads up.
If you are subjected to or you see something going on, you want to say ‘I might need a higher level of help’ because the reality is if the nation state level attacker is putting their assets at your industry or your company, it’s pretty tough for you to be able to stand up because it’s resources versus resources. And if they’re throwing more at you than what your defence programme can manage, they’re likely going to gain a foothold. So that programme is a way that you could reach out and get a formal level of network to help you.
Presumably the groups that are carrying out the attacks are impossible to get hold of, if there was a country backing it, they just deny it?
Typically, it depends on the type of attack that’s being run and what their goals are. There is a professional cybersecurity career as a negotiator for when you’re working through a ransomware scenario. There are folks that are experienced and they may not know specifically the individuals on the other side of a hacking group, but they know some of the members because they’ve had enough correspondence with them to know here’s a group that typically will uphold when they say if I pay X they will provide Y, and then others where they don’t have a reputation.
So even on the criminal side there is maturity – they have help desks, they have internal ticketing systems if something is broken, but from a negotiation standpoint if it were to go there, they might be cognizant that they want to uphold at least a level of trust. So there can be an opportunity, but if the attacker’s motive is simply to deny your services or disrupt your business or to take your information and not hold it for ransom and there’s nothing else that they need from you, that could be a one way exchange.
And are Western governments engaged in cyber attacks against Russia and China?
Formally I don’t think anyone could attest to that. But yeah there are known times when Western government agencies have conducted cyber war in response to specific actions. I think that’s one of the fears of many… [if] nation state cyber weapons were to be let loose, what would be the ramifications and impacts of that?
I know at the point of the Ukraine invasion, I raised up to my business basically saying we might want to make sure that we do have call chains for our personnel, that we might want to make sure that we have means to be able to at least facilitate basic communications. Because we’re a big Microsoft shop, who’s to say if Microsoft was a target point and Azure encountered outages from the cloud perspective, what resources will we not have because they were a target of a nation state objective?
How much worse have attacks towards the telecoms sector got since the invasion?
It’s really when you are not too concerned about being undetected or unseen. With war comes ‘we’re okay with casualties, we’re okay with damages.’ The more that the physical war escalates, the more noticeably destructive the cyber warfare will become. That could be the routers being attacked in your home and they are no longer accessible. You might not have had physical damage to your home or to your city, but you might have inaccessibility to information in a way that we’ve become accustomed to. So that’s a direct impact to people as individuals.
Likewise, telco providers are the backbone of how we work today. So the ramifications and impacts to businesses from a financial standpoint are not easily quantifiable. When it comes to war, we know that money is a main motivator. So I expect us to continue to see that as a main means of one nation exhibiting its force and will on another.
And this has played a large part in the war in Ukraine so far?
It has, and historically there have been attacks against Ukraine that have spilled out to the world. It’s one of those examples of when a nation state levels a cyber weapon against another nation, the impacts aren’t always against just that one nation that they were targeting. We might guide it, we might align it to a specific course, but once you get that cyber weapon out, then it’s going to be accessible for other folks to be able to potentially copy and replicate, shift it and align it to their own benefit. But also some of those weapons are designed to be self-spreading, and so through that virtue, they’re going to spread out into other nations that were not the initial target.
What’s the doomsday scenario for a nation state level cyber attack, the equivalent of a full blown nuclear strike? What could they bring down? How much damage could they do? And how might they get worse in the future?
A doomsday scenario would be one that extends outside of telco and into power utilities – though telecommunications is a utility to us. A doomsday scenario would be power facilities taken offline, made inoperable. They could be physically destroyed; even though it was a cyber weapon, it can cause physical damage to make it so that it’s not just a matter of rebooting some servers to bring them online. We would need engineers for physical repairs, and you combine that with, say, damaging roadways and you might be looking at multiple months without power.
Likewise, on the telecommunications front, think about emergency services, the ability to request an ambulance, the backbone of what we rely on to get help – we’re going to start seeing a lot more of unnecessary and unwarranted harm. Even in the education system… our school systems and how much technology we use in teaching the next generation. It’s a full 360 – not [just the] immediate but the long term effects… that’s the doomsday scenario.
In the future we’re hardly likely to have less things connected to the internet or relying on the power grid – so it’s not hyperbole to say it could bring society to a halt?
Yes, and we’re becoming more connected than ever. We’re now in the realm of having the Low Earth Orbit satellite network systems; high speed internet is becoming more readily available everywhere in the world. There are benefits like the satellite network being able to provide communication services in Ukraine, but it becomes yet another vector, it becomes yet another asset that needs protecting, that needs monitoring, that needs a plan for what we are going to do the day that there is a nation state level actor on that satellite in low earth orbit.
It helps us communicate but they’re on there and they shouldn’t be – what do we do about them? But that’s part of our future, how our cyber risk is evolving. It continues to expand.
Are countries like the US and UK sufficiently defended against a scenario like that, or are we vulnerable?
My personal opinion is we have been in a perpetual state of always trying to catch up. We have always been behind the curve, we’ve never been ahead of the curve, and I personally haven’t seen us actually reach the summit to where we know we’re close enough to being even. It’s technology that’s really helped the defensive side be able to do what we do today. The problem is there’s typically a cost, there’s a barrier… there are so many choices, you make the wrong choice and that could have ramifications and impacts.
But with any good technology, it also needs good people. So that’s the other side of it and it’s rare that you really see both of them exercised to the maximum potential, where you have great people behind it with solid technology. And business politics and cultures and everything else come into play as well. Because at the end of the day a business is a business and they’re making priorities or making decisions.
I remember [working] in health care when WannaCry [hit]. It was a tragedy unfolding in the United Kingdom, and I was able to leverage that as a means of saying, ‘here is the reason why we need to be able to politically be able to take action.’ We’ve been accepting of these risks all the way up until this point, we needed this disaster to show us the emphasis and priority of the work that we need to do to help safeguard ourselves.
Tying it back to Ukraine and today, the more we see cyber war taking place as a part of a modern conflict, again it’s an eye opener, an awakener. So for all of the telco providers and for all companies, it’s causing some good conversations. It’s causing some businesses to align where their budgets should go to when it comes to defending and protecting their assets.