CYBER

Cyber war: three scenarios for the Russia/Ukraine conflict

As the war in Eastern Europe rages, a top cybersecurity expert outlines the threats, potential losses, and even cyber disasters, that are keeping insurance professionals awake at night.

Russia’s invasion has started a new war in Europe—a war in which cyber attacks and cyber activity are deeply entwined, according to William Altman, CyberCube’s principal cybersecurity consultant.

Limited cyber activity has been seen in the Ukraine/Russia conflict so far, but Altman told Intelligentinsurer.com that, based on the data CyberCube has already seen, the firm has concluded the situation could escalate rapidly, with the possibility of a “cyber disaster”.

“We think several levels of escalation are needed to get there,” he cautioned, “but where we are today is a very precarious situation. We think it represents a shift in the cyber threat landscape and the risk quantification landscape.

“Re/insurers across the board find themselves navigating this very different threat level,” Altman said.

Three cyber war scenarios

The cyber risk analytics firm has identified three potential directions this conflict could take that would affect the books of business of brokers, risk carriers and reinsurers.

First, CyberCube believes, there will be retaliatory cyber attacks against companies and government agencies in countries that have provided material support to Ukraine.

Altman highlighted a list of countries published by the Russian government on March 7, 2022, that Russia believes have taken “unfriendly action” against it in this conflict.

“Entities in those countries are at the highest risk for these large targeted losses that we believe will come in the retaliatory stage,” he said. “There’s a number of industries and critical infrastructure that we think are at higher risk.” This could include mobile networks, internet service providers, oil rigs or shipping.

“That’s one potential avenue. It’s probably the most likely outcome for losses in the near future.”

Second, there is the potential for an indiscriminate attack using ‘wiper’ or self-replicating malware. Altman said this would be similar to an attack in 2017, also staged by Russia, known as NotPetya.

“It was one of the most devastating cyber attacks in history, and we know that folks out there are worried about this potential attack occurring again,” he added.

Self-propagating malware that can jump borders and become a global attack is viewed as the threat causing the insurance community the most fear, he added.

“We’ve been observing the different types of malware we’ve seen in this conflict to date and at least one piece of malware, known as HermeticWiper, when paired with another piece of malware, called HermeticWizard, has the self-propagating capabilities we saw with NotPetya. It’s able to spread on certain protocols and certain ports that connect different local networks together and that’s very worrying.”

This kind of attack could result in high levels of losses again, indiscriminately across industries, he added. CyberCube has encouraged insurance companies to talk to their insureds about how specifically to prevent this type of attack.

“That involves looking at everything from your unfiltered business-to-business virtual private network (VPN)-type connections, any remote desktop protocol connections, any server message block connections—anything that can allow computers to talk to one another, and especially local networks to talk to one another, needs some added security and surveillance today.

“Companies could even potentially close those types of connectivity solutions for the time being, so they’re not at risk of having self-propagating malware spread through those specific protocols.”
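The audit Altman describes, finding which SMB and RDP connections cross from one local network into another (including over a partner VPN), can be run over ordinary firewall or flow logs. The script below is an added illustration, not code from the article or from CyberCube; the log format, segment names and addresses are constructed for the example.

```python
import ipaddress
from collections import Counter

# Lateral-movement paths the article names: SMB (445, plus NetBIOS 139) and RDP (3389)
WATCHED_PORTS = {445: "SMB", 139: "SMB", 3389: "RDP"}

# Constructed network segments for illustration; a real audit would load these
# from the organisation's own address plan.
SEGMENTS = {
    "hq-lan": ipaddress.ip_network("10.10.0.0/16"),
    "branch-lan": ipaddress.ip_network("10.20.0.0/16"),
    "partner-vpn": ipaddress.ip_network("172.16.50.0/24"),  # B2B VPN range
}

def segment_of(ip):
    """Return the segment name an address belongs to, or None if unknown/external."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None

def parse_flow(line):
    """Parse one constructed flow record: '<ts> <src>:<port> -> <dst>:<port> <proto>'."""
    ts, src, _, dst, proto = line.split()
    src_ip, _ = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": ts, "src": src_ip, "dst": dst_ip, "dport": int(dst_port), "proto": proto}

def cross_segment_findings(lines):
    """Flag SMB/RDP flows whose source and destination sit in different segments."""
    findings = []
    for line in lines:
        f = parse_flow(line)
        if f["proto"] != "tcp" or f["dport"] not in WATCHED_PORTS:
            continue
        src_seg, dst_seg = segment_of(f["src"]), segment_of(f["dst"])
        if src_seg and dst_seg and src_seg != dst_seg:
            findings.append((WATCHED_PORTS[f["dport"]], src_seg, dst_seg, f["src"], f["dst"]))
    return findings

def summarize(findings):
    """Count flagged flows per (service, source segment, destination segment) path."""
    return Counter((svc, s, d) for svc, s, d, _, _ in findings)

SAMPLE_FLOWS = [  # constructed records
    "2022-03-08T10:00:01Z 10.10.4.12:51000 -> 10.10.4.20:445 tcp",    # same segment: ignored
    "2022-03-08T10:00:02Z 10.10.4.12:51001 -> 10.20.7.9:445 tcp",     # HQ -> branch SMB: flagged
    "2022-03-08T10:00:03Z 172.16.50.8:40200 -> 10.10.4.15:3389 tcp",  # partner VPN -> HQ RDP: flagged
    "2022-03-08T10:00:04Z 10.20.7.9:40300 -> 10.10.4.15:443 tcp",     # HTTPS: ignored
    "2022-03-08T10:00:05Z 10.10.4.12:137 -> 10.10.4.255:137 udp",     # UDP broadcast: ignored
]

if __name__ == "__main__":
    for path, count in summarize(cross_segment_findings(SAMPLE_FLOWS)).items():
        print(f"{path[0]} {path[1]} -> {path[2]}: {count} flow(s)")
```

Each flagged path is a candidate for the filtering, monitoring or temporary closure the quote recommends.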

However, Altman emphasised, several levels of escalation would be needed before the conflict reaches this stage.

Third, CyberCube believes there is potential for a cyber disaster, although Altman was keen to emphasise that “this is probably the least likely scenario”.


A wiper malware threat would, again, come under this class of attack. But Altman warned that in a cyber disaster scenario, the Russian “targeting matrix” should be considered carefully. This means thinking about what variables cyber attackers look at when they decide which targets to hit next. This is especially relevant to targets outside Ukraine or the surrounding Commonwealth of Independent States countries, which include Azerbaijan, Georgia and Moldova, he added.

“Essentially we’re looking at physical cyber attacks that would result in large scale losses and large scale damage, and devastate the targets to the point where they may actually back out of the conflict.

“We could see attacks on critical infrastructure such as mobile network operators and internet service providers, and potentially energy-based attacks against offshore oil rigs, pipelines, electric utilities, etc. We may also see some attacks against shipping and logistics companies, airlines and more.”

Initially these attacks would be used to validate Russia’s cyber capability, to signal to the world that they have the capability to conduct these attacks and that they’re not to be messed with, Altman explained.

It will be only after several levels of escalation that one of these attacks could be conducted by these threat actors, he added.

“It’s also worth noting that in the past we’ve often said that true cyber disasters that result in massive amounts of loss for hundreds or thousands of companies are extremely rare, long-tail events.”

When looking at the frequency of such events, one of the threat inputs is the “threat actor”. For a cyber attack like this to happen, the threat actor has to be highly motivated, exhibit the intent to conduct the attack, and have the necessary resources and skills to carry it out.

“Historically there hasn’t been a threat actor around to satisfy all those boxes, until today,” Altman explained. “We have Russian state-sponsored threat actors, namely from the FSB, the GRU, and the SVR—intelligence and military apparatuses that control cyber operations.

“They are the ones that are capable of pulling off the types of kill chains—the stages of a cyber attack—that are needed to elicit a cyber disaster.”

The possibility of one of these disasters has never been higher, he said. “Nevertheless we don’t want to succumb to hyperbole and say that this is extremely likely. We just know that there has never been a better time than now to pressure-test your books for these exact events.”

CyberCube has encouraged its clients and partners to pressure-test their re/insurance books of business against all three scenarios because it believes the potential for cyber escalation in the Russia/Ukraine conflict is high.


The new threat landscape

The threat landscape has shifted away from a symmetrical model in which there is one defender and one threat actor, Altman said.

“CyberCube is tracking more than 33 threat actors that are involved in this conflict, on behalf of either Russia or Ukraine, so this is a very different threat landscape from the one we faced even a month ago.”

The Conti ransomware gang, which Altman called “possibly the most successful ransomware gang in history”, has formally pledged its allegiance to and support for the Russian government. Attacks from such threat actors are more likely in this phase of the conflict, while Russia is still looking for plausible deniability so that the attacks cannot be attributed to it and potentially constitute an act of war, he said.

He urged all entities across the insurance ecosystem to recognise that some of their assumptions prior to this conflict may not still hold. “When we say pressure-test your books of business, we’re saying ‘let’s come up with the loss number for these potential scenarios and let’s look at some of the assumptions you’ve made that you thought kept you safe in the past and see if they still hold true today’.

“To entities that decide not to pressure-test their books of business, I would say they’re playing with fire at this point,” he concluded.

To view the full interview visit: intelligentinsurer.com
