Security professionals obviously are aware of the need to keep up with the latest threats, while concerns about specific geographic regions are usually just a subset of things to keep in mind. However, Russia-based risks should be on security teams’ radar screens, especially those doing business in or with enterprises from this region, said security analysts from IntSights.
The most recent menace is the changing political and legal climate in Russia, which is making the zone even more hostile than it was before, said Charity Wright, a cyberthreat intelligence analyst for IntSights. For example, she noted, new laws recently passed in Russia give the government tighter control and more access to data flowing throughout the country’s infrastructure and within its borders.
Ironically, tighter government control and monitoring mean the bad guys have more freedom to launch attacks outside of Russia’s internet perimeter. “[The Russian government] is censoring, monitoring and managing everything … Greater control of Russian IP space means less accountability to the rest of the world for threats that don’t matter to them—unless it directly negatively affects Russian government or entities, they will turn a blind eye,” said Wright, who gave a talk at the recently held Black Hat security conference in Las Vegas. “My guess is the registrars will become even more unresponsive than they are right now.”
What this means for security practitioners and CISOs, among other things, is that it will be increasingly difficult to remediate Russian threats, she said. It will be harder, for example, to take down Russian phishing websites and suspicious registered domains or to block malware.
Organizations that do business or have infrastructure within Russia’s borders should be forewarned, Wright said. “Any organization doing business in Russia, or that is considering doing business there, obviously needs to evaluate their own resources in Russia and their third parties for risks,” she said. “Besides taking heed of storing local user data in Russia, organizations need to be aware of the government’s access to encrypted communications and the fact that VPNs and anonymizers have become extremely limited and illegal.”
There is also a significant risk involved with Russia creating a “sovereign internet” under a law that was passed just a few months ago. “If you have assets in Russia, will they be cut off from the rest of the world wide web?” Wright said.
For those seeking more awareness of the modus operandi of Russia-based data thieves and other wrongdoers, the Russian dark web is very business-oriented and highly segmented. Threat actors organize themselves in partnerships in which each player provides specific services, said Andrey Yakovlev, a Russian threat intelligence researcher. For example, a threat actor who is proficient in writing password-stealing malware and has a working product will seek advertisers who provide bulletproof hosting and network infrastructure to deploy command-and-control servers. “Later, they will use encryption and obfuscation specialists that will encode their malicious payloads and fuse them with Microsoft Office documents, making them invisible for anti-virus products,” Yakovlev said. “Finally, they will buy mass-spamming services that have established mail server arrays and email databases to distribute the given malicious campaign.
“High modularity and saturation of supply and demand makes the Russian threat one of the most difficult to thwart,” he added.
The best defense—besides always learning more about different threats and continually improving your organization’s security processes—is to continually look for ways to lock down the weakest link: human error and fallibility. “Despite the differences in technical aspects of infiltration vectors, the vast majority of cybersecurity incidents initially begin with human error,” Yakovlev said. “Besides critical zero-day vulnerabilities in the external network, most cybersecurity incidents began with a misconfigured server that had a port open that was not supposed to or a carelessly downloaded file that was granted privileges it was not supposed to get. These things are [avoidable].”