Johannesburg - Is it possible for South Africa to be caught up in the war between Russia and Ukraine?
Cyber experts sent out a warning this week.
While the cybercrime focus appears to be predominantly between Russian and Ukrainian cybercrime groups and governments, experts fear it could quickly spread elsewhere.
“What we are seeing is that a few of these cybercrime groups are either taking sides or imploding amongst themselves due to their Eastern European links with one another,” said Martin Potgieter, Nclose’s co-founder and technical director.
“Something else we have noticed is a strain of malware termed ‘wiperware’, which is an evolution of ransomware that is used to permanently destroy data – but again, the main targets are between Ukraine and Russian points of interest.”
However, should South Africa’s relations with Russia or Ukraine change, it could be caught in the cyber crossfire.
A few months ago, South Africa took the decision to abstain in a UN vote on the war in Ukraine. Should that change, however, it could signal problems for South Africa.
“Using our vote to abstain sort of leaves us in a grey area where political ramifications are more important than cybersecurity fallouts. If we give either country any reason or inclination that catches us in a crossfire or their crosshairs, there’s not much we can do about it other than be reactive if it ever happens.”
Since the tension between Russia and Ukraine began, there has been a marked increase in cyber warfare activity between the countries.
Recently, cyber security firm ESET discovered new destructive malware circulating in Ukraine, as neighbouring Russia invaded the eastern European country.
ESET’s telemetry data showed the malware was installed on hundreds of machines in the country. According to ESET, this followed some distributed denial-of-service (DDoS) attacks against several Ukrainian websites earlier.
Meta, Facebook’s parent company, said recently that attackers are increasingly targeting officials in the Ukrainian military, as well as politicians and media, to spread disinformation.
Several hours before the launch of missiles or movement of tanks on 24 February, Microsoft’s Threat Intelligence Centre detected a new round of offensive and destructive cyber attacks directed against Ukraine’s digital infrastructure.
Ukraine has also taken the war to Russia via cyberspace by establishing its “IT Army” to hack Russian organisations and their allies.
The IT Army has over 266 000 members, while hacker groups such as Anonymous have also declared cyber war against the invading Russia.
“It’s not out of the realm of possibility that the cyber weapons used in this war could be used elsewhere,” said Potgieter.
“You can’t rule out that these cyber weapons are leaked or deployed by other individuals or groups for their own gain external from the war.”
Potgieter added that should SA be caught in the crossfire, it could potentially be very dangerous for the country.
“The more traditional forms of attack will probably still be the forefront of focus for now unless something drastic changes in the near future.”
New forms of cybercrime have also emerged in the form of wiperware.
“The wiperware strain is something that deletes data, so it would be difficult to monetise or there could be more to it than meets the eye – but only time will tell. Wiperware is not something new, but something new could be formed or derived from it.”
Potgieter has urged government departments, businesses and organisations in South Africa to ensure that their cyber security is up to date to deal with any potential future threats that could arise.
“This is an industry that can change overnight, and we must adapt the same way the cyber criminals do. We are closely tracking the situation on behalf of our clients and continuing to apply best practice security procedures such as patching vulnerabilities, making sure backups are resilient, testing our IR processes, locking down networks and systems, and enforcing strong authentication.”
“Organisations must continue with best cyber security practices. Anyone could be at risk for any number of reasons, there’s no real industry that can be narrowed down as most at risk.”
Potgieter said we are already seeing the effects with our fuel price increase and global markets in general.
“From a purely cybersecurity perspective, there’s no reason why something could or could not happen, you don’t have to be physically present in a country in order to compromise its systems as we have seen in this war.”
Anna Collard, SVP of content strategy and evangelist at information security company KnowBe4 Africa, says even though state-sponsored cyber attacks against South African organisations traditionally ranked as very low priority, Russia’s past cyber attacks against Ukraine caused international consequences with severe collateral damage.
“The current malicious cyber activity in Russian president Vladimir Putin’s war could impact through disruption or uncontained malware that spills over to organisations and countries that are not directly involved, but who may be vulnerable to the exploits used by the aggressors,” she says.
“Furthermore, Putin’s threats to retaliate against imposed sanctions should be taken seriously. Officials in both the US and Europe are warning businesses to be alert to suspicious activity from Russia on their networks and prioritise cyber security.”
Collard has urged South Africans to be cautious.
“When nation-states attack each other in cyberspace they use quite a bit of sophisticated malware. Typically malware exploits software vulnerabilities which can be found not just in the target country but amongst any organisations.
“When that malware leaks it can cause collateral damages, in some cases quite severe ones like in the case of the NotPetya attack in 2017, where a Russian attack against the Ukraine affected many international organizations, such as logistics company Maersk.
“So while South Africa wouldn't be directly affected by the crossfire it may fall victim to accidental malware outbreaks.”