Viasat attack ‘one of the biggest cyber events we’ve seen’ • The Register

RSA Conference The Kremlin-backed cyberattack on satellite communications provider Viasat, which occurred an hour before Russia invaded Ukraine, was “one of the biggest cyber events we’ve seen, maybe ever, and certainly in times of war,” according to Dmitri Alperovitch, a co-founder of CrowdStrike and president of the security-focused think tank Silverado Policy Accelerator.
Alperovitch shared that view during a global threat briefing he gave with Sandra Joyce, executive vice president of Mandiant Intelligence, at the RSA conference on Tuesday.
The two suggested that the main purpose of the attack on Viasat was to disrupt Ukrainian communications during the invasion by remotely wiping the firmware of modems; it also disabled thousands of small-aperture terminals in Ukraine and throughout Europe. The attack therefore cut the satellite connectivity of thousands of people and disabled the remote monitoring of 5,800 wind turbines in Germany.
The Russians are terrible at combined arms.
This attack, along with several other destructive malware infections that wiped data in Ukrainian government and private-sector networks, illustrates a few key cybersecurity points about Russian cyber operations.
“The Russians are horrible at combined arms,” Alperovitch said, noting that this is true for both air and ground military invasions.
“And that’s what we’ve seen in cyber as well,” he added. “Even though they managed to achieve tactical successes on several occasions, including in the case of Viasat, they were unable to capitalize on them to carry out a campaign. The best tactics, even in cyber, cannot compensate for a very, very bad plan.”
However, perhaps the most important lesson learned comes from the Ukrainian security operations teams.
Practice resilience
“One thing the Ukrainians taught us so well — and they certainly had eight years of practice and suffered from Russian cyber operations — is the importance of resilience,” Alperovitch said. “The reality is that a number of these Russian attacks are successful.”
The Russians have had success around the world penetrating networks and launching malware, he added. “However, the Ukrainians are able to rebuild the networks within hours,” Alperovitch said.
Indeed, Ukraine trained for years to fix networks after Russia deployed NotPetya – which erased data from energy companies and banks – and the associated Bad Rabbit malware.
“So it’s really no big deal to see a network wiped out because they’re ready for it,” Alperovitch said. “They have backups out of the box, and they can rebuild them very quickly and very efficiently. And that’s something we don’t practice here.”
In the United States, recovering from a major attack can take several weeks and “be really devastating”, he added. “We need to put a lot more effort into resilience.”
Don’t be afraid of influence operations
Another cyber lesson learned from the Russian invasion is not to be afraid of influence operations, or IO, Mandiant’s Joyce added.
Mandiant tracked many of these disinformation campaigns during the war, including some propagated by a group the threat intelligence shop calls “Secondary Infektion.” Mandiant linked the gang to false allegations, released in March, that Ukrainian President Volodymyr Zelenskyy had died by suicide in a military bunker in Kyiv. Another Secondary Infektion influence operation, which circulated in Ukrainian and Russian, falsely claimed that the Ukrainian and Polish governments were seeking to allow Polish troops to deploy to western Ukraine.
None of the influence operations had much impact on Ukrainian battlefields, Joyce said. Although Russian deepfake technology has become more sophisticated, “the public is also maturing with them,” she said.
Ukraine also provided an on-the-ground view of how to respond to incidents amid falling bombs, blackout conditions and blocked IP addresses.
“It’s stressful enough doing an incident response – let alone doing one during a war,” Joyce said. “The kind of resilience that Ukrainian defenders are showing right now in the cyber domain is incredible. And that’s something that, for our position at Mandiant, supporting those incident responses is something we’ve frankly never seen.” ®