In the wake of Russia’s invasion of Ukraine, governments from around the world imposed economic sanctions against Russia. Following this, it became apparent that private organisations needed to take action, leading to many companies boycotting Russia by closing down their local premises, evacuating employees and refusing to trade in the country. Although the focus of this article is on sanctions against Russia, it is equally applicable to related sanctions against Russia’s close ally Belarus.
The need to boycott Russia was driven by pragmatism as well as ethics. Organisations needed to be seen to be doing something more than just sending “thoughts and prayers”, and any company seen to continue trading in, or with, Russia faced significant reputational damage. However, in the rush to boycott Russia, and to be seen to be doing so, there is a significant risk that organisations have left themselves vulnerable to attack by improperly shutting down their regional assets.
“Multinational organisations faced multiple challenges when they moved out of Russia, from evacuating their personnel to vacating their buildings,” says Ran Nahmias, co-founder and chief business officer of Cyberpion, a specialist in attack surface management.
“They also needed to shut down their local IT operation, switching off digital assets and severing digital supply chain connections. This requires attention and a detailed action plan.”
To understand the scale of the problem, Cyberpion conducted research earlier this year, showing that the size of the external attack surface is often exponentially larger than the internal enterprise environment.
The report demonstrated the level of risk involved: 60% of Fortune 500 companies had a known vulnerability that threat actors could exploit to access sensitive employee or customer data. Of these, a significant proportion had already been abused. The rapid departure from Russia has only exacerbated the issue.
“We checked the Fortune Global 1,000, and 60% still had active connections to Russian-based infrastructures,” says Nahmias.
One of the key issues for both private companies and government organisations is that they have become massively distributed entities. Some of the larger multinational organisations will often have multiple cloud platforms and multiple online domains, as well as regionalised assets for the various theatres they are operating in.
The distributed nature of online infrastructure means that organisations have essentially abandoned digital assets within Russian borders, which can pose significant risk to organisations if these assets have not been properly shut down.
“Domain name system [DNS] is at the foundation of internet interactions and often overlooked by security teams,” says Nahmias. “Like plumbing, security teams take DNS for granted, at least until something breaks or gets hijacked – then it becomes a huge security issue.”
Rather than decommissioning or deleting these regional assets, they have often simply been rendered dormant. The assumption is that, eventually, the situation will cool down and that trading with Russia will become viable again. Therefore, planning to reactivate existing regional assets, rather than creating them afresh, makes economic sense.
However, in the disruption caused by their rapid exit from the country, there is the question of whether companies were able to adequately shut down and secure all their localised digital assets.
The dangers posed by these abandoned assets are multifarious. Local digital assets can be usurped and used for malicious purposes, such as identity theft and credit card fraud. Not only does this leave organisations open to significant fines for breaches of data protection laws, there is the associated reputational harm caused by these incidents.
“The risk depends what the connection is pointing to and what authentication or security measures have been put in place,” says Nahmias. “Security teams tend to be more lenient about connections to internal resources than they are about connections to external ones.”
The distributed nature of modern enterprise means that networks are no longer spiders’ webs, but a complex mesh. While this is a far more robust form of network connectivity, there are also far more connections that need to be managed. As such, there is a risk of network connections from abandoned assets still being active, essentially permitting access to the rest of the corporate network. In many ways, this is a far greater risk to the organisation, as malicious actors could obtain confidential information through these unsecured connections.
“Enterprises operate many domains – in some cases, even millions – so monitoring them manually is simply not an option,” says Nahmias. “There’s a lot of complexity involved – it’s DNS spaghetti. While we believe that most companies attempted to wipe their Russian IT connections clean, in most cases they have failed to do so.”
There is also a danger that abandoned regional assets could be accessed and compromised in anticipation of their eventual reactivation. A compromised asset would essentially act as a backdoor, enabling malicious actors to bypass network security and deploy malicious software within the corporate network once it is reconnected. These tactics could be employed by local criminals as well as by nation-state-sponsored hackers.
“If a US-based consumer global brand exited Russia and closed their Russian site, but hadn’t done it properly, a malicious actor could revive it and potentially abuse innocent customers, harming the reputation of the global brand,” says Nahmias.
What needs to be done?
Organisations need to ensure that all their abandoned local assets have been rendered completely dormant and that they continue to retain rights of ownership for their digital domains.
Likewise, organisations need to review the connections between these abandoned local assets and the wider corporate network to ensure they have been properly tied off, either by removing these connections altogether or by sending the connections to a landing page that leads nowhere. However, the number of connections that are now out there is such that this is no longer manageable by conventional means.
“If you have a million domains or IDs, or 100,000 PCs, it’s not a human job anymore. AI [artificial intelligence] will have to come in,” says Nahmias. “Someone needs to provide a way of understanding when something breaks. The time to detect and respond is going to be the key to success.”
From a wider perspective, especially for multinational organisations with a massively distributed network, this situation has demonstrated the need for a single oversight role. Rather than a series of network managers and their teams each focusing on their specialist area with limited coordination between them, the events of recent months have highlighted the need for one role that can coordinate and control all of the digital infrastructure.
“PKI, cloud, DNS and web are typically managed by different teams that sometimes connect only at the CIO level. That means there are four people in an organisation examining the Russia relationship, and then collaborating the results,” says Nahmias.
Some may wonder whether, with organisations abandoning regional assets and reducing the number of regions they operate in, centralised network models will become predominant again. While this would minimise the threat surface, it would not negate the risk completely, and organisations would be unable to reap the benefits of a robust distributed hybrid network. Therefore, instead of minimising the attack surface, organisations will need to focus on securing connections.
“I don’t think that closing it down is the way to address the issue,” says Nahmias. “You might have a smaller attack surface, but it’s still there. You might as well look at preventing the malicious actors from abusing the attack surface, small or large.”
Rather than destroying their assets when boycotting Russia and Belarus, organisations have taken the long view and have instead decommissioned them. When the situation has de-escalated, if organisations are willing to resume trading, they will want to reactivate their previously abandoned assets to enable a swift return to the market.
“The relationship between DNS and security is something that we see evolving in a lot of areas of companies today,” says Nahmias. “I would like to believe that most companies have done some sort of best effort, but I don’t think that they’ll all necessarily be able to devote all their attention to the potential risks. Some of the risk is immediate and present, but there is another big piece that is a Pandora’s box in Russia, that one day will open.”
A suitable review of an organisation’s abandoned domains will highlight any potential vulnerability in its network security posture. For example, this could be an automated process that flags any discrepancies, together with their associated network connections, for human review. The situation has also highlighted the need for a network oversight role, rather than relying on collaboration between a series of specialist network teams, to ensure that the overarching corporate goals are being met.
“Security will have to be identifying the anomalies in a much broader spectrum,” concludes Nahmias. “Security will have to evolve to accept some risk and identify breaches when they happen to minimise the effect.”