What is the risk of retaliation for taking a corporate stance on Russia?

Will your company’s decision and position on the Russian invasion of Ukraine or their continued presence in the Russian market (or exit from this market) carry with it the prospect of retaliation? The answer, unfortunately, is yes. Decisions, even to decide to do nothing and straddle the fence, carry  consequences. Even if the consequences are wrong-headed, unjust and unwarranted, individuals, governments and organizations will make their own interpretations.

I’ve spoken to the disruption in supply chains, to threading the needle on exiting or not exiting the Russian market due to Russia’s invasion of Ukraine. In addition, the U.S. government’s effort at outreach to ensure companies have the opportunity to digest and implement advisories being issued by CISA has reached a new level of both urgency and frequency.

Supply chains to and from Russia are disrupted by both the sanctions levied upon Russia as well as the decisions of airlines and sea freight companies to exit the Russian market. Some companies have opted to press on, while others have seen their brand banned from Russia and look-alikes pop up (as is the case with both McDonalds and Instagram).

Even within the criminal world there have been divisions. Individual criminals taking one side over another has resulted in internal rifts after hanging the internal laundry in the proverbial front yard.

For example, a Ukrainian researcher began publishing files from Conti, a Russian/East European syndicate of cybercriminals. The internal files from the organization include references to the criminal entity being associated with the Russian security apparatus, a claim previously made by the United States. His rationale? “I cannot shoot anything, but I can fight with a keyboard and mouse.”

While, Jeffrey Carr in his March 22 piece, D-day in Kyiv, discusses his efforts to assist the Main Intelligence Directorate of the Ministry of Defense of Ukraine (GURMO) and the expansion of its capability to leverage open-source intelligence (OSINT). He went on to share how satellite provider ViaSat had been taken down via a cyberattack on the morning of February 24. Hours later, GURMO had begun its counterattack against Russian entities.

This is in line, though apparently unassociated with, previously discussed steps being taken by the Ukraine government to put together a cadre of information technology professionals to conduct offensive operations. Subsequently, the government of Ukraine noted that it now has over 3,000 participants and is targeting cyberattacks against entities in Russia (public and private). In late March, the Ukrainian Ministry of Defense doxed over 600 Russian officers from within the Federal Security Service (FSB) on the Ukrainian MOD website.

Risk of cyber retaliation is real

There should be no doubt that there is a cyber domain to the conflict. More importantly, the potential for being directly affected is real.

Trellix, together with the Center for Strategic and International Studies (CSIS), issued a report that highlighted how companies are outmatched by nation-states. This hypothesis makes sense given businesses are resource-constrained and governments are less so, and the results of their survey evidence such:

• Access to consumer data was the motive for state-backed cyber incidents for 48% of respondents who believe they have been the victims of a state-backed incident.
• Only 33% of organizations reported reaching out to their customers to disclose a cybersecurity incident.
• Forty-six percent of respondents believe the personally identifiable information (PII) they hold from their customers is one of the main factors for which they would be targeted in a future cyberattack.
• Forty-one percent of respondents believe the PII they hold from their employees is one of the main factors for which they would be targeted in a future cyber attack.

No surprise, the key players, are those identified in the most recent ODNI Annual Threat Assessment, Russia, China, Iran and North Korea.

There is no letting up on the war of words.

Russia has taken a page right out of the playbook being used to get the word out on the state of affairs in Ukraine to the general public of Russia with mass SMS and robocalls. In the United States on March 28, Verizon subscribers began receiving SMS messages with embedded links which took the unsuspecting to a Russian media or website. Verizon, responding to The Verge, confirmed it is working to block the spam messages. While in this instance, the recipients were receiving SMS messages ostensibly from themselves, it doesn’t take a rocket scientist to see the point of origin could have spoofed service providers, vendors, or businesses in an effort to discredit or otherwise negatively affect their ability to conduct commerce.

Employees as hacktivists a risk

Then we have the insider to think about. 

I spoke recently with DTEX Systems’ senior vice president of engineering and cyber intelligence, Raj Koo, and the company’s director of security and business intelligence, Armaan Mahbod, on how the Russian invasion has affected the risk quotient to companies from their insiders. The issue is no longer a hypothetical. Indeed, Koo notes, “We’ve seen an uptick where company’s employees are generating a huge amount of risk – in particular when using corporate resources for ‘hacktivism’ from within the corporate network.”

Mahbod adds, “DTEX has seen an uptick by individuals who are unhappy with their employer’s decisions and have acted. For example, doxing their boss for taking a position, which they disagreed.”

CISOs key communicators to explain company decisions

CISOs are in a unique position of being able to communicate directly to the employee base and highlight the risks of external cyberattacks and misuse of company resources in a straightforward manner. Communication and awareness are key. Prudence tells us that explaining to the employee base why an unpopular decision was taken may well reduce the likelihood that an insider who may disagree with the decision will evolve into an insider with a malevolent bent.

On the other side of the coin, as evidenced by the cyberattack against ViaSat, those who are providing goods or services to NATO, European Commission and U.S. governmental entities may also find themselves receiving more than the usual amount of attention by Russian cyber entities. As detailed in the recent CISA Shield Up alerts, companies engaged in infrastructure are firmly within the targeting matrix of Russia.