As the war shows no signs of ending and cyber-activity by states and criminal groups remains high, conversations around the cyber-resilience of critical infrastructure have never been more vital.
A number of security practitioners, policymakers, law enforcement professionals and other experts from various countries gathered in Warsaw, Poland, on May 10th, 2023, to discuss how the public and private sectors are dealing with heightened cybersecurity risks following Russia’s invasion of Ukraine last year.
Ahead of the event, called ESET European Cybersecurity Day (EECD), we sat down with ESET Principal Threat Intelligence Researcher Robert Lipovsky to talk about security challenges facing critical infrastructure systems in particular and what ESET does to help protect essential systems and services all over the world.
Q: In the past few years, but mainly since the beginning of the war in Ukraine, we’ve seen different countries working on new legislation to step up their cyber-defense capabilities. What’s really at stake here?
A: Indeed, I believe both public and private organizations are taking cyber-risks more seriously and they feel the need to address this. But while most organizations need to secure their perimeter, endpoints, network, all these typical “things”, governments and private companies managing critical infrastructure have different responsibilities. An attack on critical infrastructure can bring down a power grid, compromise the normal work of hospitals, or impact the financial sector or the security of our transportation systems.
With critical infrastructure, the stakes are higher – both from the perspective of institutions and from that of ESET. That’s why the responsibility for protecting them is higher, not just for a specific government organization, but also for ESET.
Q: In this context, how do you perceive the readiness of governments to collaborate with the private sector and companies such as ESET to deal with these threats?
A: From what I can see, the situation has been improving in the past couple of years, and those responsible for cybersecurity in those organizations are taking things more seriously. The situation in Ukraine has also been a catalyst in private-public collaborations; they can see what the possible consequences of a cyberattack are, and, at the same time, Ukraine has also demonstrated how cybersecurity and defense can be done right. So, a lot of those attacks have been stopped – and a lot of those attacks could have gone much worse if it hadn’t been for the concerted effort of cybersecurity vendors like ESET, the country’s defenders, the SOC personnel and the CERTs.
This trend is also visible on a global scale. On one hand, there has been an increase in cyber threats, and, on the other hand, ESET has also been doing important work raising awareness of risks through our research and threat intelligence. But cybersecurity is always an ongoing journey, not just a one-time tick-all-the-boxes activity, thinking “okay, I’m done, I’ve secured my organization”. It is a continuous effort: it’s the software, the threat intelligence, the education of employees… There is always room for improvement, just as with private organizations.
Q: ESET is responsible for the cybersecurity of organizations all over the world. How does ESET manage the sensitive information it collects to provide threat intelligence?
A: We compile a lot of threat intelligence that we don’t publish; instead, we disclose the relevant information in our private Threat Intelligence Reports. While they don’t contain confidential information that would compromise the victim, they provide additional technical information and details on top of what was made available to the public.
But some information might become public, and certain details might only be communicated to the local CERT. It is common, for example, for Ukraine’s CERT to disclose some of this information, subsequently making it possible for us to publish our research. But if there is a blackout, the public understands that there has been some kind of incident and information about the attack enters the public domain regardless, so the option of not disclosing can’t be considered.
There are also several legal requirements that our clients need to account for, so it is also up to them to decide what information can be disclosed and how.
Q: You mentioned private organizations. One of the challenges is that critical infrastructure of all types depends on networks of SMBs and other smaller organizations to supply their needs. Has ESET detected these kinds of attacks?
A: A lot of the resilience work indeed depends on the capacity and skill of dedicated staff and the budget for cybersecurity defense, so large organizations are more likely to have security operations centers (SOCs) and can ingest threat intelligence provided by various providers, such as us. Smaller organizations have fewer resources and thus rely more on managed service providers (MSPs).
But APT groups don’t simply attack a power plant or a pipeline. What we see is that state-sponsored APT groups also target smaller companies in the supply chain if they know that this will spill over to their main target at the end of the chain. So, protecting critical infrastructure is a complex matter. It is not just about protecting the organization itself but keeping in mind that several suppliers can also be compromised. ESET has been detecting an increasing number of supply-chain attacks, mostly in Asia. This is a trend we warned about already in 2017, when the NotPetya faux ransomware spread via the same attack scheme, causing the most destructive cyber incident in recorded history.
Q: ESET has recently published its first public APT report. How different is this report from the private ones?
A: We published our first public APT Activity Report in November 2022, and the reason we did so is that there are just so many attacks going on that we believe it is worth raising public awareness of such threats. But these offer just a fraction of the cybersecurity intelligence provided in our private APT reports, giving more of an overview of what we see happening in the wild.
The private reports contain in-depth information on the attacks and are compiled to provide actionable threat intelligence. They serve a double function: informing our clients of the current threats, detailing specific APT groups’ activities, and also providing indicators of compromise, mapping attacker TTPs to MITRE ATT&CK tables, or other bits of data. This information can then be used by organizations to hunt for known and identified threats in their systems, so that they can detect and respond to them.
Q: How does ESET attribute an attack to a specific group?
A: We are clustering APTs according to different nation-states, and we do this in two steps. Based on the technical findings of our research, we try to attribute attacks to a specific APT group, such as the notorious “Sandworm” APT. This is followed by a geopolitical attribution, based on information from intelligence agencies of various countries – the USA, the UK, Ukraine, or the Netherlands. Once we match the technical and geopolitical attributions, we can conclude with some degree of confidence that an attack has been perpetrated by, for example, Sandworm – a unit of the Russian military intelligence agency GRU.
Q: These synergies between public and private sectors come as a much-needed reaction to the growing number of cyberthreats you see daily. How does this flow of information between ESET and government institutions work?
A: I would highlight the relationships we have been keeping with several CERTs that, essentially, work as hubs to ensure that information gets where it is supposed to go, and in an efficient way. These are relationships that have been built up over the years. I’d even say that the whole cybersecurity industry is built on trust, and it is trust that has been the driving force in maintaining these collaborations.
And while our primary responsibility is to protect our clients, when we collaborate with CERTs, we are also expanding that responsibility by helping other organizations that are not our users. And cases like that have happened on numerous occasions. For example, a CERT in charge of investigating a cyber-intrusion might contact us for support. From the opposite perspective, we might initiate the contact if we see an ongoing attack, even if we haven’t had any previously established contact with the targeted company.
Apart from CERTs, we have long established other partnerships around the world and, most recently, we’ve become Trusted Partners of the Cybersecurity and Infrastructure Security Agency (CISA) through the Joint Cyber Defense Collaborative, which plays an important role in defending US critical infrastructure. We are always open to similar collaborations and initiatives that make cyberspace safer and more secure for everyone.
Q: Research has been at the core of ESET’s work since its foundation; how does it help improve our technology?
A: We are very research oriented; it is in our DNA to go in-depth. It is the information that we train our models with that makes the difference. Our position as a dominant industry player in many European countries gives us a very good advantage in detecting cyberthreats. The observed information is then fed back into our systems to improve our capabilities or used as a basis for development of new detection layers, helping us identify future attacks and train our detection models.
It is not about mass processing attacks but about getting to know what the attacks are about and understanding how the attackers evolve. We can then leverage that knowledge and offer our customers and subscribers high-quality threat intelligence services that enhance their cybersecurity protection.
And along with this, we also publish our research on WeLiveSecurity and @ESETresearch on Twitter. The content there tends to be focused on a specific campaign or a singular piece of malware. And apart from the ESET APT Activity Reports, we also publish regular ESET Threat Reports that are a great way of compiling different kinds of threats we see in each period.
Q: One of the difficulties with cyberthreats is that they are often invisible, even more so if working cyber-defenses mitigate all visible consequences. How do we raise awareness of the need for this continuous work you talk about?
A: A good example of this is the whole industry commenting recently on the development of the cyberwar in Ukraine. It is true that the attackers haven’t proven as resourceful as people expected, and they’ve made mistakes on numerous occasions, but real damage has been caused. There have been several cyberattacks that cannot be dismissed or underestimated. At the same time, the reason there wasn’t a more severe impact is the resilience of Ukraine’s cyber-defenders and the fact that both ESET and other partners in the industry have been providing them with threat intelligence and other forms of assistance. Moreover, we have to remember that Ukraine has been the target of heavy cyberattacks at least since 2013, so they have been building their capabilities and resilience over the years, which brings me back to my initial point: cybersecurity is a continuous effort, and Ukraine is currently leading the way in that field, inspiring other countries.
Thank you, Robert, for taking the time to answer my questions.