ICAEW.com works better with JavaScript enabled.

Ukraine crisis: the cyber threat from Russia is real

Author: ICAEW Insights

Published: 09 Mar 2022

As politicians and businesses take a public stance against Russia, members should be prepared for some kind of retribution from its cyber agents.

Security consultant Alex Bomberg doesn’t know what comes next. As a commercial intelligence specialist and CEO of consultancy group Intelligent Protection International Limited and International Intelligence Limited, he is used to dealing with cyber security threats. It’s hard to predict what Russian cyber attackers might do at this time. 

He expects a major attack on something central, such as energy supplies, banking systems or other critical infrastructure, aiming to disrupt as many organisations as possible. “It’s certainly quite scary because I don’t know what's next and there are lots of areas this could affect.” 

Organisational resilience will be critical, he says. Leadership teams should be looking at all aspects of their organisations to make sure they are prepared for any eventuality. “People know that fuel prices are going to go up massively, for example. I think we have to prepare for something in the long run.”

Graeme McGowan, Director, Cyber & Security Risk at Optimal Risk, performs penetration-testing activities and wargaming scenarios for businesses to help them prepare for serious cyber threats. Russian hackers have been disrupting businesses for years, and have been particularly active in Ukraine, he explains. It is highly likely that they will turn more attention to the countries and organisations that have taken a public stance against Russia’s actions.

“Whether you’re an SME or a big company, and you’ve got any potential links to Russia, you’re going to be a target. If you’re well versed in what to do, you can probably avoid that. But from bottom up, people need to be aware of the risks.”

Companies often don’t understand what could happen until it has happened, he explains. It can be expensive to repair the damage, and insurance companies will want to see that businesses have taken as many steps as possible to protect their data. The proliferation of remote working needs careful consideration as well. McGowan recommends using a Virtual Private Network (VPN) and firewalls to protect your data and systems remotely.

“When we do wargaming exercises, we’ll take a company into a room and go through a typical scenario where a company might have been hacked. They don’t know what’s happened, but they just had an email from somebody saying: ‘All your client data has been stolen by this group from Russia. They’ve now put it on the deep and dark web, and you’ve lost all your credentials as a company.’ That’s the sort of scenario organisations might face.”

The five highest-threat Russian hacking groups

1) The UAC-0056 threat group (AKA TA471, SaintBear and Lorec53)

The UAC-0056 threat group has been active since at least March 2021 and has attacked government and critical infrastructure organisations in Georgia and Ukraine. 

They tend to gain initial access via the sending of spear phishing email messages that contain either Word documents (with malicious macro or JavaScript codes) or PDF files (with links leading to the download of ZIP archives embedded with malicious LNK files). These are used to install and execute first-stage malware loaders that fetch other malicious payloads.

Their previous cyber attacks demonstrated the use of a spoofing phishing technique to reach their targets. This technique could be used to target various companies in Europe or the United States.

Targeted industries/sectors: government, energy

2) Sandworm Team (Black Energy, BlackEnergy, ELECTRUM, Iron Viking, Quedagh)

Sandworm, TeleBots, TEMP.Noble, or VOODOO BEAR, is a group of Russian hackers that have been behind a major cyber campaign targeting foreign-government leaders and institutions, especially Ukrainian ones, since 2009. 

In February 2022, the United States’ and United Kingdom’s cybersecurity and law enforcement agencies uncovered a novel botnet that has been used by Sandworm since June 2019. The malware, dubbed Cyclops Blink, targets WatchGuard Firebox and other Small Office/Home Office (SOHO) network devices, and grants the threat actors remote access to networks. It is estimated to affect approximately 1% of all active Watchguard firewall appliances in the world.

Targeted industries/sectors: government, critical systems (energy, transportation, healthcare)

3) Gamaredon Group

Active since at least 2013, Gamaredon Group is a Russian state-sponsored APT group. In 2016, the Gamaredon Group was responsible for a cyber espionage campaign, tracked as Operation Armageddon, targeting the Ukrainian government, military, and law enforcement officials. 

In February 2022, cybersecurity researchers reported that Gamaredon had attempted to compromise an undisclosed Western government entity operating in Ukraine as part of a phishing campaign. The threat actors leveraged a Ukrainian job search and employment platform to upload a malware downloader masquerading as a resume for a job ad that was posted by the targeted organisation.

Targeted industries/sectors: government, technology

4) APT29 (AKA Dukes or Cozy Bear)

APT29 is a well-resourced and organised cyber espionage group. Security researchers suspect that the group is a part of the Russian intelligence services. APT29 primarily targets Western governments and related organisations, such as government ministries and agencies, political think tanks, governmental subcontractors, diplomatic services, healthcare organisations, and energy targets.

The group frequently uses publicly available exploits to conduct widespread scanning and exploitation against vulnerable systems, likely in an effort to obtain authentication credentials to allow further access. This broad targeting gives the group potential access to a large number of systems globally. The group may maintain a store of stolen credentials in order to access these systems in the event that they become more relevant in the future.

Throughout 2020, APT29 has targeted various organisations involved in COVID-19 vaccine development in Canada, the US and the UK.

Targeted industries/sectors: telecom, technology, pharmaceutical

5) APT28 (AKA Fancy Bear)

APT 28, also called Group 74, Pawn Storm, SNAKEMACKEREL, STRONTIUM, Sednit, Sofacy, Swallowtail, TG-4127, Threat Group-4127, or Tsar Team, is a state-sponsored hacking group associated with the Russian military intelligence agency GRU. The group has been active since 2007 and usually targets privileged information related to government, military and security organisations. 

It was observed targeting organisations and individuals involved in the US presidential election. The group’s efforts are focused on stealing targets' credentials and compromising their accounts to potentially disrupt elections and to harvest intelligence to be used as part of future attacks.

Targeted industries/sectors: military, security, government, press

ICAEW latest on Ukraine and Russia

Ukraine crisis: central resource hub

Resources, news and features on the impact of the Ukraine crisis on accountancy, business and the wider economy.

Ukrainian flag against blue sky

Support for members during the Ukraine crisis

Magnifying glass
Technical and Ethics Advisory Services

ICAEW Members can contact our free confidential helpline for advice and support on technical, ethical, anti-money laundering and fraud issues.

Resources for members

Chartered Accountants from across the membership have reached out to share how they are responding to the sanctions. Many are re-screening all clients with connections to Russia. Here are some of the key resources to help you respond to clients' concerns.

Doing business in ...
Guides to affected countries

ICAEW's Library and Information Service produces guides for members who are considering doing business in overseas countries. There are separate guides for Ukraine and its neighbours, all of which include updates on the latest sanctions and restrictions.