The War in Ukraine has caused a sea change in the threatscape, where a highly capable group of threat actors now has a much stronger incentive to use cyber actions to achieve their objectives and support their interests. At IOActive we are adjusting our course of action in response to this change in several areas: in addition to our groundbreaking cybersecurity research, another element to arrive in the upcoming months will see us sharing more and different types of content on our blogs.
Some of this new content will be items we normally share discreetly with our clients in small, verbal briefings or through Information Sharing and Analysis Centers (ISACs). However, we have decided to judiciously publicize more of this information due to the more intense risks the community is facing today.
Original Cybersecurity Research
In accordance with our Responsible Disclosure Policy1, we’ll be sharing previously unpublished, original cybersecurity research to which product manufacturers were non-responsive after our disclosure steps or where we’re seeing similar vulnerabilities exploited in the wild. For example, due to the exploitation of vulnerabilities in commercial satellite communications (SATCOM) terminals2 as presciently foreseen by Ruben Santamarta in two research projects from 20143 and 20184, as well as by the US National Security Agency (NSA) in a January 2022 Cybersecurity Advisory5, we’ll be sharing vulnerabilities in a two-phase approach that we originally reported to a terminal manufacturer more than 3 years ago. You can find that initial post here.6
Analytical Threat Intelligence
IOActive normally chooses not to publicly share the products of our threat intelligence analytics, wherein we explore the operational and cybersecurity consequences of our original research findings or assess which threat actors may have the capability and interest to perform or operationalize attacks similar to those found in our research. Given the changed threatscape, however, we feel it’s important to share a retrospective look at the revealed SATCOM vulnerabilities and their utilization in the War in Ukraine; likewise, we will be sharing more analytical perspectives on cybersecurity threats to transportation, as briefly covered in a recent FleetOwner article specific to trucking fleet operations.7 While these analytical products are often informal, they can be extremely valuable to organizations of all types.
Strategies and Potential Courses of Action
In addition to providing threat intelligence products from an attacker’s viewpoint, we also advise our clients and share with ISACs strategies to manage their cybersecurity and operational risks, as well as potential courses of action based on our detailed understanding of how attackers operate and succeed. Often these suggestions and advice are made in response to our original cybersecurity research and its corresponding analytical threat.
1https://ioactive.com/disclosure-policy/
2https://www.reuters.com/business/aerospace-defense/satellite-firm-viasat-probes-suspected-cyberattack-ukraine-elsewhere-2022-02-28/
3https://ioactive.com/pdfs/IOActive_SATCOM_Security_WhitePaper.pdf
4IOActive whitepaper | Last Call for SATCOM Security
5https://media.defense.gov/2022/Jan/25/2002927101/-1/-1/0/CSA_PROTECTING_VSAT_COMMUNICATIONS_01252022.PDF
6IOActive blog | Wideye Security Advisory and Current Concerns on SATCOM Security
7https://www.fleetowner.com/technology/article/21235462/are-cybercriminals-waiting-for-the-right-time-to-attack-us-trucks