Russian DDoS attacks on the West may be a smokescreen - cyber deception expert


Cyberattacks create pressure on security teams guarding IT infrastructure. Stress often leads to mistakes, and adversaries anticipate exploiting cracks in the defensive walls.

The cyber war sparked by Russia’s invasion of Ukraine on February 24 brought a wave of distributed denial-of-service (DDoS) attacks crashing upon organizations supporting Kyiv or the Kremlin.

While the true impact of DDoS attacks is disputed, overloading defending teams with malicious activity could be an effective smoke screen, says Xavier Bellekens, CEO of Lupovis, a company that uses deception-based techniques to improve cybersecurity.


“It’s always about the psychology of how you feel when you’ve got to defend. And while the security team is under pressure, they’re more likely to make mistakes. Everybody makes mistakes. It's human nature,” Bellekens told Cybernews.

Xavier Bellekens. Image edited by Cybernews.

Expert in cyberpsychology and a senior nonresident fellow at the Atlantic Council, he thinks it’s important to understand the adversary as thoroughly as the means of defense. Knowing who’s behind an attack, a bot or a human, should dictate the response and help manage stress levels.

Your recent report said that Russian hackers are using networks of organizations in the US, UK, France, and elsewhere to reroute their attacks against Ukraine. How deep would you say the Russian penetration of IT networks in the West is?

It’s no secret that Russian cyber groups focus on large organizations. However, we found that they are using organizations to launch cyberattacks. I think they’re dug in quite well.

They’ve been launching cyberattacks from critical national infrastructure organizations in the past. In 2015 and 2017, they used Ukraine as a testing ground when 260,000 people lost electricity. So, they have that knowledge, leveraging it to go deeper into these networks.

There are plenty of networks to breach because companies are of various maturity. If you cannot breach, for example, EDF (major French electricity producer), attack a smaller company with lower maturity. If they use those organizations to their advantage, they still can do quite a lot of damage.


In the report, you discuss Russia launching “a tsunami of devastating attacks across the world.” Do you think, for example, ransomware groups work to advance Russia’s national interests?

It’s the same as with security professionals. They know each other, and there’s a network. If suddenly you are a top performer in one of the groups not associated with the government, why wouldn’t the government show interest in you? All governments do that.

This means that, undoubtedly, some of the information must be shared. It would be delusional to think that that information is not transferred to advance Russian national interests. For example, when pharmaceutical companies were developing the COVID vaccine, we heard Russians were targeting some of them.

There is a government-led interest in understanding how other threat actors do things. We’ve also seen many smaller companies being targeted and infiltrated, likely to exploit less mature companies in the supply chain.

After Killnet, the pro-Russian distributed denial-of-service (DDoS) group, attacked the European Parliament, you said that “understanding who the perpetrators are is essential.” Could you explain what you mean by that?

By deploying decoys, we have seen that DDoS is an excellent way to distract attention. That’s why understanding who could be behind the attack allows you to think further than just the DDoS itself. We often see this happening when someone launches a DDoS, and then suddenly, our decoy is tripped by someone snooping around. That tells us that adversaries are deceptive.

This information is vital because somebody is clicking the button behind every cyberattack. There’s a human with a particular state of mind. For example, if it’s a sole hacktivist, you can be confident the chances of an attack escalating are limited. But if you know it’s a state-sponsored group, you may want to pay more attention. Having the ability to correlate that information can only make us stronger.

Are you saying that threat actors carry out DDoS attacks to mask more nefarious cyber activities?

The security team is already swamped on a typical day without a DDoS attack. Add a DDoS to the mix, and you get a situation with fewer chances the security team will be able to respond. Our decoys registered just that in the past months.


And it’s a clever tactic. The stress of an attack is what adversaries like to play on. It’s always about the psychology of how you feel when you’ve got to defend. And while the security team is under pressure, they’re more likely to make mistakes. Everybody makes mistakes. It’s human nature.

I know that decoys touch the exotic-sounding field of cyberpsychology. Give me an example of psychology in your work.

In cybersecurity, we always think about the defender. We are building walls around the castle. Typically, adversaries try to find a breach in the castle with deception. One way to use cyberpsychology is to leave a window open for them.

For example, if burglars enter a house through a window, they don’t know where the bathroom or the kitchen is. They know the rooms are there, but they need to explore the house to find the rooms. It’s similar to a network. If you start giving out bits and pieces of information, you get adversaries to follow them and be alerted before the attack happens.


It’s been nearly a year since Russia deployed its first wipers before invading Ukraine. What lessons have you learned over the last year?

One interesting point our studies showed is that the companies that have shown support for Ukraine were targeted much more by Russian DDoS attacks. Of course not. But understanding the increased risks allows defenders to prepare.

We’ve also learned that there are a lot of human adversaries on the Russian side, and they are carrying out manual attacks. It’s interesting to me because there are a lot of automated scanners that will exploit known vulnerabilities. But if you want to do something more targeted, you still need to do reconnaissance and understand the target.

Again, suppose you’re a national critical infrastructure operator and believe you might be a target. In that case, you may want to understand whether a human or a bot targets you. If it’s a bot, continue your patch management. You may want to correlate this across your entire infrastructure if it's a human.
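Two points from the interview lend themselves to a small detection exercise: decoy hits that land inside a DDoS window deserve attention (the "smokescreen" pattern), and the cadence of those hits is one crude signal for telling a scanner from a hands-on-keyboard visitor. The following is an added illustration written for this article, not Lupovis code; the log lines, IP addresses, DDoS window and the cadence thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

T0 = datetime(2023, 2, 1, 10, 0, 0)

# Constructed: one DDoS alert window (start, end) raised by the traffic monitor.
DDOS_WINDOWS = [(T0, T0 + timedelta(minutes=45))]

# Constructed decoy access log: (timestamp, source IP, requested path).
# A decoy has no legitimate users, so every hit is worth a look.
DECOY_LOG = (
    # scanner-like: fixed 0.2 s cadence, well-known paths
    [(T0 + timedelta(minutes=5, milliseconds=200 * i), "198.51.100.7", p)
     for i, p in enumerate(["/", "/admin", "/.env", "/wp-login.php", "/phpmyadmin"])]
    # hands-on-keyboard-like: irregular gaps, following planted breadcrumbs
    + [(T0 + timedelta(minutes=20, seconds=s), "203.0.113.5", p)
       for s, p in [(0, "/"), (12, "/finance/"), (52, "/finance/budget.xlsx"), (77, "/hr/")]]
    # outside the DDoS window: not part of this correlation
    + [(T0 + timedelta(hours=2), "192.0.2.9", "/")]
)


def hits_during_ddos(log, windows):
    """Keep decoy hits whose timestamp falls inside any DDoS alert window."""
    return [h for h in log if any(start <= h[0] <= end for start, end in windows)]


def classify_visitor(timestamps):
    """Crude cadence heuristic (assumed thresholds): scanners are fast and regular,
    a person browsing is slower and irregular. Tune against your own decoy data."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return "unknown"
    avg = mean(gaps)
    regularity = pstdev(gaps) / avg if avg else 0.0  # coefficient of variation
    return "automated" if avg < 2.0 and regularity < 0.5 else "manual"


def triage(log, windows):
    """Group in-window decoy hits by source and label each source."""
    by_src = defaultdict(list)
    for ts, src, _path in hits_during_ddos(log, windows):
        by_src[src].append(ts)
    return {src: classify_visitor(stamps) for src, stamps in by_src.items()}


if __name__ == "__main__":
    for src, label in triage(DECOY_LOG, DDOS_WINDOWS).items():
        print(f"{src}: {label} activity on decoy during DDoS window")
```

A "manual" label on a decoy during a DDoS is the case the interview describes: treat it as a correlation lead across the rest of the estate rather than as a false positive from the flood.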
