Although there are currently no objective elements pointing to a specific cyber threat against Belgium or any other country of the European Union, the unease is growing in all industries and also among ordinary people. People are rightly asking a lot of questions and there are also alarming rumours circulating. People are wondering whether this is the beginning of a cyberwar and if we should, for example, withdraw cash because the bank terminals will soon be hacked. Of course, all hands are on deck at the Centre for Cybersecurity Belgium (CCB), but our services are not panicking, because we are monitoring the situation meticulously and are in contact with a strong international network of cybersecurity experts. 

Are we at the cusp of a cyberwar?

In recent conflicts between countries, a physical attack is increasingly preceded by cyber-attacks, known as hybrid warfare. The idea is to cut the other party off from communications or radar systems, causing them to be in the blind. They also try to destroy critical infrastructure via a cyber-attack to weaken the enemy.  We also noted that less harmful attacks are carried out by way of diversion. 

Our Cyber Threat Research and Intelligence Sharing team (CyTRIS) is monitoring the situation on a daily basis and has developed an overview of cyber-attacks observed in the conflict so far. It is always difficult to pinpoint the perpetrator of a cyber-attack because it is easier to hide in the digital world, after all, but in these cases, we can assume that there is a link to the Russian regime because of geopolitical events.

What cyber activities were detected in Ukraine?

DDoS attacks took place on the Ukrainian government, military, financial and communications sectors.  A DDOS attack causes the network to be overloaded, putting it temporarily out of service.  Usually, a DDOS attack does not cause permanent damage, but it can divert attention from another attack.

There is also evidence that wiper malware has been deployed. This is a type of computer virus that penetrates users' systems and can delete data there. The security company ESET claims that hundreds of computers in Ukraine have been disable in this way. 

Another security company, Palo Alto, discovered that backdoor malware called SockDetour has been used for espionage purposes including targeting US defence contractors. Backdoor malware is a computer virus that, as the name implies, leaves a backdoor in the systems to leak data. 

Web Defacement and Supply chain attacks have also been noted. During Web Defacement attacks, hackers penetrate a website and replace content on the site with their own messages. In a supply chain attack, the attacker enters enemy systems by exploiting a vulnerability in a software the victim is using.

And finally, several false messages have also been spread.  Disinformation campaigns are used in part to justify an attack.

U.S. and British cyber agencies reported a new threat this week: a virus called Cyclops Blink, from the Russia-linked Sandworm group. See advisory CERT.be.  Now that the CONTI ransomware group has openly offered its services to the Russian regime, ransomware attacks of this type can now also be expected from Russia. 

The information from these attacks is eagerly shared in the networks of cybersecurity experts, such as EU CSIRT.   CCB is part of these networks and therefore quickly receives important alerts that we can in turn share.

Can Belgian industries also be affected, and which industries are targeted?

All these attacks were discovered in Ukraine and therefore not in other EU countries.  We have no indication at this time that any of the Belgian industries are at risk. But that does not mean we are untouchable. A cyber-attack that can be felt as far away as Belgium can never be completely ruled out.  In the past, there have been digital attacks that had consequences as far away as Belgium, e.g., NotPetya in 2017. This attack began in a Ukrainian government department but quickly spread to the corporate world and was felt as far away as the port of Rotterdam and in some Belgian companies. With sanctions in place against the Russian regime, many are asking whether Russia will respond with a cyberattack on Belgian agencies, among others. Certain criminal organizations are openly backing the Russian regime and offering their help.  They threaten to launch attacks in countries that try to target Russia. At the moment we have no concrete indications. However, this threat is continuously being upgraded and additional measures will be taken if necessary.

Are we defenceless against a cyber-attack?

Certainly not.  Cyber experts and security firms continue to insist that basic security actions can already make a big difference: recognize phishing, use strong passwords and two-factor authentication (2FA), and above all, patch and update systems in a timely manner.

The best security for organizations and businesses, not just today, but year-round, is to strengthen cybersecurity resilience. Basic security actions play a primary role in this. We recommend that companies and organizations develop, update and test a (cyber) emergency plan on a regular basis. It is important that every employee knows what to do in the event of a cyber incident. Watch our webinar on cyber incidents https://www.youtube.com/watch?v=-cHcTidmT1Y

Are counter-responses from hackers helpful?

Belgian hackers announced that they would bombard Russian websites with DDOS attacks, and the hacktivist group Anonymous also announced attacks that will hit the Russian regime.  We certainly don't want to encourage this. Hacking is illegal and such attacks are probably just pinpricks for the Russian regime. On top of that, such attacks could be used by the Russian regime to justify a much more serious counterattack.

Let's not get carried away!

Right now, IT problems are more likely to occur in our organizations and businesses because of the so-called FUD (Fear, Uncertainty and Doubt) syndrome than because of an attack by the Russian regime.   Therefore, don't immediately panic if a website goes "down," or if the company network is "slow".   Chances are that the IT department might be a bit preoccupied with security updates. If you are asked to change passwords, do so as soon as possible. We would also ask that you pay close attention to your employer's security recommendations.

The CCB is closely monitoring the situation and we will immediately pass on concrete advice and instructions through our channels to sectors at risk if necessary. If people need to be alerted in some way, we will use all our channels to do so and count on the press to help spread the information. We are committed to publishing an update of the situation on a regular basis.