As day one at Black Hat USA 2022 came to an end, someone asked me, “What is your takeaway from today’s conference?” There have been several interesting presentations, and as expected a number of them detailed the cyberwar in Ukraine, including the presentation by ESET’s own Robert Lipovsky and Anton Cherepanov – Industroyer2: Sandworm's Cyberwarfare Targets Ukraine's Power Grid Again.
But there is one standout moment of the day for me, a simple moment when all the mentions of Ukraine and the detailed analysis of the cyberincidents the country has endured were put in perspective. SentinelOne’s Juan Andres Guerrero and Thomas Hegel presented Real 'Cyber War': Espionage, DDoS, Leaks, and Wipers in the Russian Invasion of Ukraine, a detailed timeline of the cyberattacks relating to the conflict. As did all presentations relating to the war, this opened to a full room of over a thousand attendees; Juan clicked the first slide and reminded the audience that while we are here to talk about cyberattacks relating to the war, we should remember that there is a war – a real war – one that is happening on the streets and affecting people’s lives (or words to that effect).
The moment was a stark reminder that while the cybersecurity industry is united in stopping attacks happening in Ukraine, we do so remotely while there are people on the ground in an actual war zone. The remainder of the presentation by Juan and Thomas was a fascinating timeline of the attacks and how numerous cybersecurity companies and organizations have come together to provide unprecedented cooperation, including the sharing of research and intelligence. A slide calling out the main contributors listed them as: CERT-UA, United States Cyber Command, Cybersecurity and Infrastructure Security Agency (CISA), SentinelLabs, Microsoft Threat Intelligence Center, TALOS, Symantec, Mandiant, Inquest Labs, Red Canary, and ESET. The list demonstrates how companies that normally compete in business are united in this mission, and even under normal conditions – if there is such a thing in the cybersecurity industry – work together to keep the digital environment we rely on safe and accessible.
The ESET presentation delivered by Robert and Anton detailed the recent attempt to unleash a cyberattack against the power infrastructure by attackers known as Sandworm, a group that different countries’ cyberagencies, including the US CISA and the UK NCSC, attribute as being part of Russia’s GRU. The combined efforts and knowledge of previous attacks against industrial control systems (ICS) used in electrical distribution plants gave cyberdefenders within the power utility company and CERT-UA, backed by experts from ESET, the ability to thwart the potential attack. This attack, known as Industroyer2, is one of many aimed at causing disruption and destruction, and demonstrates that cyberattacks have now matured to a level where they are an asset, a weapon, available to those wishing to wage war.
To summarize, my takeaway of the day is one of pride to be a member of the cybersecurity industry, and more importantly that we need to recognize and thank the dedicated cyberdefense teams that have stepped up to protect systems and infrastructure from an aggressor.