Crisis in Ukraine: Increased sanctions complexities and cyber risk – what you need to know
Market Insight, 28 March 2022
As the crisis in Ukraine continues to unfold, governments around the world are warning organisations about the heightened risk of cyber-attacks. The challenges involved in managing such an attack have been further complicated by the sanctions imposed on Russia and its allies. Our expert team outlines what you need to know regarding the increased sanctions complexities and changing cyber risk landscape.
- The sanctions landscape is evolving rapidly
- The ransomware business model is changing, so it’s more important than ever to undertake proper due diligence before making a ransom payment
- While we haven’t yet seen a massive upswing in cyber incidents, the risk level for organisations remains high
- Be aware there are different considerations when dealing with cyber incidents from state actors
There are two main types of sanctions:
- United Nations Security Council (UNSC) sanctions resolutions, which are binding on Member States; and
- autonomous sanctions regimes, where individual or groups of countries make unilateral decisions on what sanctions to put in place.
UNSC sanctions cannot be imposed in respect of the Russia/Ukraine war, because Russia holds a veto as one of the five permanent members of the UNSC. Countries are therefore imposing autonomous sanctions regimes, which poses challenges, including a noticeable lack of coordination and cooperation between countries in the absence of an obvious forum in which to align their regimes.
At a high level, the sanctions currently being applied include financial sanctions (such as asset freezes), trade and investment sanctions (focused on sectors critical to the Russian economy), tariffs on Russian goods, and flight and travel bans.
As the situation unfolds, organisations need to:
- pay close attention to the list of sanctioned entities, individuals and sectors – as these can vary significantly between countries, and change on a day-by-day basis;
- watch for escalating sanctions regimes should other countries decide to support Russia. For example, the Australian Government has indicated that it would impose sanctions on China if China provided military support to Russia; and
- in line with statutory defences that are available, take reasonable precautions and exercise due diligence to prevent breaches of sanctions laws.
The ransomware business model is changing, so it’s more important than ever to undertake proper due diligence before making a ransom payment
In a recent webinar on sanctions and cyber risk run by Clyde & Co, Bill Siegel, the CEO of Coveware (an organisation that helps businesses recover from cyber extortion events such as ransomware), outlined what his organisation had been seeing in ransomware incidents since the crisis began to unfold.
The war is reshaping ransomware attacks more generally. In the latter half of 2021, ransomware-as-a-service (RaaS) groups proliferated. RaaS is a business model in which ‘affiliates’ pay a central operator to use its code and ‘brand’ to launch ransomware attacks. Affiliates benefited from belonging to established, well-known RaaS groups because the group’s reputation for delivering on its promises after payment (such as providing a working decryptor) made victims more willing to pay.
However, the sanctions arising from the war have made this business model unviable. Cybercriminals do not want to be affiliated with RaaS groups that may be linked to sanctioned persons, because victims will ultimately be unable to pay their ransom demands.
Further, the war and law enforcement scrutiny have caused a proliferation of ransomware ‘variants’ (distinct strains of ransomware). Prior to the war, approximately ten variants accounted for more than half of all ransomware attacks. Now there are twice as many, and new and previously inactive variants are also emerging.
It is important to undertake appropriate and rigorous due diligence before paying a ransom, even more so now given:
- the greater difficulty in attributing an incident to a particular actor, and in deciding whether that actor could be on a sanctions list; and
- the need to consider whether an actor is politically motivated in favour of Russia and/or is taking direction from Russia – an actor may not be on a sanctions list, yet its conduct may still breach a sanctions attestation, or an insurer’s threshold for funding a ransom payment.
While we haven’t yet seen a massive upswing in cyber incidents, the risk level for organisations remains high
Based on Clyde & Co’s data, there is currently no indication that Australian entities supporting Ukraine have become targets for ransomware attacks. The number of incidents is stable, and the communications from cybercriminals have not shifted from financial to geopolitical motivation.
Clyde & Co data on ransomware incidents across 2021 and 2022 points to routine fluctuation in activity and inactivity throughout the year, typically due to arrests and splintering of threat actor groups, as well as seasonality (lower numbers of incidents during the Northern Hemisphere holiday periods).
While the last couple of months’ ransomware incident numbers are within the bounds of normal variation, organisations need to be alert to:
- the potential for a Russian-originated attack on Ukraine that spills over into global supply chains or technology providers;
- the fact that it is still early days, and as the war continues, a ‘death to the West’ attitude could emerge from threat actors; and
- the splintering of threat actor groups presenting a real challenge, as there is less prior experience on how these groups will act to inform negotiation strategies.
As a result, it is crucial that organisations have a predetermined position on ransom payments, processes for responding to attacks, and the right infrastructure supports in place to ensure that the impact is neutralised (such as backups).
Be aware there are different considerations when dealing with cyber incidents from state actors
Although ransomware incidents receive a lot of media attention, there is another incident type that organisations need to know about and prepare for: state-supported cyber activity. The key features of state actor incidents include:
- State actors are covert and can be difficult to evict from networks – More ‘run-of-the-mill’ cybercriminals are out for a big score and often target obvious data assets, such as financial or personal information. In contrast, a job well done for a state actor is one that no one knows about. This complicates incident response, because the state actor may still be inside the compromised network while the organisation is discovering and responding to the incident. Further, should the state actor realise its presence has been discovered, it may act vindictively, encrypting or erasing data, or shutting down networks.
- State actors often have unpredictable motives – The target for the state actor might not always be the most obvious data asset (e.g. financial or personal information) – it could be negotiation and strategy documentation, policy documents or industrial trade secrets.
- State actors are commonly in organisations’ systems for longer – Because state actors are seldom seeking quick wins or immediate financial gain, they take a more cautious and considered approach to getting what they want.
While a commonly held view is ‘a state actor wouldn’t be interested in my organisation given my size and profile’, organisations should take stock and think more broadly about the supply chains they belong to. Suppliers and advisors given access to a third party’s data or network systems (for example, accountants, trade bodies, lawyers and consultants) can also become the indirect targets of state actors.
An organisation subject to a cyber incident needs to be careful not to make misleading or false attributions to particular state actors when publishing communications about the incident, or when completing mandatory notifications. Such announcements might provoke further harm from the state actor.
Finally, to prepare for this type of threat, organisations should review their incident response plan and consider putting together a tailored playbook that caters to the unpredictable nature of a state actor attack.
How can Clyde & Co help?
Clyde & Co has the largest dedicated cyber incident response and privacy advisory practice in Australia and New Zealand and has more 5-Star Cyber Lawyers than any other firm. In recent years our experienced team has dealt with thousands of data breaches and technology-related disputes, privacy reviews, assessments and solutions advice, including a number of the largest and most complex incidents in Asia-Pacific to date.
From pre-incident readiness reviews, solutions and advice, breach response, through to defence of regulatory investigations and proceedings, as well as recovery actions against wrongdoers, we assist clients globally across the full cyber lifecycle. Our team is also highly regarded for their expertise and experience in financial services information technology prudential requirements and managing all forms of disputes across sectors including advising on some of the most newsworthy class actions commenced in Australia.
Our 24-hour cyber incident response hotline and email allow you to reach our team directly around the clock. For more information, contact us on:
Australia: +61 2 9210 4464
New Zealand: +64 800 527 508