Written by: Csaba Krasznay, Director of Cybersecurity Research Institute at University of Public Service
A new chapter in the security of our world opened on 24 February 2022. The term ‘our world’ must also include cyberspace, as the Ukrainian-Russian war has openly demonstrated our dependence on information systems and the vulnerability of this ecosystem. Although the news of the war is still concerned with conventional armed clashes, more and more information is available concerning the activities and tools of the various state and non-state hacker groups. Companies can prepare for a renewed emphasis on cyber operations as the battles in physical space subside, with the difference that perhaps less significance will be placed on financial gain and far more on destruction. Most enterprise IT has already migrated to the cloud and to solutions that exchange data through APIs, which have become widespread. However, the rapid transition has focused on efficiency rather than cybersecurity. It is no coincidence that, according to Gartner, APIs are expected to be the most attacked interfaces in 2022.
The presentation that this blogpost discusses was given on 9 June 2022, at the Balasys API Meetup. You can re-watch Csaba’s presentation (in Hungarian) here.
You may be wondering how cyber warfare is related to APIs, or what exactly cyber warfare is in the first place. Whereas in the past many researchers had only vague ideas about cyber warfare, today we have experienced cyber warfare in our own neighborhood. It could be said that life has kicked the door down on science. While the potential for events like those that have been occurring since 24 February 2022 was known to the experts, the conflict itself was not anticipated.
According to the definition of cyber warfare and cyber war, operations in cyberspace are meant to secure supremacy in cyberspace over the other parties involved. With this superiority, the belligerent party, in addition to being able to overcome its opponent, serves and supports the other dimensions of warfare: land, water, air, and outer space.
Cyber warfare has been under development for a long time, going through many stages before it escalated to the level of cyber wars. It was even doubtful whether it would be possible to reach the level of genuine cyber warfare.
Considering the present situation, attacks on critical infrastructures necessary for the functioning of states and subsequent loss of human life have been anticipated and foreseen. This was also confirmed by the fact that Russia was suspected of developing cyber weapons and systems related to them. However, we have seen few examples of cyber weapons in recent years, as a DDoS or a sophisticated zero-day used for espionage is not – or not necessarily – considered a cyber weapon. The only exception was the malicious code NotPetya, more commonly known as the WannaCry ransomware.
Public opinion and researchers therefore expected that cyber weapons would eventually be present in the war, and that this would eventually lead to control of cyberspace. However, malicious codes are not currently the biggest problem.
The cyber operations of the Russo-Ukrainian war can be assessed from four points of view: domination of the information sphere, attacks on civilian and government IT systems, operations on critical infrastructures and military cyber operations.
The domination of the information sphere is the most spectacular front between the two countries. It means power over information and cognitive space to make society believe the narratives conveyed and represented by states. The Russian narrative has gained ground in much of Eastern Europe, while the Ukrainian narrative is predominant in Western Europe.
Of course, in the background, plenty of conventional forms of attack can be identified. The opposing sides are attacking each other’s civilian and government IT systems, though surprisingly Russia has largely been a victim of these attacks. It can be said that building offensive capacity is much easier than defending the information systems of an entire country.
Cyberspace operations attacking Ukraine’s critical infrastructures can be found, but the results have fallen far short of preliminary expectations. Russia typically uses armed force successfully to destroy its opponent or render it inoperable. In contrast, there are several cyber attacks directed against Russia that have achieved their intended purpose but have not come to light due to structured control over the information and cognitive space. Moreover, the use of civilian infrastructure and resources in warfare is common in military cyber operations.
Belligerent states have begun to use the cloud more intensively than ever before. The Telegram channel used to recruit and coordinate the Ukrainian civilian IT army was used to call for attacks on the Russian Sberbank APIs, which proved successful and made the bank’s APIs unavailable. For attackers, the choice was an excellent target, as the FinTech realm operates through APIs, and banks play an important role in people’s everyday lives, which means that temporary or permanent inoperability causes high levels of disruption. In addition, due to the sanctions imposed on Russia, an increasing number of foreign IT service providers have withdrawn their support for various licenses, causing some difficult moments for many Russian companies.
It is obvious that managing the cloud is becoming of key importance in the conflict. The Ukrainian state placed its national data assets into the cloud before the war broke out. Under the agreement with Amazon Web Services, the company provided support for the transition, and the same opportunity was made easily available to Ukrainian companies as well. With the onset of the emergency, the entire country began a shift to the cloud. The rule of law was also adapted in line with this tendency. Fortunately for Ukraine, the Russian side was not prepared enough to execute attacks aimed at the cloud and APIs. So far, Russia has tried to inject malicious code that has not, however, achieved its intended goal, which means they have seen an urgent need to adapt to new technologies.
Such is cyber warfare, as soldiers actually do it. The key to the resilience of the government and the state is moving to the cloud. Not fully, of course, but if done rationally and with proper control this process seems inevitable.
Such is cyber-resilience in reality. Attention needs to be paid not only to data and infrastructure, but also to critical infrastructures, since they are proving to be more resilient than originally thought.
Hacktivist groups exist – What will their future be? Many civilian hacker groups support one side or the other, so the doubt rightly arises: what will become of them after the war? Even if the rest of the world stays out of the conflict, cybercrime groups trained in the war can pose a problem for it in the future.
A large amount of data has been put into the ‘wild’, and will be used to nurture artificial intelligence in the coming years.
The convergence of space and cyber operations is clear, with space warfare taking place through cyberspace.
Personal security will be critical in software development. It is not enough to protect APIs like IT, one must also pay attention to the identity of the developer, given the fact that hundreds of thousands of Russian software developers have been left without work, and are expected to flood the industry.
Cyber warfare must also be taken into account in the corporate risk model. If the war reaches a status quo and the two sides are no longer preoccupied with each other, revenge and retaliation are expected. This may seem like a rather ominous, negative-sounding prediction, but for software security, it is essential to know what solutions are available and which ones need to be improved.
This blog post is licensed under the terms of the Creative Commons Attribution-ShareAlike 4.0 International (CC-BY-SA 4.0) License.
Szilárd Pfeiffer: API security: there is nothing new under the sun
With the incredible amount of data flowing through them, the security of APIs is becoming a growing concern in the IT industry. What are the best practices and proven solutions that organizations can follow in order to ensure the security of their APIs? There is really nothing new under the sun: APIs are secured by exactly the same precautions as anything else you publish on the internet.
Gábor Pék: Trusted Types: A world without XSS
XSS, or cross-site scripting, is one of the most widespread security problems today, as confirmed by statistics from bug-hunting companies such as HackerOne. Although our defenses have been significantly strengthened in recent years, this attack vector is still with us. As we move away from server-rendered pages towards SPAs (Single Page Applications), we are being forced to deal with a new type of XSS attack: DOM XSS. Gábor shares the story of the creation of Trusted Types, a new browser-based protection mechanism, and his experience with implementing it into Avatao’s Angular code base. According to a study conducted by Google, the company "has zero DOM XSS among applications migrated to Trusted Types." A great result, to be sure! But is it worth the effort?
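Trusted Types in practice, as an added example that is not from the talk or from Avatao’s code base: the policy name `app-html`, the escaping rule, the `renderUnsafe`/`renderSafe` helpers and the element stand-ins are all assumptions made here. In a browser the enforcement comes from the header `Content-Security-Policy: require-trusted-types-for 'script'; trusted-types app-html`, under which assigning a plain string to `innerHTML` throws and only `TrustedHTML` minted by a registered policy is accepted. Node has no Trusted Types API, so the block falls back to a minimal shim that mirrors the `createPolicy`/`isHTML` surface of `window.trustedTypes`.

```javascript
// Added example, not code from the talk or from Avatao's Angular code base.
// Trusted Types turn DOM XSS sinks such as innerHTML into checked sinks: with the header
//   Content-Security-Policy: require-trusted-types-for 'script'; trusted-types app-html
// the browser rejects plain strings and accepts only TrustedHTML minted by a named policy.
// Node has no Trusted Types API, so a minimal shim (an assumption for offline runs)
// mirrors the createPolicy/isHTML surface the browser exposes on window.trustedTypes.

const ttShim = {
  createPolicy(name, rules) {
    return {
      name,
      createHTML: (input) =>
        Object.freeze({
          __trustedHTML: true,
          value: rules.createHTML(String(input)),
          toString() { return this.value; },
        }),
    };
  },
  isHTML: (v) => v !== null && typeof v === 'object' && v.__trustedHTML === true,
};
const tt = typeof globalThis.trustedTypes !== 'undefined' ? globalThis.trustedTypes : ttShim;

// Escape the five characters that can start markup or break out of an attribute.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// The single place allowed to mint TrustedHTML. Because its rule escapes everything,
// untrusted input (URL fragment, query string, API response) can never become markup.
// Policy name 'app-html' is an assumption; it must match the trusted-types CSP directive.
const appHtmlPolicy = tt.createPolicy('app-html', { createHTML: escapeHtml });

// Classic DOM XSS pattern: an untrusted string goes straight into a sink.
function renderUnsafe(el, untrusted) {
  el.innerHTML = untrusted;
  return el.innerHTML;
}

// Hardened pattern: the sink only ever receives a policy-produced value.
function renderSafe(el, untrusted) {
  el.innerHTML = appHtmlPolicy.createHTML(untrusted);
  return el.innerHTML;
}

// Constructed element stand-ins for running outside a browser.
// makeLegacyElement behaves like a page without Trusted Types enforcement;
// makeEnforcingElement behaves like a page under require-trusted-types-for 'script'.
function makeLegacyElement() {
  let html = '';
  return { get innerHTML() { return html; }, set innerHTML(v) { html = String(v); } };
}

function makeEnforcingElement() {
  let html = '';
  return {
    get innerHTML() { return html; },
    set innerHTML(v) {
      if (!tt.isHTML(v)) {
        throw new TypeError("This document requires 'TrustedHTML' assignment.");
      }
      html = String(v);
    },
  };
}

// Constructed sample input: a textbook DOM XSS probe as it might arrive in location.hash.
const samplePayload = '<img src=x onerror="alert(1)">';

function demo() {
  const legacy = renderUnsafe(makeLegacyElement(), samplePayload); // markup lands verbatim
  let rejected = false;
  try {
    renderUnsafe(makeEnforcingElement(), samplePayload);
  } catch (e) {
    rejected = e instanceof TypeError; // enforcement catches the raw-string assignment
  }
  const safe = renderSafe(makeEnforcingElement(), samplePayload); // escaped text, no markup
  return { legacy, rejected, safe };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

The point of the design is that the policy, not each call site, is the auditable surface: reviewing the one `createHTML` rule (and the CSP directive that names it) is enough to know that no string reaches `innerHTML` unescaped, whereas without enforcement every sink assignment in the SPA has to be checked individually.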