One of the most notable differences in the Russia-Ukraine war compared with previous conflicts is the proliferation of nation-state cyberattacks.
The Centre for Strategic & International Studies had long predicted the outbreak of cyber warfare and even indicated that Russian cyberattacks on government, military, and critical infrastructure would be consistent with a so-called "thunder run" strategy intended to cause chaos, confusion, and uncertainty.
Attacks have not been confined to Ukraine either. A recent report indicated the focus was shifting from Ukraine to NATO allies, a number of which reported a 57 per cent surge in cyberattacks.
While Australia sits outside the Alliance, the federal government's allegiance to Ukraine through military equipment, humanitarian aid, Russian sanctions, cooperation with the US, and more puts it at risk of Russian-sponsored cyber offensives, and government and cyber defence leaders need to be prepared.
Recent domain name system (DNS) analysis conducted by Infoblox detected a novel malware toolkit that had evaded other security measures, in use in the conflict and beyond. It sat undetected on networks for an extended period, enjoying unfettered access to victim devices.
Known as Decoy Dog, the malware uses the DNS - the system that translates domain names to IP addresses so browsers can load internet resources - as a covert command-and-control channel: the attackers' commands to compromised devices travel inside ordinary-looking DNS queries and responses, traffic that most networks allow out unfiltered. The malware gives the attackers complete control of the device, so it could be told to steal data, take photos, or even stop working via a DNS command.
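Because DNS command-and-control hides in traffic every network permits, the practical defence is to look at the shape of the queries rather than their destination. The following is an added example, not Infoblox's tooling or any published Decoy Dog indicator: it profiles resolver query logs per registered zone and flags zones that show several independent signs of a DNS channel at once (many unique high-entropy subdomains, a regular beaconing cadence, and a preference for data-carrying record types such as TXT). The log lines and the domain telemetry-sync.example are constructed for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log, one query per line: "<epoch> <client> <qname> <qtype>".
# telemetry-sync.example is a hypothetical zone, not a real indicator.
SAMPLE_LOG = """\
1700000000 10.0.0.5 www.example.com A
1700000001 10.0.0.5 cdn.example.com A
1700000002 10.0.0.7 mail.example.org MX
1700000010 10.0.0.9 a3f9c1e2b7d84f0a.telemetry-sync.example TXT
1700000070 10.0.0.9 9e2d77c0ab13f4e6.telemetry-sync.example TXT
1700000130 10.0.0.9 c04b8d1ef5a26e93.telemetry-sync.example TXT
1700000190 10.0.0.9 5d7e2a09bc4f6183.telemetry-sync.example TXT
1700000250 10.0.0.9 e81c3b6f2d9a4705.telemetry-sync.example TXT
1700000300 10.0.0.5 api.example.com A
"""

# Record types that carry arbitrary payload back to the client; A/AAAA answers can
# only smuggle a few bytes each, so tunnels lean on these.
DATA_QTYPES = {"TXT", "NULL"}


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded or encrypted data scores near log2(alphabet)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parse_log(text: str):
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than abort the whole run
        ts, client, qname, qtype = parts
        records.append((int(ts), client, qname.lower().rstrip("."), qtype.upper()))
    return records


def registered_zone(qname: str) -> str:
    """Simplification: last two labels. A real deployment should use a public-suffix list."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def profile_zones(records):
    zones = defaultdict(lambda: {"times": [], "subs": set(), "entropies": [], "qtypes": Counter()})
    for ts, _client, qname, qtype in records:
        zone = registered_zone(qname)
        z = zones[zone]
        z["times"].append(ts)
        z["qtypes"][qtype] += 1
        sub = qname[: -len(zone)].rstrip(".") if qname != zone else ""
        if sub:
            z["subs"].add(sub)
            # Leftmost label is where tunnels put the encoded payload.
            z["entropies"].append(shannon_entropy(sub.split(".")[0]))
    return zones


def interval_cv(times):
    """Coefficient of variation of inter-query gaps; near 0 means clockwork beaconing."""
    if len(times) < 3:
        return None
    t = sorted(times)
    gaps = [b - a for a, b in zip(t, t[1:])]
    mean = sum(gaps) / len(gaps)
    if mean == 0:
        return None
    var = sum((g - mean) ** 2 for g in gaps) / len(gaps)
    return math.sqrt(var) / mean


def zone_indicators(z, min_subs=4, min_entropy=3.0, max_cv=0.2, min_data_frac=0.5):
    reasons = []
    mean_ent = sum(z["entropies"]) / len(z["entropies"]) if z["entropies"] else 0.0
    if len(z["subs"]) >= min_subs and mean_ent >= min_entropy:
        reasons.append(f"{len(z['subs'])} unique subdomains, mean label entropy {mean_ent:.2f} bits")
    cv = interval_cv(z["times"])
    if cv is not None and cv <= max_cv and len(z["times"]) >= min_subs:
        reasons.append(f"regular query cadence (interval CV {cv:.2f})")
    total = sum(z["qtypes"].values())
    data_frac = sum(v for k, v in z["qtypes"].items() if k in DATA_QTYPES) / total if total else 0.0
    if data_frac >= min_data_frac:
        reasons.append(f"{data_frac:.0%} of queries use data-carrying record types")
    return reasons


def find_suspected_dns_c2(log_text: str):
    """Return {zone: [reasons]} for zones showing at least two independent indicators."""
    findings = {}
    for zone, z in profile_zones(parse_log(log_text)).items():
        reasons = zone_indicators(z)
        if len(reasons) >= 2:  # one signal alone (e.g. a CDN's hashed hostnames) is too noisy
            findings[zone] = reasons
    return findings


if __name__ == "__main__":
    for zone, reasons in find_suspected_dns_c2(SAMPLE_LOG).items():
        print(zone, "->", "; ".join(reasons))
```

Requiring two indicators is deliberate: content-delivery and telemetry services legitimately emit hashed hostnames, and scheduled agents legitimately beacon, but few benign services do both through TXT records. Thresholds are starting points to be tuned against a baseline of the organisation's own traffic.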
There is still much to uncover, but the malware has all the earmarks of nation-state cyber espionage. Like the Sunburst malware linked to a Russian hacking group, which was planted in SolarWinds' software, Decoy Dog remained undetected for a long time. In the SolarWinds attack, the networks of New South Wales Health, Rio Tinto, and Serco were compromised; in the case of Decoy Dog, even though the malware's DNS beacon has been found, the victims' identities remain a mystery.
Worryingly, Decoy Dog can do new tricks compared with previous malware of its kind, including adapting. Public disclosure of its existence led the threat actors to respond immediately, adjusting the toolkit to keep communications with targeted systems alive. We are seeing a level of ominous determination here.
While there's no evidence to indicate Australian government networks have been targeted yet, Decoy Dog's ability to spread and remain hidden, its nation-state behaviour, and Canberra's geopolitical position in current and potential global conflicts mean government and enterprise cyber security leaders need to get ahead of it.
Major government security agencies across the globe, including the Australian Cyber Security Centre (ACSC), advocate the use of a protective domain name service (PDNS), a resolver that applies threat intelligence to block the domains Decoy Dog relies on, so infected devices cannot reach their controllers.
The ACSC has gone a step further by making its system, AUPDNS, freely available to all federal, state, and territory government entities that perform critical services for Australians, meaning there is little excuse for government agencies not to have this safeguard in place.
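To make the mechanism concrete, here is how a protective DNS block is expressed in BIND's response policy zone (RPZ) feature, as an added example; it is not the ACSC's AUPDNS configuration, which this page does not describe, and telemetry-sync.example is a hypothetical domain rather than a real indicator.

```bind
; db.rpz: a policy zone served only to the organisation's own BIND resolver.
$TTL 300
@                         IN SOA  localhost. hostmaster.localhost. ( 2024010101 3600 600 86400 300 )
@                         IN NS   localhost.

; CNAME . rewrites the answer to NXDOMAIN. The wildcard entry matters: DNS
; command-and-control typically encodes its data in unique, one-off subdomains,
; so blocking only the apex would leave the channel open.
telemetry-sync.example    CNAME .
*.telemetry-sync.example  CNAME .

; Alternative policy: answer with a sinkhole address that you monitor, so the
; infected host identifies itself when it tries to connect.
; telemetry-sync.example    A  192.0.2.1
; *.telemetry-sync.example  A  192.0.2.1
```

The zone is activated in named.conf with a `zone "rpz.local" { type master; file "/etc/bind/db.rpz"; };` stanza and `response-policy { zone "rpz.local"; };` in the options block. Rewritten answers are reported under BIND's `rpz` logging category, and those log lines are the detection value of a protective resolver: every hit names a client that tried to talk to a known-bad domain.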
But this threat stretches far beyond one specific attack: more than 90 per cent of malware relies on DNS at some point in its execution. That is a consequence of the DNS's unique position in networks. Almost every connection begins with a name lookup, so the resolver sees an intended destination before any packet reaches it and can refuse to resolve it.
Australian enterprises and government agencies should consider DNS security as part of a broader detection and response strategy. Protective DNS can serve as the first line of defence because it can block malicious domains before the malware itself has been identified, and it works independently of the devices being protected, including unmanaged and IoT devices where no agent can run. This is particularly important in the context of the Security of Critical Infrastructure (SOCI) Act, which is driving an uplift in security posture among organisations supporting Australia's most vital national infrastructure.
DNS should also play a starring role in the updated Australian Cyber Security Strategy, due to be announced in the coming months, to help the nation succeed in its ambitious goal to be the most secure country in the world by 2030.