Use of Russian technology products and services

Cybersecurity – even in a time of global unrest and the recent invasion of Ukraine – remains a balance of different risks

original

The invasion of Ukraine by Russia has made many of us reconsider how we see the world and – in particular – how Russia might also use cyber operations.

As expected, there are ongoing cyber attacks against Ukrainian infrastructure (including those that we've attributed with our partners to the Russian intelligence services). But we've not seen – and don’t expect to see – the massive, global cyber attacks that some had predicted. However, we have previously seen Russia acting against UK interests, and also acting through proxy compromises to get to UK entities (for example with the SolarWinds Orion software, and in going after UK telecoms networks to get to their customers).

Back in 2017, we published a blog describing our approach to understanding the risks behind using ‘cloud-enabled products' where the supply chain included hostile states, such as Russia. We explained the risks and advised those national security departments in government to ensure they weren't using Russian products, like Kaspersky antivirus (AV). We also said that for most people and enterprises, the biggest risks remain:

  • not keeping software up to date
  • poor network configuration management
  • poor credential management.

We know these are the most common causes of compromises, including those we (and our partners) have attributed to the Russian state. We still think this advice is correct but, given the conflict in Ukraine, the context has changed considerably.

While we continue to assess the overall level of technical threat resulting from Russia’s actions, we need to be realistic regarding how Russia may respond. Russian law already contains legal obligations on companies to assist the Russian Federal Security Service (FSB), and the pressure to do so may increase in a time of war. We also have hacktivists on each side, further complicating matters, so the overall risk has materially changed.

We have no evidence that the Russian state intends to suborn Russian commercial products and services to cause damage to UK interests, but the absence of evidence is not evidence of absence. The war has proven many widely-held beliefs wrong and the situation remains highly unpredictable. In our view, it would be prudent to plan for the possibility that this could happen. In times of such uncertainty, the best approach is to make sure your systems are as resilient as you can reasonably make them.

If you use Russian-nexus products and services

Back in 2017, we said supply chain security was really hard, and that just looking at a flag isn't normally enough. That's still true, but given the situation, we're advising certain organisations to specifically consider the risk of Russian-controlled parts of their supply chain as part of their overall business risk management.

The following organisations should reconsider their risk:

  • public sector organisations that weren't covered by our 2017 guidance
  • organisations providing services to Ukraine
  • high-profile organisations (that is, organisations that - if compromised - could represent a PR 'win' for Russia)
  • organisations providing services related to critical national infrastructure
  • organisations or individuals doing work that could be seen as being counter to the Russian State's interests, making them retaliatory targets.

We can’t provide generic advice on how to evaluate risk, since it will be different for all organisations. Each will have to evaluate the potential damage to their enterprise if Russian-nexus products and services are suborned, but it would be prudent to err on the side of caution, for example:

  • if you are more likely to be a target for the Russian state because of what’s going on, then it would be prudent to consider your reliance on all types of Russian technology products or services (including, but not limited to, cloud-enabled products such as AV)
  • if you use services that are provided out of Russia (including development and support services), then you should think about how you could insulate yourself from compromise or misuse of these services. This is true whether you contract directly with a Russian entity, or it just so happens that the people who work for a non-Russian company are located in Russia.

You may choose to remove Russian products and services proactively, wait until your contract expires (or your next tech refresh), or do it in response to some geopolitical event. Alternatively, you may choose to live with the risk. Whatever you choose, remember that cybersecurity, even in a time of global unrest, remains a balance of different risks. Rushing to change a product that's deeply embedded in your enterprise could end up causing the very damage you're trying to prevent.

Regardless of whether you’re a likely target, ongoing global sanctions could mean that Russian technology services (and support for products) may have to be stopped at a moment’s notice. This would bring a new set of risks. Enterprises should consider how such an event would affect their resilience, and consider plans for mitigation.

Individuals using Kaspersky AV

We've had enquiries from people worried about their home IT. It almost certainly remains the case that nearly all individuals in the UK (and many enterprises) are not going to be targeted by Russian cyber attack, regardless of whether they use Russian products and services.

If your personal laptop uses Kaspersky AV (or other products):

  • it's highly unlikely to be directly targeted
  • it’s safe to turn on and use at the moment.

However, you may need to move to a new AV product if Kaspersky itself becomes subject to sanctions, since the AV product would likely stop getting updates (and AV software is only effective if it's updated regularly).

NCSC recommendations

This conflict has changed the world order, and the increased risk and uncertainty aren't going away any time soon. However, the best thing to do is to make plans, ensure your systems are as resilient as practical and have good recovery plans.

We strongly recommend that:

And obviously, if the situation or our understanding warrants it, we’ll update our guidance and keep you posted.

Ian Levy – technical director, National Cybersecurity Centre

Additional resources

ACCA Cybersecurity Hub

ACCA AML guidance on Russia sanctions