Air Strikes in Syria likely to result in Russian retaliation
Attack Vector: Hack & Data Leaks/Phishing/DDoS/Website Defacement
Threat Actor: Russian & Iranian APT actors
Summary: On the morning of Saturday 14th April 2018, the US, UK and France launched a number of air and missile strikes against suspected Syrian chemical weapon production sites at Mayssaf near the city of Homs, and Barzeh on the outskirts of Damascus. It is reported that the airstrikes were successful, resulting in no fatalities and only a handful of minor injuries. The attacks were launched in response to the 7th April chemical weapons incident in Dhouma, Eastern Ghouta, which has been laid at the door of the Assad regime by Western politicians. Prime Minister Theresa May stated that UK support for the action was also a consequence of the alleged Novichok attack on Sergei Skripal on 4th March 2018 in Salisbury. Despite the limited nature of Western action, Russia has reacted angrily and has vowed there will be as yet unspecified consequences.
Risk assessment summary: It continues to be assessed that Russian state-sponsored actors and allied groups present a 2a HIGH threat to a number of sectors including health, telecoms, government, defence, energy and finance. Organisations outside these sectors may also be targeted or become “collateral damage” in any campaign of service disruptive attacks.
Recent reconnaissance activity by Russian actors is entirely consistent with earlier threat intelligence reports, which suggested that the ongoing crisis that began with the Skripal poisoning would directly impact the cyber threat environment.
Rhetoric by senior Russian actors such as Sergei Lavrov, who have promised retaliation, should not be considered idle threats. Whilst direct military conflict between Russia, the UK and the US has been avoided for the time being, the situation remains highly tense, and Moscow may consider cyber-attacks one way of responding to the Syrian air strikes without risking further military escalation. There is also a strong possibility that non-state actors such as hacktivist groups or “patriotic hackers” will become active in response to the situation, which will complicate attribution.
System administrators are therefore advised to remain highly vigilant over the short to medium term and to be aware that DDoS attacks, website defacement, and hacks and data leaks may be a growing threat in addition to ongoing APT activity. Monitoring of the threat environment will continue in order to identify further actionable intelligence.