10 Steps to Take Now to Guard Against Russian Cyber Attacks

The world is watching closely as Russia’s invasion of Ukraine evolves with each passing day. The conflict, combined with geopolitical tensions prompted by the disapproving responses from NATO, the United States and many other countries, have made organizations within those countries high targets of offensive Russian and associated nation state cybersecurity attacks.

The U.S., European Union, United Kingdom and other allies and partners have announced multiple waves of financial and other business sanctions against Russia in response to the invasion of Ukraine. In a largely coordinated and complementary effort, despite somewhat differing approaches, these sanctions include both symbolic actions unlikely to deter Russia as well as more extreme actions aimed at imposing immediate disruption on the Russian economy. Exacerbating the conflict, many major U.S.-based companies, along with companies around the world, have recently discontinued all business operations in Russia, expressing their disapproval of the Russian actions.

Russia has threatened a “painful” response and we fully expect the country and its associated nations to escalate offensive cybersecurity threat actions, which may increase the number and severity of cyber attacks intended to disrupt government, business and critical infrastructures of any country issuing sanctions or businesses discontinuing operations.

In this post, we outline recommendations and materials for any enterprise to consider when increasing their cyber threat protection, cyber incident response and enterprise resilience.

Cybersecurity is a priority

As part of the invasion, Ukrainian computer networks have been hit with a data-wiping malware program as Russia invades. Several Ukraine government and banking websites have been targeted with distributed-denial-of-service attacks, reportedly to distract the public and government cybersecurity workers and hamstring Ukrainian communications. As a countermeasure, Ukraine has called for “digital talents” to create “an IT army” of hackers to hit Russian targets.

As Ukrainian systems are targeted, critical infrastructure and businesses around the world are at risk. The malware affecting Ukraine’s systems could spread, adding risk of increased ransomware attacks.

Historically, Russian state-sponsored advanced-persistent-threat (APT) actors have used sophisticated cyber capabilities to target a variety of U.S. and international critical infrastructure organizations, including those in the defense industrial base as well as the healthcare and public health, energy, telecommunications, and government facilities sectors.

On the cyber front, it would be a mistake to focus exclusively on cyber activity coming out of Russia. Ukraine and the West must recognize that the proxy web is central to the Kremlin’s cyber strategy and operations, and so is the Russian government’s deployment of hackers based abroad. As deniability is important to the Kremlin, the West should consider focusing its intelligence forces on identifying Russian proxies operating in cyberspace when assessing and preparing for Russian state cyber threats.

It is unlikely that Putin will take the hits from the SWIFT sanctions and the potential actions against Russia’s Central Bank without responding with reprisals. These sanctions have increased the likelihood of cyberattacks, which could widen the Russian invasion of Ukraine into a much broader conflict. NATO Secretary General Jens Stoltenberg has warned Russia that a serious cyberattack could trigger Article 5 of NATO’s founding treaty, in which “an attack against one ally is treated as an attack against all.” Businesses and governmental agencies responsible for critical infrastructure and high-profile targets should ensure they are adequately prepared with best practice prevention, detection and incident response measures to deal with Russian advanced persistent threats.

The 10 steps to take now to avert a Russian cyber attack

Do Now:

  1. Address Assumptions: Assume sophisticated cyber attackers are already inside your environment and are positioned to disrupt businesses at any time. Additionally, leverage credible cyber threat intelligence to determine if your organization would typically be targeted by Russian adversaries and for what reasons.
  2. Rally Communications: Ensure all relevant cyber and resilience teams are on high alert. This includes providing notice to corporate communications, legal, senior leadership and key third parties that everyone should be prepared to act as well as alerting employees to remain vigilant, especially for phishing and other social engineering attacks.
  3. Confirm Restoration: Take any immediate steps available to confirm key restoration and recovery activities, including a review of the completeness and integrity of key backups and ensuring recovery processes are accurate, known to all necessary parties and ready for action.
  4. Review Third-Party Engagement: Review existing agreements with key third parties, such as forensics and response partners, law firms and insurers.
  5. Stay Informed: Stay current on latest news. Leverage existing threat intelligence and information sharing sources as much as possible (e.g., CISA’s “Shields Up” site, industry ISACs, Microsoft, etc.). Additional resource links are shared at the end of this post.

Do Soon:

  1. Reinforce and Secure Environments: Reinforce key controls and secure high-risk areas. This includes a review of current patching levels (and likely short-term increase in scanning frequency), validation of your Internet-facing attack surface, and ensuring MFA and other dual-path access verification controls are active and appropriately configured.
  2. Evaluate Capabilities: Test, simulate and confirm all crisis management and incident response capabilities. Crisis management extends beyond incident response and includes confirming all key personnel understand their role.
  3. Review Current Recovery Playbooks: Perform a comprehensive review of existing continuity and recovery plans to confirm they are complete and up to date. Specific focus should be given to internal and external resource availability, dependencies on key third parties that provide business services, and communication protocols for external stakeholders (e.g., employees, regulators, customers).
  4. Assess Technologies: Increase focus on and revisit all technologies supporting any hybrid workforce. Confirm all remote or external access points are hardened and covered with current versions of end-point detection technologies.
  5. Set Expectations: Set – or reset – expectations with senior leaders and board members on the potential for disruption of services due to a cyber attack, and the current steps taken to manage those risks.

While the actions outlined above help manage risks around the current situation with Russia, forward-looking companies should consider these actions a long-term investment against extreme events occurring in an increasingly volatile world – environmental, pandemic, cyber or otherwise. Furthermore, diligent organizations need to ensure their current strategies position their cyber programs to better repel adversaries, increase detection and response agility and expand existing resilience capabilities. Proper funding, leadership and vision are all key to ensuring your cyber program is both business- and threat-aligned and ready to face the challenges that lay ahead.

Additional resources: Recent CISA recommendations

President Biden has designated the Department of Homeland Security (DHS) as the lead federal agency to coordinate domestic preparedness and response efforts related to the current Russia-Ukraine crisis. DHS is taking appropriate steps to ensure federal efforts are coordinated should the need arise for specific threats. The Cybersecurity and Infrastructure Security Agency is available to help organizations prepare for, respond to and mitigate cyber attacks.

Below are links to several recent CISA resources:

For more information on recent and historical Russian state-sponsored malicious cyber activity, see the referenced products below or go to cisa.gov/Russia.

Nick Puetz, Andrew Retrum, Perry Keating and Tricia Callahan also contributed to this post.

To learn more about our cybersecurity solutions, contact us.

Terry Jost

Managing Director
Security and Privacy

Subscribe to Topics

What is #SyntheticData and how has it been used? Protiviti’s Kim Bozzella provides insight into synthetic data and potential use cases for businesses looking to get the most out of their AI systems. Learn more: https://ow.ly/r5S650Qa59p #ProtivitiTech #AI

More potential customers are seeking cybersecurity partners whose values in the areas of #Diversity, #Equity and #Inclusion (#DEI) correspond with their own. Learn more: https://ow.ly/hIqS50Q91nn #ProtivitiTech

Protiviti’s Joe Marcum and Shy Cohen will join #Microsoft and #Pathlock presenters to talk about “Security, Compliance and Identity - How to Include Risk Management in Your Identity Security Strategy” on Dec. 7 at 11 am CST. Register today: https://ow.ly/Wn7n50Q9YK0 #ProtivitiTech

Protiviti’s Garrett Burnell and Ryan Briscoe will present “Defining, identifying & managing system changes in Oracle Cloud” on Dec. 6, 2023, during the Pathlock Innovation Series. https://ow.ly/ZUgr50Q9CyE #ProtivitiTech #Webinar #Pathlock

Where is #GenAI in business today? Where will it be tomorrow? And how to start incorporating Gen AI into your business now. Learn more in our latest Technology Insights Blog: https://ow.ly/jsXo50Q91cR #ProtivitiTech #TechnologyInsights

Load More