The world is watching closely as Russia’s invasion of Ukraine evolves with each passing day. The conflict, combined with the geopolitical tensions prompted by the disapproving responses from NATO, the United States and many other countries, has made organizations within those countries high-value targets of offensive cyber attacks by Russia and associated nation-state actors.
The U.S., European Union, United Kingdom and other allies and partners have announced multiple waves of financial and other business sanctions against Russia in response to the invasion of Ukraine. In a largely coordinated and complementary effort, despite somewhat differing approaches, these sanctions include both symbolic actions unlikely to deter Russia as well as more extreme actions aimed at imposing immediate disruption on the Russian economy. Exacerbating the conflict, many major U.S.-based companies, along with companies around the world, have recently discontinued all business operations in Russia, expressing their disapproval of the Russian actions.
Russia has threatened a “painful” response, and we fully expect the country and its associated nations to escalate offensive cyber threat activity, which may increase the number and severity of cyber attacks intended to disrupt the government, business and critical infrastructure of any country issuing sanctions or any business discontinuing operations.
In this post, we outline recommendations and materials for any enterprise to consider when increasing their cyber threat protection, cyber incident response and enterprise resilience.
Cybersecurity is a priority
As part of the invasion, Ukrainian computer networks have been hit with a data-wiping malware program. Several Ukrainian government and banking websites have been targeted with distributed-denial-of-service attacks, reportedly to distract the public and government cybersecurity workers and hamstring Ukrainian communications. As a countermeasure, Ukraine has called for “digital talents” to create “an IT army” of hackers to hit Russian targets.
As Ukrainian systems are targeted, critical infrastructure and businesses around the world are also at risk. The malware affecting Ukraine’s systems could spread beyond its intended targets, adding to the risk of increased ransomware and destructive attacks elsewhere.
Historically, Russian state-sponsored advanced-persistent-threat (APT) actors have used sophisticated cyber capabilities to target a variety of U.S. and international critical infrastructure organizations, including those in the defense industrial base as well as the healthcare and public health, energy, telecommunications, and government facilities sectors.
On the cyber front, it would be a mistake to focus exclusively on cyber activity coming out of Russia. Ukraine and the West must recognize that the proxy web is central to the Kremlin’s cyber strategy and operations, and so is the Russian government’s deployment of hackers based abroad. As deniability is important to the Kremlin, the West should consider focusing its intelligence forces on identifying Russian proxies operating in cyberspace when assessing and preparing for Russian state cyber threats.
It is unlikely that Putin will take the hits from the SWIFT sanctions and the potential actions against Russia’s Central Bank without responding with reprisals. These sanctions have increased the likelihood of cyberattacks, which could widen the Russian invasion of Ukraine into a much broader conflict. NATO Secretary General Jens Stoltenberg has warned Russia that a serious cyberattack could trigger Article 5 of NATO’s founding treaty, in which “an attack against one ally is treated as an attack against all.” Businesses and governmental agencies responsible for critical infrastructure and high-profile targets should ensure they are adequately prepared with best practice prevention, detection and incident response measures to deal with Russian advanced persistent threats.
The 10 steps to take now to avert a Russian cyber attack
- Address Assumptions: Assume sophisticated cyber attackers are already inside your environment and are positioned to disrupt businesses at any time. Additionally, leverage credible cyber threat intelligence to determine if your organization would typically be targeted by Russian adversaries and for what reasons.
- Rally Communications: Ensure all relevant cyber and resilience teams are on high alert. This includes providing notice to corporate communications, legal, senior leadership and key third parties that everyone should be prepared to act as well as alerting employees to remain vigilant, especially for phishing and other social engineering attacks.
- Confirm Restoration: Take any immediate steps available to confirm key restoration and recovery activities, including a review of the completeness and integrity of key backups and ensuring recovery processes are accurate, known to all necessary parties and ready for action.
- Review Third-Party Engagement: Review existing agreements with key third parties, such as forensics and response partners, law firms and insurers.
- Stay Informed: Stay current on latest news. Leverage existing threat intelligence and information sharing sources as much as possible (e.g., CISA’s “Shields Up” site, industry ISACs, Microsoft, etc.). Additional resource links are shared at the end of this post.
- Reinforce and Secure Environments: Reinforce key controls and secure high-risk areas. This includes a review of current patching levels (and likely short-term increase in scanning frequency), validation of your Internet-facing attack surface, and ensuring MFA and other dual-path access verification controls are active and appropriately configured.
- Evaluate Capabilities: Test, simulate and confirm all crisis management and incident response capabilities. Crisis management extends beyond incident response and includes confirming all key personnel understand their role.
- Review Current Recovery Playbooks: Perform a comprehensive review of existing continuity and recovery plans to confirm they are complete and up to date. Specific focus should be given to internal and external resource availability, dependencies on key third parties that provide business services, and communication protocols for external stakeholders (e.g., employees, regulators, customers).
- Assess Technologies: Increase focus on and revisit all technologies supporting any hybrid workforce. Confirm all remote or external access points are hardened and covered with current versions of end-point detection technologies.
- Set Expectations: Set – or reset – expectations with senior leaders and board members on the potential for disruption of services due to a cyber attack, and the current steps taken to manage those risks.
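The “Confirm Restoration” step above calls for checking the completeness and integrity of key backups. The following added example (not code from the original post) shows one way to do that: record a SHA-256 manifest of a backup set, store it apart from the backups, and later diff the live backup set against it so that deleted, overwritten or unexpected files surface before a restore is attempted. The backup files, paths and manifest location are constructed for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backup archives do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir: Path, manifest_path: Path) -> dict:
    """Record the hash of every file under backup_dir; keep the manifest offline or immutable."""
    manifest = {str(p.relative_to(backup_dir)): sha256_file(p)
                for p in sorted(backup_dir.rglob("*")) if p.is_file()}
    manifest_path.write_text(json.dumps(manifest, indent=1))
    return manifest


def verify_backup(backup_dir: Path, manifest: dict) -> dict:
    """Compare the current backup set against the manifest: missing, modified and unexpected files."""
    present = {str(p.relative_to(backup_dir)): p for p in backup_dir.rglob("*") if p.is_file()}
    missing = sorted(set(manifest) - set(present))
    unexpected = sorted(set(present) - set(manifest))
    modified = sorted(n for n in manifest if n in present and sha256_file(present[n]) != manifest[n])
    return {"ok": not (missing or modified or unexpected),
            "missing": missing, "modified": modified, "unexpected": unexpected}


def demo() -> dict:
    """Constructed sample: a three-file backup set, then a simulated wipe of one file and deletion of another."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        bdir = root / "backup"
        (bdir / "configs").mkdir(parents=True)
        (bdir / "db.dump").write_bytes(b"CREATE TABLE accounts (id INT);")
        (bdir / "configs" / "app.yaml").write_text("mfa: enforced\n")
        (bdir / "keys.tar").write_bytes(b"\x00" * 1024)
        manifest = write_manifest(bdir, root / "manifest.json")  # manifest kept outside the backup tree
        clean = verify_backup(bdir, manifest)
        (bdir / "db.dump").write_bytes(b"\x00" * 25)  # simulate a wiper overwriting the dump
        (bdir / "keys.tar").unlink()                  # simulate a deleted backup file
        tampered = verify_backup(bdir, manifest)
        return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run the verification from a host that the production environment cannot write to; a manifest stored next to the backups is only as trustworthy as the backups themselves.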
While the actions outlined above help manage risks around the current situation with Russia, forward-looking companies should consider these actions a long-term investment against extreme events in an increasingly volatile world – environmental, pandemic, cyber or otherwise. Furthermore, diligent organizations need to ensure their current strategies position their cyber programs to better repel adversaries, increase detection and response agility and expand existing resilience capabilities. Proper funding, leadership and vision are all key to ensuring your cyber program is both business- and threat-aligned and ready to face the challenges that lie ahead.
Additional resources: Recent CISA recommendations
President Biden has designated the Department of Homeland Security (DHS) as the lead federal agency to coordinate domestic preparedness and response efforts related to the current Russia-Ukraine crisis. DHS is taking appropriate steps to ensure federal efforts are coordinated should the need arise for specific threats. The Cybersecurity and Infrastructure Security Agency is available to help organizations prepare for, respond to and mitigate cyber attacks.
Below are links to several recent CISA resources:
- The Cybersecurity and Infrastructure Security Agency’s “Shields Up” webpage provides information on how to improve cybersecurity and protect critical assets, along with immediate recommendations of cyber attack prevention actions for all U.S. businesses. Given the increased number of people working in hybrid arrangements, these recommendations and actions should be extended to all U.S. and global entities.
- This recent CISA insight, titled Preparing for and Mitigating Foreign Influence Operations Targeting Critical Infrastructure, offers a solid checklist of cybersecurity threat management and data protection actions.
- CISA Insights: Implement Cybersecurity Measures Now to Protect Against Potential Critical Threats from January 2022.
- A recently published alert, Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure | CISA, details which product vulnerabilities Russian actors are known to exploit, along with their attack vectors, capabilities and approaches.
For more information on recent and historical Russian state-sponsored malicious cyber activity, see the referenced products below or go to cisa.gov/Russia.
- Joint FBI-DHS-CISA CSA Russian Foreign Intelligence Service (SVR) Cyber Operations: Trends and Best Practices for Network Defenders
- Joint NSA-FBI-CISA CSA Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments
- Joint FBI-CISA CSA Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets
- Joint CISA-FBI CSA APT Actors Chaining Vulnerabilities against SLTT, Critical Infrastructure, and Elections Organizations
- CISA’s webpage Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise
- CISA Alert Russian Government Cyber Activity Targeting Energy Sector and Other Critical Infrastructure Sectors
- CISA ICS Alert: Cyber-Attack Against Ukrainian Critical Infrastructure
Nick Puetz, Andrew Retrum, Perry Keating and Tricia Callahan also contributed to this post.