Russian Invasion of Ukraine Could Mean Increase in Cyberattacks
— March 1st, 2022
Since Vladimir Putin invaded Ukraine, there have been widespread global warnings of an increase in Russian cyberattacks.
Such warnings are not without precedent. In fact, cybercriminals’ ties to Russia have been linked to so many high-profile incidents that the phrase “Russian hacker(s)” has nearly overtaken the unqualified “hacker” in common vernacular.
“Some of the biggest cyberattacks against US infrastructure in the past two years have been linked to suspected Russian hackers.
The list includes the SolarWinds hack that infiltrated several government agencies in 2020, the ransomware attack that forced a shutdown of one of America's largest fuel pipelines for several days last year and another attack on one of the world's largest meat producers, JBS,” CNN reported.
Even as the Russian military offensive into Ukraine gathered momentum, researchers identified scores of computers across multiple organizations infected with a new data-wiper malware known as HermeticWiper, appearing within hours of Ukrainian government and financial websites being crippled by distributed denial-of-service (DDoS) attacks.
HermeticWiper has been linked to Russia’s Sandworm group, an alleged unit of Russia’s military cyber forces, and DDoS attacks are a known Russian tactic, used in the Georgia and Crimea incursions of 2008 and 2014, respectively, according to Silicon Republic.
US Cybersecurity and Infrastructure Security Agency (CISA) recommends “Shields Up” in its article of the same name: “While there are no specific or credible cyber threats to the U.S. homeland at this time, we are mindful of the potential for Russia’s destabilizing actions to impact organizations both within and beyond the region, particularly in the wake of sanctions imposed by the United States and our Allies. Every organization—large and small—must be prepared to respond to disruptive cyber activity.”
The CISA article goes on to recommend that organizations of all sizes adopt a vigilant cybersecurity posture and provides a list of recommended actions that companies can take to protect their most critical assets (the following is extracted from “Shields Up”):
Reduce the likelihood of a damaging cyber intrusion
- Validate that all remote access to the organization’s network and privileged or administrative access requires multi-factor authentication.
- Ensure that software is up to date, prioritizing updates that address known exploited vulnerabilities identified by CISA.
- Confirm that the organization’s IT personnel have disabled all ports and protocols that are not essential for business purposes.
- If the organization is using cloud services, ensure that IT personnel have reviewed and implemented strong controls outlined in CISA's guidance.
- Sign up for CISA's free cyber hygiene services, including vulnerability scanning, to help reduce exposure to threats.
Take steps to quickly detect a potential intrusion
- Ensure that cybersecurity/IT personnel are focused on identifying and quickly assessing any unexpected or unusual network behavior. Enable logging in order to better investigate issues or events.
- Confirm that the organization's entire network is protected by antivirus/antimalware software and that signatures in these tools are updated.
- If working with Ukrainian organizations, take extra care to monitor, inspect, and isolate traffic from those organizations; closely review access controls for that traffic.
Ensure that the organization is prepared to respond if an intrusion occurs
- Designate a crisis-response team with main points of contact for a suspected cybersecurity incident and roles/responsibilities within the organization, including technology, communications, legal and business continuity.
- Assure availability of key personnel; identify means to provide surge support for responding to an incident.
- Conduct a tabletop exercise to ensure that all participants understand their roles during an incident.
Maximize the organization's resilience to a destructive cyber incident
- Test backup procedures to ensure that critical data can be rapidly restored if the organization is impacted by ransomware or a destructive cyberattack; ensure that backups are isolated from network connections.
- If using industrial control systems or operational technology, conduct a test of manual controls to ensure that critical functions remain operable if the organization’s network is unavailable or untrusted.
By implementing the steps above, all organizations can make near-term progress toward improving cybersecurity and resilience. In addition, while recent cyber incidents have not been attributed to specific actors, CISA urges cybersecurity/IT personnel at every organization to review “Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure.”
CISA also recommends organizations visit StopRansomware.gov, a centralized, whole-of-government webpage providing ransomware resources and alerts.
Acknowledging the important role corporate leaders play in establishing a stronger security posture, CISA urges all senior leaders, including CEOs, to take the following steps (extracted from “Shields Up”):
- Empower Chief Information Security Officers (CISO): In nearly every organization, security improvements are weighed against cost and operational risks to the business. In this heightened threat environment, senior management should empower CISOs by including them in the decision-making process for risk to the company and ensure that the entire organization understands that security investments are a top priority in the immediate term.
- Lower Reporting Thresholds: Every organization should have documented thresholds for reporting potential cyber incidents to senior management and to the U.S. government. In this heightened threat environment, these thresholds should be significantly lower than normal. Senior management should establish an expectation that any indications of malicious cyber activity, even if blocked by security controls, should be reported, as noted in the Shields-Up website, to CISA or the FBI. Lowering thresholds will ensure we are able to immediately identify an issue and help protect against further attack or victims.
- Participate in a Test of Response Plans: Cyber incident response plans should include not only your security and IT teams, but also senior business leadership and Board members. If you’ve not already done so, senior management should participate in a tabletop exercise to ensure familiarity with how your organization will manage a major cyber incident, not only for your company but also for companies within your supply chain.
- Focus on Continuity: Recognizing finite resources, investments in security and resilience should be focused on those systems supporting critical business functions. Senior management should ensure that such systems have been identified and that continuity tests have been conducted to ensure that critical business functions can remain available subsequent to a cyber intrusion.
- Plan for the Worst: Senior management should ensure that exigent measures can be taken to protect your organization’s most critical assets in case of an intrusion, including disconnecting high-impact parts of the network if necessary.