Cyberattacks have been front and center in the Ukraine crisis: the country is fighting Russia with conventional forces while its critical infrastructure is repeatedly attacked, purportedly by hackers working for its next-door adversary.
These attacks have hit government websites, infrastructure and more with DDoS attacks and destructive malware. Cybersecurity firm Symantec has a detailed writeup of the latter, describing a new disk-wiping malware that has targeted organizations in finance, defense, aviation and IT services.
Now, U.S. agencies and cybersecurity experts say those Russian cyberthreats against Ukraine may well spread elsewhere in Europe or to the U.S. if retaliatory sanctions and other non-military actions provoke a response. There are no specific threats, but officials and experts are issuing warnings nonetheless.
IT and security personnel, especially at critical infrastructure organizations (IT, healthcare, transportation, financial services, energy, defense, water and the other sectors defined by the U.S. government), should take these steps immediately.
- Scrutinize information. CISA is warning critical infrastructure organizations to be wary of misinformation, disinformation and malinformation (MDM), which can be used to compromise specific sectors and to set up social engineering attacks against sensitive accounts.
- Accelerate security projects now. The Krebs Stamos Group, headed by former CISA Director Chris Krebs, recommends switching from long-term goals to short-term priorities. Security projects such as multifactor authentication (MFA) should be accelerated by adding resources and removing bureaucratic barriers.
- Ensure systems are up to date. CISA maintains a catalog of vulnerabilities known to be actively exploited (the Known Exploited Vulnerabilities, or KEV, catalog), and it continues to grow. Many of the entries are several years old, which underlines the importance of applying security patches as soon as they are available: attackers do not need a zero-day while old, unpatched flaws remain exposed.
- Conduct vulnerability scans. CISA says a handful of vulnerabilities are routinely leveraged by Russian state-sponsored hackers, so scan for those specifically and prioritize their patches, starting with internet-facing systems such as VPN gateways and mail servers, which feature heavily on that list.
- Deploy antivirus/antimalware solutions. Confirm that every endpoint and server in the organization's IT environment is covered by antivirus/antimalware tools and that their signatures are current; a gap in coverage is where destructive malware is most likely to run undetected.
- Develop and test an incident response plan. Identify the key stakeholders and the IT/security personnel responsible for responding to a cybersecurity incident, and exercise the plan with tabletop exercises and simulated incidents (alongside penetration tests) so that roles and communications work before they are needed.
- Ensure your backups are secure and operational. There have been reports that ransomware is accompanying the destructive malware used on Ukrainian systems, and the notorious Russia-based ransomware group Conti has reportedly pledged to support the Russian government and retaliate in the event of a cyberattack against Russia. Keep at least one backup copy offline or otherwise unreachable from the production network, and test restores, so that a wiper or ransomware attack cannot take the backups along with the systems.
- Implement log collection and retention. CISA and other agencies recommend tools such as Microsoft Sentinel, CISA's Sparrow, Hawk or CrowdStrike's Azure Reporting Tool (CRT) for collecting and reviewing logs from Microsoft 365 and Azure AD environments. Whatever the tooling, retain logs long enough to reconstruct an intrusion that began weeks earlier.
- Prioritize protection of critical systems. Among CISA's recommendations for the current period is identifying the business systems that are critical to operational continuity and prioritizing their protection. Test those systems, including failover, to ensure they remain available in the event of a cyberattack.
- Train all staff. It is no longer just IT's job to be aware of cybersecurity threats. Conduct hands-on training on the obvious signs of a hacking attempt, run phishing tests and share recent cybersecurity news with staff.
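The two patching items above (keeping systems current against CISA's actively-exploited list, and scanning for and prioritizing the flaws Russian actors favor) reduce to one recurring chore: cross-referencing what a vulnerability scanner reports against the catalog and fixing the overdue, long-listed entries first. The Python below is an added example, not code from the article, from CISA or from any vendor; it uses the field names of CISA's KEV JSON feed, but the catalog excerpt, the scan findings and the CVE IDs in it are constructed placeholders.

```python
import json
from datetime import date, datetime

# Constructed catalog excerpt in the layout of CISA's KEV JSON feed (cveID,
# vendorProject, product, vulnerabilityName, dateAdded, shortDescription,
# requiredAction, dueDate). Entries and CVE IDs are placeholders, not real.
KEV_JSON = """{
  "title": "Constructed sample in KEV layout",
  "vulnerabilities": [
    {"cveID": "CVE-2019-TEST1", "vendorProject": "ExampleVPN", "product": "Gateway",
     "vulnerabilityName": "Path traversal", "dateAdded": "2021-11-03",
     "shortDescription": "placeholder",
     "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2022-05-03"},
    {"cveID": "CVE-2020-TEST2", "vendorProject": "ExampleMail", "product": "Server",
     "vulnerabilityName": "Remote code execution", "dateAdded": "2021-11-03",
     "shortDescription": "placeholder",
     "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2021-11-17"},
    {"cveID": "CVE-2021-TEST3", "vendorProject": "ExampleWeb", "product": "Portal",
     "vulnerabilityName": "Authentication bypass", "dateAdded": "2022-02-10",
     "shortDescription": "placeholder",
     "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2022-02-24"}
  ]
}"""

# Constructed scanner export: one row per (host, CVE) finding.
SCAN_FINDINGS = [
    {"host": "vpn-01", "cve": "CVE-2019-TEST1"},
    {"host": "mail-01", "cve": "CVE-2020-TEST2"},
    {"host": "web-03", "cve": "CVE-2021-TEST3"},
    {"host": "web-03", "cve": "CVE-2022-TEST4"},  # not in the catalog
]


def parse_kev(text):
    """Index a KEV-format JSON document by CVE ID."""
    return {v["cveID"]: v for v in json.loads(text)["vulnerabilities"]}


def _day(s):
    return datetime.strptime(s, "%Y-%m-%d").date()


def prioritize(findings, kev, today):
    """Order findings for patching: catalog hits first (earliest due date,
    then longest time on the catalog), everything else afterwards."""
    rows = []
    for f in findings:
        entry = kev.get(f["cve"])
        if entry is None:
            rows.append({**f, "on_kev": False, "due": None,
                         "overdue": False, "days_listed": None})
            continue
        due = _day(entry["dueDate"])
        rows.append({**f, "on_kev": True, "due": due, "overdue": due < today,
                     "days_listed": (today - _day(entry["dateAdded"])).days,
                     "action": entry["requiredAction"]})
    rows.sort(key=lambda r: (not r["on_kev"],
                             r["due"] or date.max,
                             -(r["days_listed"] or 0)))
    return rows


def overdue_count(rows):
    """Number of findings whose catalog due date has already passed."""
    return sum(1 for r in rows if r["overdue"])


def rank_sample(today_str="2022-02-25"):
    """Run the constructed sample as of a given date (default: late Feb 2022)."""
    return prioritize(SCAN_FINDINGS, parse_kev(KEV_JSON), _day(today_str))


if __name__ == "__main__":
    ranked = rank_sample()
    for r in ranked:
        print(f'{r["host"]:8} {r["cve"]:16} {"KEV" if r["on_kev"] else "-":4}'
              f' due={r["due"]} {"OVERDUE" if r["overdue"] else ""}')
    print("overdue:", overdue_count(ranked))
```

Against the real feed, replace `KEV_JSON` with the downloaded catalog and `SCAN_FINDINGS` with the scanner's export; the sort puts overdue catalog entries at the top, then the remaining catalog entries by due date, and leaves non-catalog findings for the normal patch cycle.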
For more information on potential attacks, we recommend visiting CISA's website. For details on specific attacks, follow Sophos's ongoing blog coverage and the Twitter thread below from the cybersecurity firm.
Sophos principal research scientist @chetwisniewski reviews the history of known or suspected Russian state activities in the cyber realm to assess what types of activities to expect and how organizations can be prepared.
— Sophos (@Sophos) February 23, 2022