As the world waits to see what unfolds in Ukraine, cybersecurity professionals are urging western governments and organizations to be prepared for serious cyberattacks coming from Russia and its allies.
These warnings come from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) as well as private sector cybersecurity software providers like Mandiant that have raised awareness of the possibility of large-scale cyberattacks from Moscow.
According to news reports, Russia has amassed over 100,000 troops near the Ukrainian border and could be preparing to invade its neighbor. While military action has yet to unfold, Ukraine has already suffered cyberattacks in recent weeks, including a malware campaign masquerading as ransomware and DDoS attacks that temporarily knocked some government and banking websites offline.
As high-level discussions between Russia and the west continue, cybersecurity experts say organizations should expect to see more cyberattacks.
In a blog post, Sandra Joyce, executive vice president and head of global intelligence at Mandiant, says Russia’s history of aggressive cyberattacks warrants concern. She cites Russia’s cyberattacks against Ukraine’s critical infrastructure and other attacks against Europe and the U.S.
If the West responds to an armed conflict with Ukraine, the risk of Russia conducting cyberattacks will increase, Joyce writes. These potential attacks may manifest as supply chain compromises designed to gain access to multiple networks simultaneously, similar to the SolarWinds Orion compromise.
“Many of the same steps defenders might take to harden their networks against ransomware crime will serve to prepare them for a determined state actor, if they take them now,” Joyce writes.
Despite those potential threats, Joyce cautions against panic, saying that the real target of cyberattacks is our perceptions.
“The purpose of these cyberattacks is not simply to wipe hard drives or turn out the lights, but to frighten those who cannot help but notice,” Joyce writes. “The audience of these attacks is broad, but it is also empowered to determine how effective they are. While these incidents can be quite serious for many, we must remain mindful of their limitations. We only do the adversary a service by overestimating their reach.”
Meanwhile, cybersecurity giant CrowdStrike says in a blog that while cyberattacks against Russia’s adversaries during this crisis can’t be discounted, they are unlikely due to the potential for global escalation.
“However, the incidental targeting of international businesses operating within Ukraine may be used by Russian-nexus adversaries to dissuade business operations and investment and destabilize the local economy,” the company said.
With Mandiant, CrowdStrike and several other high-profile cybersecurity providers advising customers to harden their networks, CISA issued an advisory this week urging U.S. organizations to take steps now to harden their networks. The advisory includes several recommendations for preparing for a cyberattack and responding to one, as well as other CISA resources, including its catalog of known exploited vulnerabilities.
Here are CISA’s recommendations, in their entirety:
Reduce the likelihood of a damaging cyber intrusion
- Validate that all remote access to the organization’s network and privileged or administrative access requires multi-factor authentication.
- Ensure that software is up to date, prioritizing updates that address known exploited vulnerabilities identified by CISA.
- Confirm that the organization’s IT personnel have disabled all ports and protocols that are not essential for business purposes.
- If the organization is using cloud services, ensure that IT personnel have reviewed and implemented strong controls outlined in CISA’s guidance.
- Sign up for CISA’s free cyber hygiene services, including vulnerability scanning, to help reduce exposure to threats.
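As an added example (not from the article, CISA or Mandiant), the following Python script shows one way to act on the second recommendation above: rank the CVEs a vulnerability scanner reports on a host so that anything listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog is patched first, ordered by the catalog’s due date. The feed snippet and scanner findings are constructed; the field names (`cveID`, `vendorProject`, `product`, `dueDate`) are assumed to follow the real feed’s JSON layout, and every CVE ID is a placeholder.

```python
"""Added example: prioritise patching by membership in CISA's KEV catalog."""
import json
from datetime import date

# Constructed stand-in for the KEV catalog feed. The real feed is JSON with a
# top-level "vulnerabilities" list; the field names used here are assumed to
# match that feed, but every CVE ID, product and date below is made up.
KEV_FEED = json.dumps({
    "title": "constructed KEV sample",
    "vulnerabilities": [
        {"cveID": "CVE-0000-1001", "vendorProject": "ExampleVendor",
         "product": "VPN Gateway", "dueDate": "2022-03-01"},
        {"cveID": "CVE-0000-1002", "vendorProject": "ExampleVendor",
         "product": "Mail Server", "dueDate": "2022-02-15"},
    ],
})

# Constructed scanner output for one host: CVE IDs as a scanner might emit
# them, with inconsistent case and a duplicate.
SCAN_FINDINGS = ["cve-0000-1002", "CVE-0000-2001", "CVE-0000-1001", "CVE-0000-1002"]


def load_kev(feed_json):
    """Map upper-cased CVE ID -> KEV entry for every vulnerability in the feed."""
    catalog = json.loads(feed_json)
    return {entry["cveID"].upper(): entry for entry in catalog["vulnerabilities"]}


def prioritise(findings, kev):
    """Return (kev_hits, others): KEV-listed CVEs sorted by earliest due date,
    then the remaining CVEs sorted alphabetically. Duplicates are collapsed."""
    unique = {cve.upper() for cve in findings}
    hits = sorted((c for c in unique if c in kev),
                  key=lambda c: date.fromisoformat(kev[c]["dueDate"]))
    others = sorted(c for c in unique if c not in kev)
    return hits, others


if __name__ == "__main__":
    kev = load_kev(KEV_FEED)
    hits, others = prioritise(SCAN_FINDINGS, kev)
    for cve in hits:
        e = kev[cve]
        print(f"PATCH FIRST {cve} ({e['vendorProject']} {e['product']}, KEV due {e['dueDate']})")
    for cve in others:
        print(f"schedule    {cve}")
```

In practice the feed would be fetched from CISA and the findings taken from the organization’s own scanner export; only the two functions need to stay the same.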
Take steps to quickly detect a potential intrusion
- Ensure that cybersecurity/IT personnel are focused on identifying and quickly assessing any unexpected or unusual network behavior. Enable logging in order to better investigate issues or events.
- Confirm that the organization’s entire network is protected by antivirus/antimalware software and that signatures in these tools are updated.
- If working with Ukrainian organizations, take extra care to monitor, inspect, and isolate traffic from those organizations; closely review access controls for that traffic.
Ensure that the organization is prepared to respond if an intrusion occurs
- Designate a crisis-response team with main points of contact for a suspected cybersecurity incident and roles/responsibilities within the organization, including technology, communications, legal and business continuity.
- Assure availability of key personnel; identify means to provide surge support for responding to an incident.
- Conduct a tabletop exercise to ensure that all participants understand their roles during an incident.
Maximize the organization’s resilience to a destructive cyber incident
- Test backup procedures to ensure that critical data can be rapidly restored if the organization is impacted by ransomware or a destructive cyberattack; ensure that backups are isolated from network connections.
- If using industrial control systems or operational technology, conduct a test of manual controls to ensure that critical functions remain operable if the organization’s network is unavailable or untrusted.