Post Credit: Austin Miller
After a highly controversial week on the Ukrainian-Russian border, it didn't take long for the conflict to spill over into cyberspace. Many of the ransomware families that organizations around the world face on a day-to-day basis are built to check for a CIS-country keyboard layout or system locale (Russian, for example) and quietly exit on machines that have one, so it is probably a surprise to no one that Ukraine and NATO-aligned nations have already started to face cyberattacks.
Whether these are endorsed by the Russian state or not, these cyberattacks have quickly become a worrying sign for many people working in the world of cybersecurity.
Cyberattacks on Ukraine and Russia – what we know so far
In the media storm of the last few days, numerous reports of targeted DDoS attacks have surfaced. While this is obviously concerning for Ukrainian organizations, cybersecurity and IT teams elsewhere should familiarize themselves with the known dangers that they could be facing too.
The first known large-scale cyberattack in the region was a joint takedown of the websites for:
- The Ukrainian Ministries of Foreign Affairs, Defense, and Internal Affairs
- The Ukrainian Security Service
- The Ukrainian Cabinet of Ministers
- The Armed Forces of Ukraine
- Privatbank, the largest bank in Ukraine
- Oschadbank, the State Savings bank
The State Service of Special Communication and Information Protection of Ukraine stated that these were massive DDoS attacks, and the White House attributed them to the GRU, the military intelligence directorate of Russia's General Staff of the Armed Forces.
In apparent retaliation, and from a source that is still unknown, Russia is also experiencing DDoS attacks against:
Although it may be easy to presume that Ukraine is behind these attacks, some commentators have also pointed fingers at the US, a Ukrainian ally such as Germany, Anonymous, or a lone would-be hacktivist (much like P4x in the case of North Korea).
Understanding the CISA advice
In reaction to the conflict on the Ukrainian-Russian border, the US Cybersecurity and Infrastructure Security Agency (CISA) has released two documents to help IT teams harden their defenses.
The US government's position now is that every organization, whatever its size, should be going "shields up". The threat of cyberattacks against essential services is a real concern, and that is why CISA has presented a four-point plan to follow.
Shields Up Guide for All Organizations
- Reduce the likelihood of a damaging cyber intrusion.
Best practices include validating that all remote and privileged access to the network requires multi-factor authentication, reviewing access control lists, patching software (prioritizing known exploited vulnerabilities), and disabling all nonessential ports and protocols.
- Take steps to quickly detect a potential intrusion.
Best practices include directing cybersecurity personnel to identify and assess unexpected or unusual network behavior, ensuring that antivirus/antimalware software is deployed and its signatures are up to date, and taking extra care to monitor, inspect, and isolate traffic from Ukrainian organizations if you work with them.
- Ensure that the organization is prepared to respond if an intrusion occurs.
Best practices include designating a crisis-response team with clear roles, making sure key personnel are available and reachable when needed, and running tabletop exercises to test your incident response plan.
- Maximize the organization’s resilience to a destructive cyber incident.
Best practices include creating offline backups and regularly testing that they can actually be restored, and (if you run industrial control systems or operational technology) testing that critical functions can continue under manual control if the network becomes untrusted or unavailable.
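Point one of the Shields Up guidance, "disable all nonessential ports and protocols", is easy to agree with and easy to skip. As an added example that is not part of CISA's guidance or of the original post, the following script audits a listening-socket table against an allowlist and flags two things: services reachable beyond loopback that policy does not permit, and legacy cleartext protocols (telnet, ftp, SMB, SNMP) that should be off regardless. The input is a constructed sample in the format of `ss -tulpnH` on Linux, and the allowlist and legacy-port table are hypothetical policy choices you would replace with your own.

```python
"""Audit listening services against an allowlist (added example, not CISA's code).

Input format is that of `ss -tulpnH` on Linux:
  proto state recv-q send-q local-address:port peer-address:port users:(("name",pid=N,fd=M))
"""
from dataclasses import dataclass

# Constructed sample output: what `ss -tulpnH` might print on a small server.
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511    0.0.0.0:443       0.0.0.0:*    users:(("nginx",pid=1203,fd=6))
tcp   LISTEN 0      128    127.0.0.1:3306    0.0.0.0:*    users:(("mysqld",pid=990,fd=21))
tcp   LISTEN 0      128    0.0.0.0:23        0.0.0.0:*    users:(("telnetd",pid=1450,fd=3))
tcp   LISTEN 0      128    0.0.0.0:3389      0.0.0.0:*    users:(("xrdp",pid=1600,fd=11))
udp   UNCONN 0      0      0.0.0.0:161       0.0.0.0:*    users:(("snmpd",pid=700,fd=7))
tcp   LISTEN 0      128    [::]:22           [::]:*       users:(("sshd",pid=812,fd=4))
"""

# Hypothetical policy: (protocol, port) pairs that may be exposed beyond loopback.
ALLOWED_EXPOSED = {("tcp", 22), ("tcp", 443)}

# Hypothetical list of legacy/cleartext services to flag wherever they are bound.
LEGACY_PORTS = {
    ("tcp", 21): "ftp",
    ("tcp", 23): "telnet",
    ("tcp", 445): "smb",
    ("udp", 161): "snmp",
}


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    process: str


def parse_ss(text):
    """Parse `ss -tulpnH` lines into Listener records; malformed lines are skipped."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")      # rpartition handles IPv6 "[::]:22"
        addr = addr.strip("[]")
        process = "?"
        if len(fields) > 6 and fields[6].startswith("users:"):
            process = fields[6].split('"')[1]     # first quoted token is the program name
        listeners.append(Listener(proto, addr, int(port), process))
    return listeners


def is_exposed(addr):
    """True if the bind address is reachable from off-host (not loopback)."""
    return not (addr.startswith("127.") or addr == "::1")


def audit(text, allowed=ALLOWED_EXPOSED, legacy=LEGACY_PORTS):
    """Return sorted findings as (kind, proto, port, process, addr) tuples.

    kind is "legacy" for a cleartext/legacy protocol on any address, or
    "exposed" for a non-loopback listener that the allowlist does not permit.
    """
    findings = set()
    for l in parse_ss(text):
        key = (l.proto, l.port)
        if key in legacy:
            findings.add(("legacy", l.proto, l.port, l.process, l.addr))
        elif is_exposed(l.addr) and key not in allowed:
            findings.add(("exposed", l.proto, l.port, l.process, l.addr))
    return sorted(findings)


if __name__ == "__main__":
    for kind, proto, port, process, addr in audit(SAMPLE_SS_OUTPUT):
        print(f"{kind.upper():8} {proto}/{port:<5} {process:<10} bound to {addr}")
```

On the sample data the script reports xrdp on tcp/3389 as an unexpected exposure and telnetd and snmpd as legacy services; sshd, nginx and the loopback-only mysqld pass. On a real host, feed it `ss -tulpnH` output and keep the allowlist in version control so that any new exposure shows up as a diff.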
Like most of the cybersecurity community, I'm sure some of you are thinking "shouldn't we already be doing that?" That may be true, but this advice is aimed at all organizations, from SMBs to large enterprises. Small and medium-sized businesses are the least equipped to handle a cybersecurity incident, so this advice matters most for organizations with no standing security team.
If you want to read the full report, click this link.
Preparing for and Mitigating Foreign Influence Operations Targeting Critical Infrastructure
Although the calls to go shields up are mostly concerned with best practices and defensive posture, the supporting document has a broader scope. Within its threat overview, CISA notes that misinformation, disinformation, and malinformation (MDM) are tools used by many threat actors. Recognizing MDM matters because it can undermine security, stoke unrest, and disrupt markets.
The rest of the CISA Insights document then deals with the best ways for leaders in organizations to coordinate and communicate accurate and trusted information. As geopolitical tensions continue to rise, threat actors, including those not associated with either the Russian or Ukrainian government, can be expected to use MDM against organizations, from sowing confusion among staff and customers to supplying pretexts for social engineering and data theft. CISA's recommended steps are:
- Assess the information environment
- Identify vulnerabilities
- Fortify communication channels
- Engage in proactive communication
- Develop an incident response plan
For a deep dive into the content, check out the Preparing for and Mitigating Foreign Influence Operations Targeting Critical Infrastructure document here.
What should cybersecurity professionals do?
Although certain pockets of the internet are calling for hacktivist intervention against the Russian state, that is both a) illegal and b) irresponsible. Even P4x, the security researcher who knocked the North Korean internet offline earlier this month, faced criticism from the wider cybersecurity community for taking international justice into his own hands. Unauthorized hacking against any target, even one you perceive to be the bad guy, is almost certainly against the law in your home country.
For security professionals who are more concerned with the state of their organization's security posture, now is the time to go shields up. Although there is no specific indication at this point that the risk to organizations outside Ukraine will rise, it is always worth raising your security posture in line with best practices.
If you find cybercriminal activity on your network, reporting it to the authorities is always the right first step. MISP is also a fantastic resource for quickly sharing indicators of compromise and defensive ideas with the wider community. See https://www.misp-project.org/ for more information.