Steps to Mitigate Cyber Risks During Russia-Ukraine

Increase your cyber alert and monitoring sensitivity, stay informed, but don’t over-react.

This is the overarching takeaway from our partner at InfoTech Research Group, a global leader in IT research and advice. Here's what your organization needs to know about the recent attacks, a step-by-step action plan for nation-level and Info-Tech cyber-defense, and resources to reduce your exposure to threats.

The first attacks carried out by Russia toward Ukraine didn't come from a gun, they were fired from a keyboard. To engage the enemy and increase success on the battlefield, Russian military commanders targeted Ukrainian banks and defense networks with destructive cyberattacks. 

In the US, military officials stated that planning and training are underway to detect, respond to, and prevent cyberattacks against critical infrastructure computers that control utilities, electric facilities, and water plants. Recent cyber incidents – such as SolarWinds, Hafnium, Log4j – that showcase the effectiveness of low-effort attacks reminds us of the importance of reliable countermeasures to protect your organization as part of day-to-day operations. Organizations should expect events like this will occur and be prepared to respond. 

Russia has previously and recently been linked to sophisticated cyberattacks; it is likely that cyber-related actions will be exercised in conjunction with military efforts. Although most of the attacks are expected to be directed at Ukraine, collateral damage should be considered. Many cybersecurity and geopolitical experts believe cyberattacks against countries imposing sanctions are soon to follow. 

Types of Attacks  

Denial of Service Attacks

A distributed denial-of-service (DDoS) attack occurs when multiple systems that are usually geographically separated and not under central control consume most/all the bandwidth or resources of a targeted system(s). 

• Distributed Denial of Service attacks are directed towards military, government, financial, telco, and other critical service providers.   
• This type of attack was perpetrated against the websites of the Ministry of Defense and the Armed Forces of Ukraine, as well as the web services of Privatbank and Oschadbank (2/15/22). 

Wiper Attack

A Wiper attack involves destroying (wiping/overwriting/removing) data from the victim. Wiper attacks are destructive and often do not involve a ransom. Wiper malware could also be used as a covert tactic to cover the tracks of a separate exploit, such as data theft. 

• WhisperGate (1/13/2022) and HermeticWiper (2/22/22); more variants expected. 
• As of February 24, 2022, ESET telemetry showed that this malware was installed on hundreds of machines in Ukraine. 

Espionage 

The use of computer networks to gain unapproved/illicit access to confidential information. These attacks are usually targeted at government or other organizations that house sensitive information that could prove damaging or be used for blackmail if disseminated publicly. 

• Directed towards Ukraine, but also internationally. CISA has issued alert AA22-047A on this topic. 
• Ukraine’s Computer Emergency Response Team (CERT-UA) wrote a Facebook post early Friday (2/25/22) about a cyber espionage group targeting Ukraine’s military personnel with phishing attempts. 
• Opportunistic cybercriminals are starting to leverage the high-profile nature of the Russian-Ukraine conflict to push bogus scams and tap into legitimate support efforts. 

Defacement 

Website defacement is a type of attack in which hackers compromise a website and replace content on the site with their messages. The messages are intended to cause harm and usually display a message that the website has been hacked, promoting the hacker group defacing the site. 

• Supply chain attacks (Kitsoft); Log4j 2 attacks. 
• More than 2,100 US-based firms and 1,200 European firms have at least one direct (tier-1) supplier in Russia and more than 450 firms in the US and 200 in Europe have tier-1 suppliers in Ukraine. 
• Software and IT services account for 13% of supplier relationships between US and Russian/Ukrainian companies. 

Disinformation 

Disinformation attacks are the intentional dissemination of false information via social networks or other communication mechanisms with wide reach such as email and SMS, with an end goal of misleading, confusing, or manipulating a large audience.  

• Disinformation using SMS messages, social media, and other platforms.   
• US tech companies like Google, Facebook, and Twitter have started to respond to Russia's invasion of Ukraine by attempting to stop the spread of disinformation and demonetizing ads that run on Russian state media accounts (2/28/22). 

Awareness and Cyber Preparedness 

Be aware of malicious actors and possible state-sponsored cyber activity.  Known threat actors are already perpetrating attacks against Ukraine. Understand the attacks they use and build appropriate defensive measures, in case they shift their attention to the rest of the world.  Follow only official sources of information to help you assess risk. You should stay informed and vigilant of the threat actors currently associated with Russian attributed cyberattacks. The CISA Shields Up site, SANS Storm Center site, and MITRE ATT&CK group site are helpful to receive timely information and understand risks. 

Cyber Recommendations 

1. Improve network monitoring at your perimeter.  Ensure you have visibility for incoming and outgoing traffic with appropriate safeguards. 
   1. Monitor and consider blocking high-risk outbound network traffic: 
   2. Review your WAF (web application firewall) configuration and set to blocking mode to mitigate zero-day attacks. 

2. Create contingency plans to disconnect high-risk external connections.  Preparedness, control, and proactiveness are key in a successful defense. 
   1. Inventory any unfiltered VPNs and other vendor/contractor connections. Make sure you have monitoring in place and understand access risks. 
   2. Limit traffic destinations for high-risk protocols wherever possible (see column to the left). 
   3. Watch for collateral damage and propagation via automation. NotPetya showed us that poorly monitored and unpatched interconnected systems provide reliable attack surfaces. 
   4. Perform tabletop exercises to ensure readiness during any disruptive event and at least annually. Ensure all your key resources have current contact information and can support business continuity on short notice. 
   5. Validate your backup and recovery processes. 

3. Use this event to bolster your security awareness program.  Educating end-users will lower your risk from malware and social attack vectors. 
   1. Implement or execute a simulated phishing campaign. These attacks are usually carried out via email but now are frequently delivered via SMS, phone calls, and social media. Ensure your employees are vigilant. 
   2. Reassess your password standard. Encourage passphrases and strong passwords: easy to remember, hard to guess. Use a secure password manager to reduce call center events due to users who use complex, hard-to-guess passwords. 
   3. Implement MFA on any external ingress points. Consider expanding the scope to those that don’t store or transmit sensitive information. If they pose a risk by being able to pivot to other systems if compromised, assume the worst. 
   4. Timely and effective communication are paramount. Consider the human factor: most people are scared during conflicts. You'll receive the best outcome by keeping your communications simple, actionable, and direct while delivering with calmness.
      
4. Improve your rigor around patching and updating consistently.  Poorly monitored, unpatched assets create additional cyber risk. 
   1. Ensure your assets are patched and up to date (computer systems, mobile devices, applications, etc.). Automatic updates are strongly encouraged. 
   2. Ensure your endpoint detection and response agents are active, receiving threat intelligence feeds, and set to protect/block risks. 
   3. Enable an allow-listing policy on your EDR solution (which files can execute). Recent attacks have shown Russian actors have misused legitimate drivers from trusted vendors, such as EaseUS (Partition Master), to weaponize wiper attacks and in some cases bypass poorly configured or mismanaged EDR/MDR. 
   4. Look for behavioral evidence or network and host-based artifacts from known Russian state-sponsored TTPs. Table 1 from CISA's Alert (AA22-011A) lists commonly observed TTPs.