Mar 27, 2022

The Potential ‘Cyber’ Fallout from the Russia – Ukraine Situation, and What You Can Do

Every organization in the United States is at risk of cyber-attacks that can disrupt corporate operations as a result of possible collateral incidents from cyber operations related to the Russian invasion of Ukraine. In a recent release from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), CISA Director Jen Easterly stated:

“We need to be prepared for the potential of foreign influence operations to negatively impact various aspects of our critical infrastructure with the ongoing Russia-Ukraine geopolitical tensions. We encourage leaders at every organization to take proactive steps to assess their risks from information manipulation and mitigate the impact of potential foreign influence operations.”


Current Situation – What We Know

According to a Reuters story Thursday morning, a variety of possible Russian cyber operations associated with the invasion of Ukraine have already begun. Specific examples cited include:

  • Wednesday – Targeted denial-of-service attacks were launched against the websites of Ukraine's government, foreign ministry, and state security service. Each of these sites has been reported offline.

  • Thursday – Phishing attacks on public authorities and critical infrastructure, the spread of malicious software, and attempts to penetrate private and public sector networks and further destructive actions have reportedly intensified within Ukraine.

  • Thursday – Computers in Ukraine were hit by data-wiping software as Russia launched a full invasion. These attacks “show signs of a ‘sophisticated and targeted’ operator,” said Brian Kime, vice president at U.S. cybersecurity firm ZeroFox. This newly discovered destructive software has been found circulating in Ukraine, having hit hundreds of computers, according to researchers at the cybersecurity firm ESET. Additionally, cybersecurity firm Symantec told Reuters that infections had already spread outside Ukraine to Latvia and Lithuania, and possibly elsewhere.


Reasons to Worry and Take Immediate Action

CISA has stated in a recent communication that the Russian government has used cyber operations as a key component of its force projection over the last decade, including previously in Ukraine in 2015. And while there are not currently any specific credible threats to the U.S. homeland, we are mindful of the potential for the Russian government to consider escalating its destabilizing actions in ways that may impact others outside of Ukraine.

Therefore, CISA highly recommends that all organizations—regardless of size—adopt a heightened posture when it comes to cybersecurity and protecting their most critical assets.

According to a recent BBC story, these allegedly Russian cyber operations are reminiscent of the hugely disruptive NotPetya "wiper" attack, which started in Ukraine but spread globally, causing billions of dollars of damage to computer systems across Europe, Asia, and the Americas. The US, UK and EU have blamed Russia for the NotPetya wiper attack.


Next Steps – What to Do Now

To aid organizations in properly preparing for an intensified cyber-attack environment, we are sharing the following CISA recommendations for all organizations:

Shields Up Guidance for All Organizations

Reduce the likelihood of a damaging cyber intrusion

  • Validate that all remote access to the organization’s network and privileged or administrative access requires multi-factor authentication.

  • Ensure that software is up to date, prioritizing updates that address known exploited vulnerabilities identified by CISA.

  • Confirm that the organization’s IT personnel have disabled all ports and protocols that are not essential for business purposes.

  • If the organization is using cloud services, ensure that IT personnel have reviewed and implemented strong controls outlined in CISA's guidance.

  • Sign up for CISA's free cyber hygiene services, including vulnerability scanning, to help reduce exposure to threats.

Take steps to quickly detect a potential intrusion

  • Ensure that cybersecurity/IT personnel are focused on identifying and quickly assessing any unexpected or unusual network behavior. Enable logging in order to better investigate issues or events.

  • Confirm that the organization's entire network is protected by antivirus/antimalware software and that signatures in these tools are updated.

  • If working with Ukrainian organizations, take extra care to monitor, inspect, and isolate traffic from those organizations; closely review access controls for that traffic.

Ensure that the organization is prepared to respond if an intrusion occurs

  • Designate a crisis-response team with main points of contact for a suspected cybersecurity incident and roles/responsibilities within the organization, including technology, communications, legal and business continuity.

  • Assure availability of key personnel; identify means to provide surge support for responding to an incident.

  • Conduct a tabletop exercise to ensure that all participants understand their roles during an incident.

Maximize the organization's resilience to a destructive cyber incident

  • Test backup procedures to ensure that critical data can be rapidly restored if the organization is impacted by ransomware or a destructive cyberattack; ensure that backups are isolated from network connections.

  • If using industrial control systems or operational technology, conduct a test of manual controls to ensure that critical functions remain operable if the organization’s network is unavailable or untrusted.

By implementing the steps above, all organizations can make near-term progress toward improving cybersecurity and resilience. In addition, while recent cyber incidents have not been attributed to specific actors, CISA urges cybersecurity/IT personnel at every organization to review Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure.

CISA also recommends organizations visit StopRansomware.gov, a centralized, whole-of-government webpage providing ransomware resources and alerts.

Recommendations for Corporate Leaders and CEOs

Corporate leaders have an important role to play in ensuring that their organization adopts a heightened security posture. CISA urges all senior leaders, including CEOs, to take the following steps: 

  • Empower Chief Information Security Officers (CISOs): In nearly every organization, security improvements are weighed against cost and operational risks to the business. In this heightened threat environment, senior management should empower CISOs by including them in the decision-making process for risk to the company, and ensure that the entire organization understands that security investments are a top priority in the immediate term.

  • Lower Reporting Thresholds: Every organization should have documented thresholds for reporting potential cyber incidents to senior management and to the U.S. government. In this heightened threat environment, these thresholds should be significantly lower than normal. Senior management should establish an expectation that any indications of malicious cyber activity, even if blocked by security controls, should be reported, as noted on the Shields Up website, to CISA or the FBI. Lowering thresholds will ensure we are able to immediately identify an issue and help protect against further attacks or victims.

  • Participate in a Test of Response Plans: Cyber incident response plans should include not only your security and IT teams, but also senior business leadership and Board members. If you have not already done so, senior management should participate in a tabletop exercise to ensure familiarity with how your organization will manage a major cyber incident, not only to your company but also to companies within your supply chain.

  • Focus on Continuity: Recognizing finite resources, investments in security and resilience should be focused on those systems supporting critical business functions. Senior management should ensure that such systems have been identified and that continuity tests have been conducted to ensure that critical business functions can remain available subsequent to a cyber intrusion.

  • Plan for the Worst: While the U.S. government does not have credible information regarding specific threats to the U.S. homeland, organizations should plan for a worst-case scenario. Senior management should ensure that exigent measures can be taken to protect your organization’s most critical assets in case of an intrusion, including disconnecting high-impact parts of the network if necessary.

As the nation’s cyber defense agency, CISA is available to help organizations improve cybersecurity and resilience, including through cybersecurity experts assigned across the country. In the event of a cyber incident, CISA is able to offer assistance to victim organizations and use information from incident reports to protect other possible victims. All organizations should report incidents and anomalous activity to CISA and/or the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.


Gradient Cyber’s Offer to Assist

As a cybersecurity company, Gradient Cyber believes that good people in the world make a difference and don’t stand idly by. To put this belief into action, we are offering to conduct a complimentary “Introductory Risk and Threat Assessment” for any small business or midsize enterprise that would like to understand the risks and threats facing its organization right now, or that simply wants a second opinion on its current security posture.