This analysis covers reported known and likely cybersecurity attacks related to the Russian invasion of Ukraine. It also includes recommendations for immediate, short-term and midterm actions that cybersecurity leaders should prioritize to mitigate potential impacts on their organization.
More Detail
On 24 February 2022 the Russian invasion of Ukraine escalated into conventional warfare, but coordinated cyber conflict has been underway for much longer. All organizations, particularly those in critical infrastructure sectors, could be impacted directly or indirectly. Security and risk management leaders can learn from the attacks currently unfolding to prepare for future crises.
Reported attacks already underway:
Volumetric distributed denial of service (DDoS) attacks on media companies, banks and government websites.
Increased malware activity such as data wiping.
Targeted and persistent phishing attacks by groups such as Gamaredon.
Disinformation campaign via SMS messages to induce panic.
Attacks likely to happen:
Exploitation of dormant exploits and access, such as BlackEnergy, which was used to target Ukraine’s electric grid in 2014 and 2015.
Cyber-physical systems (CPS) running operations in critical infrastructure are attractive targets.
Cloud providers and undersea cables that underpin internet connectivity are also targets because of the potential for large-scale international disruption. In 2019, Russia successfully tested its internet infrastructure's ability to operate while isolated from the rest of the world.
Automated exploits on security infrastructure, especially firewalls and public-facing remote access gateways. For example, researchers have warned that the Sandworm group has developed a new Cyclops Blink hacking tool using botnets to target firewalls.
Exploitation of the crisis for phishing by impersonating “figures of authority” such as government agencies or humanitarian help during mass evacuations.
DDoS to generate chaos or as a "smoke screen" to hide low-and-slow attacks.
With these geopolitical topics, activism runs high and insider threats might rise for organizations working in defense and critical infrastructure.
Longer term, economic damage in Russia resulting from sanctions may increase ransomware activity, both as a retaliatory measure and as a source of income for the state and for the tech-savvy newly unemployed. Geo-fencing will have little effect, as most attacks are delivered via U.S. proxies.
In the initial phases of the crisis, the "fog of war" will also challenge situational awareness, and panic will increase the risk of mistakes. As soon as the intent of the invasion was announced by the U.S. and EU, organizations with staff, operations, data processing and suppliers in Ukraine should have readied their crisis management teams. It is too late after the invasion to invoke business, disaster and third-party recovery plans. The benefits of invoking early include the ability to shift operations to other locations as well as sending in personnel evacuation services to extract employees. These plans, along with cyberattack incident response plans, should have been tested in advance; there is no time during a crisis to develop and test something new.
Business disruption, particularly supply chain disruption, is likely. Expect that some of your partners may be incapacitated if they become targets of cyberattacks or are impacted by sanctions. Also expect lead times to be even more affected for suppliers in high-risk regions.
Immediate actions:
Cybersecurity leaders should ensure they or their team is represented on the cross-organizational crisis management team. Many stakeholders are required to establish situational awareness and to approve the decisions made.
Demonstrate calm and control in communication about threats and incidents. Ensure everyone in the security and risk management teams does the same and avoids adding to the FUD.
Show discipline when setting up the list of “immediate” actions. Favor an “immediate,” “short-term” and “midterm” program to help with planning, workload and stress management.
Assess and strengthen, if necessary, primary and out-of-band communication channels with your security and IT staff, business stakeholders, employees and supply chain providers. Consider use cases where the core communication services (email, corporate internet, telephony) are down. Ensure that everyone knows about them.
Review your crisis management, business continuity, disaster recovery, downtime procedures and supply chain/third-party contingency plans associated with Ukraine operations to ensure they align to current business and IT activities.
Work with the team on immediate additional due diligence to prevent user mistakes, starting with changes to critical security and IT infrastructure (e.g., selective use of the four-eyes principle).
Prepare for incident response, as there might still be time to obtain or increase threat detection, incident response retainer and service capabilities. Structure IR personnel schedules to avoid burnout and develop comprehensive shift handover and communication processes.
Implement the “in case of emergency” feature of DDoS providers to blunt sudden volumetric attacks on public-facing assets.
Prepare an executive presentation/one-page report template, as these types of crises trigger update requests from board members or C-level executives.
Short-term (days/one to two weeks):
Establish/maintain a governance and legal process that includes the CEO, the board and key operational staff. Decide who will take the lead should an incident occur.
Update your inventory to identify missing security controls, detection signatures and threat intelligence updates.
Invoke your supply chain/third-party contingency plans for Ukraine-based providers.
Review government agency recommendations for preventative actions.
Communicate about the risk of multichannel phishing (e.g., email, voicemail, IM, Teams/Slack, SMS) and social engineering related to the ongoing events. Don't run phishing tests targeted at this scenario. Employees are your allies in this. Encourage virtuous behaviors such as reporting anomalies.
Set up a task force to monitor the surge of vulnerabilities and advisories expected in the coming days. Prioritize patches for public-facing infrastructure. Use resources such as CISA's Known Exploited Vulnerabilities Catalog to focus efforts and scarce resources on actively targeted vulnerabilities, such as those in Zabbix.
Prioritize threat intelligence analysis toward the most likely threat actors and threat vectors.
Implement threat hunting processes as if an incident had recently happened: monitor and hunt for specific tactics, techniques and procedures (TTPs) by following government agencies' recommendations. Scrutinize alerts related to C2 communication and credential access.
Analyze existing DDoS protections not only for critical public-facing assets but also for any ingress or egress internet point of presence.
Review network segmentation enforcement strength and zoning based on potential change in relative trust between segments and offices impacted by the crisis.
Look to manage burnout/fatigue in your team. Provide resources for alleviation of stress in collaboration with HR, for example mindfulness exercises, recharge breaks or focus time.
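The patch-prioritization step above (focus scarce effort on KEV-listed vulnerabilities, public-facing infrastructure first) can be turned into a repeatable triage script. The following is an added example, not code from the original article; it embeds a constructed stand-in for the KEV feed (same field names as the published JSON, but with placeholder CVE ids) and a constructed scanner export, so it runs offline:

```python
import json
from datetime import date

# Constructed stand-in for CISA's KEV feed: same top-level shape and field names as the
# published JSON, but the CVE ids are placeholders, not real catalog entries.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "Zabbix", "product": "Frontend",
     "dateAdded": "2022-02-22", "dueDate": "2022-03-08",
     "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "Firewall",
     "dateAdded": "2022-02-25", "dueDate": "2022-03-11",
     "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-0000-0003", "vendorProject": "ExampleVendor", "product": "Office Suite",
     "dateAdded": "2022-01-10", "dueDate": "2022-01-24",
     "requiredAction": "Apply updates per vendor instructions."},
]})

# Constructed vulnerability-scanner export: one open finding per (asset, CVE).
FINDINGS = [
    {"asset": "monitor-01", "cve": "CVE-0000-0001", "internet_facing": False},
    {"asset": "fw-edge-01", "cve": "CVE-0000-0002", "internet_facing": True},
    {"asset": "ws-0042", "cve": "CVE-0000-0003", "internet_facing": False},
    {"asset": "web-01", "cve": "CVE-0000-0099", "internet_facing": True},  # not in KEV
]


def prioritize(kev_json, findings, today_iso):
    """Return the findings that appear in the KEV catalog, most urgent first:
    internet-facing assets before internal ones, then earliest CISA due date.
    Entries whose due date has already passed are flagged as overdue."""
    today = date.fromisoformat(today_iso)
    kev = {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}
    queue = []
    for f in findings:
        entry = kev.get(f["cve"])
        if entry is None:
            continue  # not known-exploited: leave it to the normal patch cadence
        due = date.fromisoformat(entry["dueDate"])
        queue.append({**f, "product": f"{entry['vendorProject']} {entry['product']}",
                      "due": due, "overdue": due < today})
    queue.sort(key=lambda q: (not q["internet_facing"], q["due"]))
    return queue


if __name__ == "__main__":
    for q in prioritize(KEV_SAMPLE, FINDINGS, "2022-03-01"):
        exposure = "public" if q["internet_facing"] else "internal"
        flag = " OVERDUE" if q["overdue"] else ""
        print(f"{q['asset']:12} {q['cve']:14} {q['product']:24} due {q['due']} {exposure}{flag}")
```

To use it against the live catalog, replace KEV_SAMPLE with the JSON downloaded from CISA and FINDINGS with your scanner's export; the sort order and overdue flag are what the task force works through first.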
Midterm (two to four weeks):
Reevaluate risks of single-point-of-failure providers — actively prepare for redundancies, especially when the providers operate in the region impacted by the crisis.
Strengthen crisis communications by using emergency/mass notification services (EMNS).
Identify “single-region/point of presence (POP)” infrastructure and smaller regional SaaS that might be at higher risk of disruption, and evaluate backup options.
Revise your security plans to account for safety and operational resilience considerations. As cyber-physical systems (CPS) have emerged due to operational technology (OT)/IT system integration and new automation efforts, human safety and resilience are as important as information security.
Remain available for cross-organizational workforce meetings even when they start to feel less crucial. Business disruption might take more time to materialize but can then require immediate involvement from security teams.
Cross-train IT security personnel in the inner workings of CPS to increase security in mission-critical environments.
What to ignore for the next weeks:
Attribution. There will be opportunistic activity from multiple nation states and cybercriminal organizations. Targeted assets, attack techniques and available threat intelligence are helpful now; attribution might become useful much later.
Non-critical business operations and activities.
Macro business disruption. Some industries will be directly impacted by the Russian invasion of Ukraine but there are no immediate actions that can change that. Watch for pivots, rebudgeting and reprioritization of projects.