UPDATE MARCH 23, 2022: On Monday, President Joe Biden urged U.S. businesses to take added precautions amid “evolving” intelligence that Russia could target American companies with cyberattacks as it continues its war on Ukraine, according to Yahoo News.
“The magnitude of Russia’s cyber capacity is fairly consequential, and it’s coming. The federal government is doing its part to get ready,” he said, imploring companies to invest “as much as you can” in beefing up technology capacity.
Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, echoed the president, urging “all organizations, large and small, to act now to protect themselves against malicious cyber activity.”
UPDATE FEB. 16, 2022: European and U.S. regulators are warning banks they should be prepared for a possible Russian-sponsored cyber attack as tensions with Russia increase over its massive build-up of troops at the Ukrainian border. The warning comes more than two weeks after the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned all organizations in the U.S. to be on guard against possible cyber attacks coming from Russia.
While military action has yet to unfold, Ukraine has already suffered cyberattacks in recent weeks, including a malware campaign masquerading as ransomware and DDoS attacks that temporarily knocked some government and banking websites offline.
In a blog post, Sandra Joyce, executive vice president and head of global intelligence at Mandiant, says Russia’s history of aggressive cyberattacks warrants concern. She cites Russia’s cyberattacks against Ukraine’s critical infrastructures and other attacks against Europe and the U.S.
If the West responds to an armed conflict with Ukraine, the risk of Russia conducting cyberattacks will increase, Joyce writes. These potential attacks may manifest as supply chain compromises designed to gain access to multiple networks simultaneously, similar to the SolarWinds Orion compromise.
“Many of the same steps defenders might take to harden their networks against ransomware crime will serve to prepare them from a determined state actor, if they take them now,” Joyce writes.
Despite those potential threats, Joyce cautions against panic, saying that the real target of cyberattacks is our perceptions.
“The purpose of these cyberattacks is not simply to wipe hard drives or turn out the lights, but to frighten those who cannot help but notice,” Joyce writes. “The audience of these attacks is broad, but it is also empowered to determine how effective they are. While these incidents can be quite serious for many, we must remain mindful of their limitations. We only do the adversary a service by overestimating their reach.”
Meanwhile, cybersecurity giant CrowdStrike says in a blog that while cyberattacks against Russia’s adversaries during this crisis can’t be discounted, they are unlikely due to the potential for global escalation.
“However, the incidental targeting of international businesses operating within Ukraine may be used by Russian-nexus adversaries to dissuade business operations and investment and destabilize the local economy,” the company said.
In addition to Mandiant, CrowdStrike and several other high-profile cybersecurity providers advising customers to harden networks, CISA issued an advisory this week urging U.S. organizations to take steps now to harden their networks. The advisory includes several recommendations for preparing for a cyberattack and responding to one, as well as other CISA resources, including its catalog of known exploited vulnerabilities.
ORIGINAL JANUARY 25, 2022 ARTICLE:
Last week the DHS’ Cybersecurity and Infrastructure Security Agency (CISA) warned that every organization in the U.S. is at risk from cyber threats that can disrupt essential services and potentially result in impacts to public safety.
The warning comes as more than 100,000 Russian troops are gathering at the Ukrainian border, and the Biden administration is weighing its military options if Russia invades. Russia could conduct a cyberattack against the U.S. if it believes it’s threatened by the U.S. response to a Russian invasion.
CISA said organizations should take the following steps to reduce the likelihood of a damaging cyber intrusion:
- Validate that all remote access to the organization’s network and privileged or administrative access requires multi-factor authentication.
- Ensure that software is up to date, prioritizing updates that address known exploited vulnerabilities identified by CISA.
- Confirm that the organization’s IT personnel have disabled all ports and protocols that are not essential for business purposes.
- If the organization is using cloud services, ensure that IT personnel have reviewed and implemented strong controls outlined in CISA’s guidance.
- Sign up for CISA’s free cyber hygiene services, including vulnerability scanning, to help reduce exposure to threats.
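To make the second item concrete (prioritizing updates for vulnerabilities CISA lists as known exploited), here is an added example that is not from the article or from CISA: it cross-references a constructed catalog extract in the shape of CISA's KEV JSON feed against a constructed asset inventory and orders the hits by CISA's remediation due date. The CVE ids, vendors, products, hosts and dates are placeholders.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's known_exploited_vulnerabilities.json
# (field names are the catalog's; the CVE ids, products and dates are placeholders).
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "VPN Appliance",
     "dateAdded": "2022-01-10", "dueDate": "2022-01-24", "requiredAction": "Apply vendor update."},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "Mail Gateway",
     "dateAdded": "2022-01-18", "dueDate": "2022-07-18", "requiredAction": "Apply vendor update."},
    {"cveID": "CVE-0000-0003", "vendorProject": "OtherVendor", "product": "Database Server",
     "dateAdded": "2022-01-20", "dueDate": "2022-02-03", "requiredAction": "Apply vendor update."},
]})

# Constructed asset inventory: what this organisation actually runs.
INVENTORY = [
    {"host": "vpn-01", "vendor": "examplevendor", "product": "vpn appliance"},
    {"host": "db-07", "vendor": "othervendor", "product": "database server"},
    {"host": "web-02", "vendor": "examplevendor", "product": "web portal"},
]


def _key(vendor, product):
    # Normalise spelling so catalog and inventory entries line up.
    return (vendor.strip().lower(), product.strip().lower())


def prioritize_patches(kev_json, inventory, today_iso):
    """Return KEV entries that touch an inventoried product, most urgent first.

    KEV does not list affected versions, so a hit means 'check these hosts
    against the vendor advisory', not 'confirmed vulnerable'.
    """
    today = date.fromisoformat(today_iso)
    hosts_by_product = {}
    for asset in inventory:
        hosts_by_product.setdefault(_key(asset["vendor"], asset["product"]), []).append(asset["host"])
    hits = []
    for entry in json.loads(kev_json)["vulnerabilities"]:
        hosts = hosts_by_product.get(_key(entry["vendorProject"], entry["product"]))
        if not hosts:
            continue  # nothing in the estate runs this product
        hits.append({"cveID": entry["cveID"], "product": entry["product"],
                     "hosts": sorted(hosts), "dueDate": entry["dueDate"],
                     "overdue": date.fromisoformat(entry["dueDate"]) < today,
                     "requiredAction": entry["requiredAction"]})
    # Overdue items first, then earliest CISA due date.
    hits.sort(key=lambda h: (not h["overdue"], h["dueDate"]))
    return hits
```

Calling `prioritize_patches(KEV_SAMPLE, INVENTORY, "2022-01-25")` returns the VPN entry first (already past its due date) and the database entry second; the mail gateway entry is dropped because nothing in the inventory runs it.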
The agency also urges organizations to take the following steps to quickly detect potential intrusions:
- Ensure that cybersecurity/IT personnel are focused on identifying and quickly assessing any unexpected or unusual network behavior. Enable logging in order to better investigate issues or events.
- Confirm that the organization’s entire network is protected by antivirus/antimalware software and that signatures in these tools are updated.
- If working with Ukrainian organizations, take extra care to monitor, inspect, and isolate traffic from those organizations; closely review access controls for that traffic.
Recommended response steps include:
- Designate a crisis-response team with main points of contact for a suspected cybersecurity incident and roles/responsibilities within the organization, including technology, communications, legal and business continuity.
- Assure availability of key personnel; identify means to provide surge support for responding to an incident.
- Conduct a tabletop exercise to ensure that all participants understand their roles during an incident.
The following steps are recommended to maximize an organization’s resilience to a cyber attack:
- Test backup procedures to ensure that critical data can be rapidly restored if the organization is impacted by ransomware or a destructive cyberattack; ensure that backups are isolated from network connections.
- If using industrial control systems or operational technology, conduct a test of manual controls to ensure that critical functions remain operable if the organization’s network is unavailable or untrusted.
CISA’s warning comes on the heels of new research from WatchGuard Technologies, which found that despite a drop in third-quarter malware and ransomware activity, 2021 was an exceptional year for these kinds of attacks, reports MyTechDecisions.com.
The researchers also found that nearly half of zero-day malware is now delivered via encrypted connections, with Transport Layer Security (TLS)-delivered malware jumping from 31.6% to 47%. This suggests that many organizations aren’t decrypting these connections and have poor visibility into the amount of malware hitting their networks.
The report also sheds light on new attack vectors as users upgrade to new versions of Microsoft Windows and Office, with attackers focusing on new vulnerabilities while still leveraging older, unpatched bugs. Additionally, the report confirms the increasing proliferation of ransomware, finding that 2021 ransomware attacks are on pace to reach 150% of 2020 volume when full-year data becomes available.
Russian-linked cyber gangs have a long history of launching cyber attacks against the U.S., including last year’s damaging SolarWinds attack.