US-led sanctions on Russia for its invasion of Ukraine earlier this week have sparked considerable concern about retaliatory and spillover cyberattacks from the region on US organizations and those based in other allied nations.
Many expect the attacks to run the gamut from destructive campaigns involving the use of disk-wipers and ransomware, to distributed-denial-of-service attacks, phishing, disinformation, misinformation and influence campaigns. Security experts expect that some of the attacks will be targeted and executed by state-backed Russian threats. Others are likely going to launched by actors sympathetic to Russian interests, and yet others will likely just spill over from Ukraine and cause collateral damage in the same way that NotPetya malware did a few years ago.
Here are seven measures that security experts say organizations need to take right now to be prepared for these attacks. Most of the advice includes measures that organizations should have in place already. But if they don't, now is a good time to implement them, say the experts.
1. Assess Your Exposure: Not Everyone Faces the Same Risks
Chester Wisniewski, principal research scientist at Sophos, says the exposure that organizations face to Russian cyberattacks varies significantly.
Companies that have done or are doing business in Ukraine should expect the worst and make sure that all their security controls are as up to date as possible. Monitoring for credential abuse is especially key. "You should expect communications to be unreliable and have backup plans for how to communicate via other means if you intend to continue operating during the conflict," Wisniewski says.
The US Cybersecurity and Infrastructure Security Agency has recommended that organizations working with Ukrainian counterparts take special care to "monitor, inspect, and isolate traffic from those organizations" and to review access controls for that traffic. The advice is one in a long list of tips that CISA has assembled in a document called Shields Up.
There's a reasonable chance of organizations that do business in the region, but not specifically Ukraine — such as Poland, Romania, Estonia, Latvia, Lithuania, or Moldova — becoming victims of collateral damage from attacks designed to impact Ukraine. Wisniewski points to indicators that Sophos observed Thursday of a disk-wiping malware tool called HermeticWiper impacting some contractor locations in Latvia and Lithuania although it was targeted at Ukrainian entities.
"I don't expect Russia will directly target NATO members, but we saw similar fallout from the NotPetya attacks, which were intended to mostly impact Ukraine," Wisniewski says.
Organizations with no connection to the region are at heightened risk of becoming victims of independent Russia-based threat actors looking to cause harm to the west and perceived enemies of the Russian state. "We were concerned about this outcome before the conflict began and noticed that the Conti ransomware group has come out and declared their 'full support of the Russian government,'" Wisniewski says.
2. Minimize Your Attack Surface
It's a good idea also to deploy Sysmon within the environment, Warner says. "Sysmon can provide broad visibility across your environment that you won't get with default Windows logging. In that sense it essentially mimics what EDR is trying to do," he says. However, organizations often can get good fidelity and detections by looking into Sysmon data. "Oftentimes Sysmon detects behaviors even before an endpoint detection and response (EDR) tool will," Warner says.
Monitor outbound traffic for signs of malware on the network calling out to a command-and-control destination. Though nation-state malware can be extremely hard to spot, in most cases the malware has to communicate somehow, BreachRX said.
A week before the Russian invasion of Ukraine, the National Security Agency issued an advisory on the need for organizations to use strong password types to protect credentials in device configuration files on Cisco routers.
"The rise in the number of compromises of network infrastructures in recent years is a reminder that authentication to network devices is an important consideration," NSA noted, not making any reference to Russian attacks or the current conflict in Ukraine.
3. Execute the Basics
Russian APTs follow similar playbooks to other highly effective groups, says Warner. Their techniques, tactics, and procedures (TTPs) are not secrets, he notes. It's also significant that many of the cyberattacks reported in Ukraine — such as those involving disk-wiping malware like HermeticWiper — have involved systems to which the attackers appear to already have had access previously.
So, preparing for these threats requires paying attention to the security basics — as it always does. "Sadly, the advice doesn't vary from the normal around patching, using multi-factor authentication, etc.," Wisniewski says. "Backups are likely more critical than ever considering that we have seen more activity from wipers recently, even by ransomware gangs like Conti who may choose to wipe your environment if you don't pay, as revenge."
Warner recommends that organizations pay attention to their Windows environments by, for instance, enabling MFA across Microsoft 365, G Workplace, Okta, and other similar environments; disabling legacy authentication; and blocking macros from running in Microsoft Office environments.
Ensure your routers are updated, have a secure password, and do not expose the admin interface to the world, says Johannes Ullrich, dean of the SANS Technology Institute.
"It's also a good time for entities that believe they may be targeted to act as if they have already been breached in some form or fashion," says Casey Ellis, founder and CTO at Bugcrowd. Even if it's just a tabletop exercise, do it. And ensure that intruder detection and incident response plans are up to date, Ellis says.
CISA has recommended that organizations designate a crisis-response team with main points of contact in the event of a cybersecurity incident or suspected incident.
4. Watch Those B2B VPN Connections
A big risk that organizations face is becoming a victim of collateral damage from the cyberattacks in Ukraine. One example is the 2017 NotPetya outbreak that started off as Russian attacks targeting Ukraine but ended up impacting thousands of organizations worldwide. "B2B VPN connections that are unfiltered by security controls such as firewall rules are the mostly likely paths for such spillover," says John Pescatore, director of emerging security trends at the SANS Institute, which has established a resource center for helping organizations navigate potential Ukraine-related cyber threats. SANS recommends that organizations immediately find all B2B VPN connections in the environment and take measures to prevent them from being an initial entry point for attackers, he says.
SANS' advice for B2B VPNs include blocking high-risk protocols on all of them or limiting traffic destinations for high-risk protocols if business requirements do not allow any protocol blocking on B2B VPNs. It also recommends netflow monitoring at all B2B VPN egress points and having plans to disconnect them in a hurry if something happens.
"At least make sure known dangerous protocols are blocked and ideally that only the minimum necessary ports, protocols, and applications are allowed," Pescatore says.
There's only so much organizations are going to be able to do by way of implementing security controls that they do not already have in place to prepare for potential Ukraine-related cyberattacks. So, alerting employees about the likelihood of advanced phishing attacks, misinformation campaigns, and attempts by Russian cyber attackers to compromise corporate systems is key to reducing exposure to these vectors. "Notify all employees to be more aware and cautious and to report any concerning emails or files ASAP," Warner says.
"Send out a reminder to your entire company on how people are the most likely vector of attack," BrightRX said in a blog on how organizations should prepare for potential attacks. "For example, remind them of phishing attacks and tell them to report unusual activity."
Security teams should check executive connections to or communications about politically sensitive topics — such as social media posts critical of Russia. "You might be a target because of those views and not because of your business," BrightRX said. Consider also putting an insider playbook in place to address potential security issues from malicious insiders, the incident response and readiness firm said.
6. Minimize Changes
IT should minimize changes and investigate all new software/executables, new accounts established, and accounts with high privileges in the environment, Pescatore says. Also, he recommends increasing use of strong authentication, especially on privileged accounts, and increasing change control and change monitoring.
"If this conflict gives you management’s attention, make gains in basic security hygiene, even if temporary," Pescatore advises.
7. High-Risk Organizations Should Consider an ISAC Membership
Organizations in the oil, natural gas, and electricity sectors are at high risk of attacks focused on disrupting the flow of oil, gas, and reliable electricity, the ABS Group said this week. Business and technology leaders in these sectors should engage with their information technology (IT) and operational technology (OT) teams to ensure membership in their appropriate industry information sharing and analysis centers (ISAC), the ABS Group said. ISACs are designed to help operators of critical infrastructure keep abreast of industry-specific cyber threats and how to prepare for, defend against, and mitigate them.
ABS Group also recommended that organizations in these sectors practice response procedures and immediately report all attempted or confirmed cyber intrusions to their respective ISAC, the organization's security chief, and Department of Energy (DOE) or the Federal Bureau of Investigation (FBI).
Many organizations likely perceive themselves as being at low risk from Russian cyberattacks. But while it might be true that they are not specific targets, they are just as likely as others to get caught up in opportunistic attacks by Russia-sympathetic threat actors or become victims of collateral damage as was the case with NotPetya.
That's why it's a good idea for all organizations to review and tighten their security posture, security experts said.