On Feb. 24, the Russian invasion of Ukraine escalated with the use of conventional warfare, but coordinated cyber conflict has been underway in the region for much longer.
In 2014, Ukraine's Central Election Commission was targeted by threat actors. In December 2015, an attack on the power grid plunged parts of the country into darkness. In June 2017, an attack on tax preparation software in Ukraine using malware dubbed "NotPetya" affected organizations including banks, newspapers, and even radiation monitoring systems at Chernobyl. The effects of NotPetya were not limited to organizations in Ukraine, however, and several global companies faced billions of dollars of impacts.
Most recently, significant threats have emerged since Russia invaded Ukraine. This includes high volumes of distributed denial-of-service (DDoS) attacks; increased malware activity, such as data wiping; targeted and persistent phishing attacks; and disinformation campaigns via SMS messages to induce panic.
All organizations, particularly ones in critical infrastructure sectors, could be affected directly or indirectly by these threats and others likely to arise. While it's too late to create and test business, disaster, and third-party recovery plans during this crisis, existing plans should be invoked. Security and risk management leaders should also apply lessons from previous attacks as well as those currently unfolding to respond to the crisis and prepare for future threats.
Immediate Actions: Demonstrate Calm and Control
In the initial phases of the crisis, the "fog of war" will challenge situational awareness, and panic will increase the risk of mistakes. Security and risk management leaders must ensure they do not add to that fear, uncertainty, and doubt, and instead concentrate on what they can control.
Focus immediate responses on increasing awareness and vigilance to detect and prevent potential threats. Remember, it's just as important to be mindful of the increased stress and pressure facing the organization during this time. A human error due to these forces may have a greater impact on the organization than an actual cyberattack.
Immediate actions for security and risk leaders to undertake include:
- Review crisis management, business continuity, disaster recovery, downtime procedures, and supply chain/third-party contingency plans associated with Ukraine operations to ensure they align with current business and IT activities.
- Prepare for incident response (IR), as there might still be time to acquire or increase some threat detection and IR services capabilities. Structure IR personnel schedules to avoid burnout and develop comprehensive shift handover and communication processes.
- Implement the "in case of emergency" feature of DDoS providers to blunt sudden high-volume attacks on public-facing assets.
- Prepare an executive presentation/one-page report template, as these types of crises will likely trigger update requests from board members and C-level executives.
Short-Term Actions: Monitor Threats and Act Accordingly
As new cyberattacks unfold over coming days and weeks, it will be critical to rely on threat intelligence tailored for your organization. Threat actors will likely leverage the situation to propagate attacks using known techniques such as targeted phishing, but new techniques may also emerge.
Subscribe to the US Cybersecurity and Infrastructure Security Agency (CISA) (or similar regional government security agency) feeds for updates on threats, and watch for government guidance to prepare for attacks that the organization may not be ready to handle. Set up a task force to monitor vulnerabilities and advisories.
Additional actions in this phase include:
- Establish/maintain a governance process that includes the CEO, the board, and key operational staff. Decide who will take the lead should an incident occur.
- Update the asset inventory to identify missing security controls, detection signatures, and threat intelligence updates. Prioritize patches for public-facing infrastructure and focus efforts and resources on actively targeted vulnerabilities.
- Implement threat-hunting processes as if an incident recently happened; monitor and hunt for specific tactics, techniques, and procedures by following government recommendations.
- Review network segmentation enforcement strength and zoning based on potential changes in relative trust between segments and offices affected by the crisis.
Longer-Term Actions: Learn From Previous Attacks
The NotPetya attack of 2017, which originated in Ukraine but had reverberating effects across the globe, offers lessons for security and risk management leaders on how to act in the mid- to long-term period following the current crisis in Ukraine.
A huge lesson from NotPetya was the need for resilience thinking. When fighting such an attack, organizations must make decisions with incomplete data. No one can initially grasp the full picture of an attack as it's happening, so risk-based analysis with the data at hand will be essential to drive business decisions.
NotPetya also demonstrated the nature of the interconnectedness of assets, both in enterprise and operational settings. Many firms with minute footprints in Ukraine became collateral damage following the NotPetya attack, halting business operations across the globe and causing billions of dollars in damages. It's very likely that there will be similar collateral damage from the ongoing attack. Security and risk leaders must revise security plans to account for interconnected systems and prioritize safety and operational resilience.
Finally, NotPetya showed that alert and operational fatigue must be managed appropriately. This is a stressful period that may lead to burnout. Mindfulness techniques and work-life balance practices will support efficient decision-making during a challenging time.
Security and risk leaders should consider medium- to long-term actions such as:
- Reevaluate risks of single-point-of-failure providers and actively prepare for redundancies, especially when the providers operate in the impacted region.
- Cross-train IT security personnel in the inner workings of cyber-physical systems to increase security in mission-critical environments.
- Remain available for cross-organizational workforce meetings. Business disruption may take longer to materialize but will require immediate involvement from security teams.
The unknown consequences of a crisis like this test the value of business continuity management efforts as well as incident response plans, but they may also highlight gaps in those plans. This is a critical time for security and risk management leaders to remain calm, maintain control, and triage responses to ensure that the organization can remain resilient against threats during this crisis and through others in the future.