The escalating conflict between Russia and Ukraine may lead to a rise in Russian cyberattacks across the globe. Ukraine itself suffered a denial of service attack this week that temporarily blocked access to some banks and defense agencies. It’s too early to tell who is responsible, but the U.S. government acknowledges that Russia has a history of carrying out similar attacks.
CISA (the Cybersecurity and Infrastructure Security Agency) recently issued a joint statement with the NSA and FBI urging U.S. organizations to increase their vigilance in guarding against state-sponsored attacks. Attacks like these often reach their victims through third-party infrastructure and software, as in the SolarWinds supply-chain compromise. So even entities that are not typically threatened by geopolitical issues can sustain collateral damage.
While it cited no specific threat, CISA recently issued both an alert and a “Shields Up” advisory regarding the potential for increased Russian cyberattacks.
CISA warns that cyber threats can disrupt business and essential services, as well as impact public safety. These threats apply to all U.S. businesses and citizens, even if they do not perceive themselves to be a target in geopolitical matters.
While state-sponsored attacks are frequently quite sophisticated, the entry points are often simple. Many attacks start as plain email phishing campaigns or via easily guessed passwords. Once attackers have a foothold, they tend to keep it quietly for months, with the patience to wait for the right moment to strike. It’s likely that many systems have already been infiltrated.
Russian hackers have previously had success targeting healthcare and public health entities, energy companies, telecommunications providers, and government facilities. These are not the only possible targets of state-sponsored attacks. But if you do business in these industries, you are strongly urged to improve your resilience against attacks.
Minimum Actions to Take Now
The good news is that the standard security advice that Asylas always gives applies to our current threats. Simple steps can give you added protection today.
First, you need to patch all of your systems. Do it today. Prioritize vulnerabilities that are known to be exploited in the wild (CISA maintains a Known Exploited Vulnerabilities catalog for exactly this purpose). Then, patch everything else.
Follow up your patching spree with the following: implement multi-factor authentication; install and use endpoint detection and response (EDR) software; and develop internal contact lists and surge support teams in case a threat is detected.
The CISA alert recommends a “heightened state of awareness” and “proactive threat hunting” during this time of increased threats.
The following mitigations are advised:
- Be prepared. Confirm reporting processes and minimize personnel gaps in IT/OT security coverage. Create, maintain, and exercise a cyber incident response plan, resilience plan, and continuity of operations plan so that critical functions and operations can be kept running if technology systems are disrupted or need to be taken offline.
- Enhance your organization’s cyber posture. Follow best practices for identity and access management, protective controls and architecture, and vulnerability and configuration management.
- Increase organizational vigilance. Stay current on reporting on this threat. Subscribe to CISA’s mailing list and feeds to receive notifications when CISA releases information about a security topic or threat.
Be Aware of Previously Exploited Vulnerabilities
The following vulnerabilities have been exploited by Russian state-sponsored advanced persistent threat actors in the past (CVE identifiers as listed in CISA’s alert):
- Oracle WebLogic Server (CVE-2019-2725 and CVE-2020-14882)
- Exim Simple Mail Transfer Protocol (CVE-2019-10149)
- VMware Workspace ONE Access (CVE-2020-4006; note: this was a zero-day at the time)
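Putting the two pieces of advice above together (prioritize known exploited vulnerabilities first, and know which of them Russian actors have already used), here is an added example, not code from CISA or from Asylas, of how a small team can rank vulnerability-scanner findings against CISA’s KEV catalog before a patching sprint. The KEV excerpt and the scanner export inside the block are constructed for illustration (the field names follow the real JSON feed; the due dates, hostnames and the two CVE-2021-999xx placeholder IDs are made up), so it runs offline. In practice you would download the live feed and use your own scanner output.

```python
"""Prioritise scanner findings against CISA's Known Exploited Vulnerabilities (KEV) catalog.

Added example for this post; not code from CISA or Asylas. The live catalog is
published as JSON at
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Everything below runs offline: KEV_JSON is a CONSTRUCTED excerpt in the feed's
shape (assumed field names cveID, vendorProject, product, dateAdded, dueDate,
requiredAction; the dates are made up), and SCAN_FINDINGS is a constructed
vulnerability-scanner export. The WebLogic, Exim and VMware CVE IDs are the
ones CISA lists for Russian state-sponsored actors; CVE-2021-99999 and
CVE-2021-99998 are placeholders, not real CVEs.
"""
import json
from datetime import date

KEV_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed excerpt)",
  "vulnerabilities": [
    {"cveID": "CVE-2019-2725", "vendorProject": "Oracle", "product": "WebLogic Server",
     "dateAdded": "2021-11-03", "dueDate": "2022-05-03",
     "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-2019-10149", "vendorProject": "Exim", "product": "Exim",
     "dateAdded": "2021-11-03", "dueDate": "2022-02-01",
     "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-2020-4006", "vendorProject": "VMware", "product": "Workspace ONE Access",
     "dateAdded": "2021-11-03", "dueDate": "2022-03-15",
     "requiredAction": "Apply updates per vendor instructions."}
  ]
}
"""

# Constructed scanner export: one row per (host, CVE) with the scanner's CVSS score.
SCAN_FINDINGS = [
    {"host": "mail01", "cve": "CVE-2019-10149", "cvss": 9.8},
    {"host": "app02",  "cve": "CVE-2019-2725",  "cvss": 9.8},
    {"host": "sso01",  "cve": "CVE-2020-4006",  "cvss": 9.1},
    {"host": "app02",  "cve": "CVE-2021-99999", "cvss": 9.9},  # placeholder, not in KEV
    {"host": "web03",  "cve": "CVE-2021-99998", "cvss": 5.3},  # placeholder, not in KEV
]


def load_kev(raw_json):
    """Index the KEV feed by CVE ID so each finding is a single dictionary lookup."""
    data = json.loads(raw_json)
    return {entry["cveID"]: entry for entry in data["vulnerabilities"]}


def prioritize(findings, kev, as_of):
    """Order findings the way the post advises: KEV entries first, everything else after.

    Within KEV, entries already past CISA's due date come first, then the rest
    by due date; ties (and all non-KEV findings) fall back to CVSS, highest first.
    `as_of` is an ISO date string: the day the plan is being made.
    """
    today = date.fromisoformat(as_of)

    def sort_key(finding):
        entry = kev.get(finding["cve"])
        if entry is None:
            return (2, 0, -finding["cvss"])           # tier 2: not known exploited
        due = date.fromisoformat(entry["dueDate"])
        tier = 0 if due < today else 1                # tier 0: overdue, tier 1: KEV on schedule
        return (tier, due.toordinal(), -finding["cvss"])

    ordered = []
    for finding in sorted(findings, key=sort_key):
        entry = kev.get(finding["cve"])
        ordered.append({
            **finding,
            "kev": entry is not None,
            "due": entry["dueDate"] if entry else None,
            "overdue": entry is not None and date.fromisoformat(entry["dueDate"]) < today,
        })
    return ordered


def hosts_needing_patch_first(prioritized):
    """Hosts with at least one KEV finding, in the order they first appear in the plan."""
    seen = []
    for finding in prioritized:
        if finding["kev"] and finding["host"] not in seen:
            seen.append(finding["host"])
    return seen


if __name__ == "__main__":
    plan = prioritize(SCAN_FINDINGS, load_kev(KEV_JSON), date.today().isoformat())
    for f in plan:
        status = ("OVERDUE " if f["overdue"] else "KEV due ") + f["due"] if f["kev"] else "not in KEV"
        print(f"{f['host']:<7} {f['cve']:<15} CVSS {f['cvss']:<4} {status}")
    print("Patch these hosts first:", ", ".join(hosts_needing_patch_first(plan)))
```

The ordering deliberately puts a KEV entry with a 9.1 CVSS ahead of a 9.9 finding that is not in the catalog: a score measures theoretical severity, while the catalog records what adversaries are actually using, and CISA’s due dates tell you which of those you are already late on.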
Think of improving your security posture as akin to maintaining a victory garden during the first half of the 20th century. You’re helping yourself and your business sustain normal operations. And by maintaining a strong perimeter around your own assets, you’re also leaving critical national security resources free for the targets that need them most.