During the past few weeks, tensions have again escalated on the border of Russia and Ukraine. Russia has built up its military presence, bracketing Ukraine on three sides with close to 100,000 troops, tanks, and heavy artillery. All the while, Russian state-sponsored cyber operations targeting Ukrainian websites and critical infrastructure with cyberattacks have increased significantly.
These recent cyberattacks by Russia, its allies, and rogue actors should be cause for concern for the U.S. government and U.S. businesses. Successive worldwide threat assessments from the Director of National Intelligence highlight the cyber capabilities and capacity of Russia, and unclassified assessments from 2021 and 2019 underscore the ongoing threat. Russia continues to target U.S. critical infrastructure and industrial control systems to establish a presence and hold networks at cyber risk or cause substantial damage during a crisis.
Additionally, in mid-January 2022, the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the NSA encouraged “the cybersecurity community—especially critical infrastructure network defenders—to adopt a heightened state of awareness and to conduct proactive threat hunting.”
Why This Matters
Considering this heightened state of awareness and “shields up” posture, U.S. government agencies and cybersecurity firms such as Mandiant have outlined actions businesses, especially the owners and operators of critical infrastructure, should be taking right now, if they haven’t already, to reduce the risk of a destructive cyberattack on their infrastructure.
While there are reports of active measures (e.g., cyber-enabled espionage, information/influence operations) and campaigns against Ukrainian targets, the recommendations we outline in this article are to mitigate destructive attacks, like the “wiper attacks” Microsoft observed earlier this month. Microsoft observed destructive malware attacks on Ukrainian organizations that masqueraded as ransomware but instead wiped or overwrote master boot records or file contents.
John Hultquist, Vice President of Intelligence Analysis for Mandiant, spoke with the U.S. Chamber of Commerce about what his company is seeing vis-à-vis the Russia-Ukraine cyberattacks and how they could impact businesses globally.
“We've been telling our customers to specifically be aware of destructive attacks masquerading as ransomware, and that's precisely [what we have seen so far],” Hultquist said. “There is no reason to believe this is the end of the game. This crisis is going to continue to unfold.”
In line with Mandiant’s most recent report (Proactive Preparation and Hardening to Protect Against Destructive Attacks), Hultquist recommended four major steps businesses should take to ensure their systems are secure during this period of heightened cyberattack threats. We’ve outlined them below.
Harden External Facing Assets
To secure their systems, companies should protect against the risk of threat actors leveraging external applications and services for unauthorized remote access. Companies should be continuously scanning for vulnerabilities and patching them. Additionally, they should be enabling and enforcing multi-factor authentication, which can help protect systems when passwords are stolen or otherwise compromised.
Protect High-Value Infrastructure and Backups
All organizations should verify that backups have been created for critical assets and that those backups are protected from unauthorized actors. Backups can be stored both online and offline, with advanced protections.
Limit Lateral Movements
Companies and governments should create guardrails to protect against malicious actors moving laterally if they are able to penetrate a system. They should also work to harden Remote Desktop Protocol (RDP), which often allows overly broad access to systems.
Organizations should work to protect against the exposure of privileged credentials to unauthorized actors. This includes identifying all privileged accounts and access, and granting additional access only on an as-needed basis. Conversely, organizations need to remove access from individual accounts when that access is no longer needed. Finally, organizations should consider using a “Protected Users” security group to effectively manage credential exposure.
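The following PowerShell script is an added example, not code from the Chamber or from Mandiant's report, that turns the lateral-movement and privileged-access steps above into a read-only audit an administrator can run on a domain-joined Windows host. It assumes the RSAT ActiveDirectory module is installed, that the built-in Active Directory group names are unchanged, and it uses an assumed 90-day threshold to flag privileged accounts whose access may no longer be needed. It reports which privileged users are not members of the Protected Users group, which enabled privileged accounts have gone stale, and whether RDP on the local host is disabled or at least requires Network Level Authentication.

```powershell
# Added example (not from the article or Mandiant's report): read-only audit of
# privileged access, Protected Users membership, and local RDP posture.
# Assumptions: RSAT ActiveDirectory module present, domain-joined host,
# default AD group names. Run as a domain user with read access to AD.
param(
    [int]$StaleDays = 90,   # assumed threshold for "access no longer needed"
    [string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
)

Import-Module ActiveDirectory

# 1. Enumerate every user holding privileged membership, expanding nested groups,
#    so the inventory of "all privileged accounts" is complete.
$privilegedUsers = foreach ($group in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' }
}
$privilegedUsers = @($privilegedUsers | Sort-Object -Property SamAccountName -Unique)

# 2. Privileged accounts missing from "Protected Users". Members of that group
#    cannot authenticate with NTLM or with DES/RC4 Kerberos, cannot be delegated,
#    and receive short-lived TGTs, which limits how far a stolen credential travels.
$protectedNames = @(Get-ADGroupMember -Identity 'Protected Users' -Recursive -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty SamAccountName)
$notProtected = $privilegedUsers | Where-Object { $protectedNames -notcontains $_.SamAccountName }

# 3. Enabled privileged accounts with no logon in $StaleDays days: candidates for
#    access removal under the "reduce access when no longer needed" step.
$cutoff = (Get-Date).AddDays(-$StaleDays)
$stale = foreach ($member in $privilegedUsers) {
    $acct = Get-ADUser -Identity $member.DistinguishedName -Properties LastLogonDate, Enabled
    if ($acct.Enabled -and ($null -eq $acct.LastLogonDate -or $acct.LastLogonDate -lt $cutoff)) { $acct }
}

# 4. RDP posture of this host. fDenyTSConnections=1 means RDP is disabled;
#    UserAuthentication=1 on the RDP-Tcp listener means Network Level
#    Authentication is required, so unauthenticated sessions never reach a logon screen.
$tsPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpDenied = (Get-ItemProperty -Path $tsPath -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections -eq 1
$nlaRequired = (Get-ItemProperty -Path "$tsPath\WinStations\RDP-Tcp" -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication -eq 1

# Report findings for review; nothing here changes AD or the host.
"Distinct privileged users: {0}" -f $privilegedUsers.Count
"Privileged users NOT in Protected Users:"
$notProtected | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize
"Enabled privileged users with no logon in $StaleDays days:"
$stale | Select-Object SamAccountName, LastLogonDate | Format-Table -AutoSize
$rdpState = if ($rdpDenied) { 'disabled' }
            elseif ($nlaRequired) { 'enabled, NLA required' }
            else { 'enabled, NLA NOT required (remediate)' }
"RDP on {0}: {1}" -f $env:COMPUTERNAME, $rdpState
```

Two practical caveats when acting on the report: Protected Users is intended for interactive human admin accounts, not service or computer accounts, and because it blocks NTLM, membership should be piloted on one account at a time so that any application still relying on NTLM is found before a broad rollout. The RDP check only covers the host the script runs on; to assess the fleet, run it through your normal remote management tooling rather than opening additional RDP paths.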
Hultquist notes that the Ukraine-Russia situation has created an important moment for the U.S. government and businesses because of the speed at which the situation is developing. He highlights the possibility of the U.S. becoming drawn in further as the current crisis unfolds.
“You’ve got to be proactive,” Hultquist said. “The good news is we know quite a bit about Russia’s cyber capability, and there are many steps we can take to harden our security posture. But we have to take them now.”
In addition to the defensive measures we outline here, the Chamber encourages all businesses to be prepared, to adopt a heightened risk posture, and to report suspicious activity to CISA, the FBI, a sector risk management agency, or local law enforcement.
For additional information on cybersecurity best practices, businesses can contact Christopher D. Roberti, senior vice president for cyber, intelligence, and supply chain security policy at CISD@uschamber.com.