There is already a well-documented history of cyber attacks targeting organizations in Ukraine – including the attack attributed to members of the Russian military intelligence group GRU – NotPetya.
This threat actor has previously conducted attacks known as NotPetya, BlackEnergy, and has targeted high-profile events such as the Olympics, as well as perpetrated destructive attacks against Georgia.
As many news and industry commentators are pointing out, it is plausible that cyber attacks will combine with the kinetic efforts of the Russian armed forces in that region, as politically motivated attacks by hacktivists and other cybercrime affiliates look to target Western allied interests.
According to an advisory from The UK National Cyber Security Centre (NCSC), the same Russian-linked threat actor, Sandworm, recently began using a new “large-scale modular malware framework” to cause disruptive attacks on critical organizational targets within Ukraine.
The US Cybersecurity & Infrastructure Security Agency (CISA) recommends that every organization in the US applies “Shields Up” and, given the ever-growing threat landscape, organizations should already be on the lookout for adversarial activity and ransomware.
As always, adversarial activity WILL attempt to take advantage of the situation through disinformation, social engineering or phishing, and other attack tactics and techniques that may leverage established or novel and sophisticated cyber tools. Although the likelihood of direct aggression from nation-states remains low, your organization’s threat model and planning should include the possibility, for example, that your infrastructure will be targeted as a way to gain access to someone in your north or south supply chain.
As we witnessed with previous supply-chain attacks, including NotPetya, collateral damage to unintended targets can be significant.
It’s important to remember that almost any organizations could be a target for direct action or fallout from cyber attacks at any time – either targeted or opportunistically – which means the fundamentals of cybersecurity are always critical, not just during a time the cyber threat is heightened.
All Organizations Should Prioritize the Following
Create a Response Plan
- Designate a crisis-response team with main points of contact for a suspected cybersecurity incident and roles/responsibilities within the organization, including technology, communications, legal, and business continuity. Identify the decision makers for each department to avoid confusion in the heat of an incident.
Educate Users
- Cyber training and security awareness can be an effective step to preventing social engineering attacks, as the first line of defense is usually your employees and users.
Deploy MFA (Multi Factor-Authentication)
- If you cannot yet deploy MFA to all users for all activity, at least validate that all remote access to the organization’s network and privileged or administrative access requires multi-factor authentication.
Patch Vulnerable Software
- Ensure that software is up to date, prioritizing updates that address known exploited vulnerabilities identified by CISA, and those that are internet-facing. You should also audit what devices and applications are available from the internet and ensure that nothing is accessible unnecessarily.
Test Ransomware and Disaster Readiness
- Test your backup procedures to ensure that critical data can be rapidly restored if the organization is impacted by ransomware or a destructive cyber attack; ensure that backups are isolated from network connections.
- Include extreme scenarios such as power outages or critical infrastructure disruptions in your planning.
We understand that many organizations may not know how to proceed. If you need help preparing or improving your cybersecurity capabilities, there are resources available, including CISA’s Cyber Hygiene Services and—from the UK—National Cybersecurity Centre (NCSC).
No matter which country you are in, there is a broad community of service providers and security vendors that are here to help you, including Arctic Wolf.
If you have additional questions or believe you may need assistance, contact us.
