CISA Warns US Businesses: Prepare Now for Russian Cyberattacks

UPDATE:

On April 20, 2022, CISA reported that the cybersecurity authorities of the United States, Australia, Canada, New Zealand, and the United Kingdom have released a joint Cybersecurity Advisory (CSA) to warn organizations that Russia’s invasion of Ukraine could expose organizations both within and beyond the region to increased malicious cyber activity from Russian state-sponsored cyber actors or Russian-aligned cybercrime groups.

 

Joint CSA: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure, drafted with contributions from industry members of the Joint Cyber Defense Collaborative, provides an overview of Russian state-sponsored advanced persistent threat groups, Russian-aligned cyber threat groups, and Russian-aligned cybercrime groups to help the cybersecurity community protect against possible cyber threats.

U.S., Australian, Canadian, New Zealand, and UK cybersecurity authorities urge critical infrastructure network defenders to prepare for and mitigate potential cyber threats by hardening their cyber defenses as recommended in the joint CSA.

Russia has ratcheted up the threat of cyber warfare against the United States in response to sanctions being placed on Russian assets after its invasion of Ukraine. Senior FBI cyber officials are warning all businesses in the United States to remain vigilant in anticipation of cyberattacks against Americans. The conflict in Ukraine presents perhaps the largest cyber risk the U.S. has ever faced. This may result in ransomware attacks on the nation’s infrastructure, as well as on the banking and financial services sectors.

Experts predict that Russia might try to disrupt financial systems and the nation’s critical infrastructure, such as the power grid or oil production, to put pressure on the U.S. to relent on sanctions. There is already evidence to support these predictions, as well as previous examples showing that state-sponsored threat actors are waging increasingly sophisticated cyber warfare, including the infamous attacks on SolarWinds and the Colonial Pipeline.

In fact, attacks against the Ukrainian government have already begun. The Russian military has been known to use cyberattacks against Ukraine to disrupt the electrical grid, communications capabilities, and financial institutions. Expected tactics include targeting third-party infrastructure and third-party software, as well as deploying custom malware (so-called “zero-day attacks”). These threat actors have also proven their persistence by using legitimate credentials to go undetected while accessing compromised environments, including cloud environments.

These attacks on the Ukrainian government come just days after multiple U.S. agencies alerted banks and financial institutions to be on heightened alert for retaliation against sanctions. As dramatic sanctions are imposed on Russia, it will not stand by but will instead respond asymmetrically with cyberattacks against the nation's infrastructure and the financial services industry.

CISA Warns Businesses To Put “Shields Up”

The Cybersecurity and Infrastructure Security Agency (CISA) released a cyber “Shields Up” warning last week to the U.S. private sector, including health care, based on the increased cyber threat posed by the Russian government.

The advisory recommends that businesses give attention to security protocols, giving them the necessary support to defend their organization. Phishing is one of the most common methods of attack, and malicious emails are still bypassing built-in security. To combat this, organizations should implement multi-factor authentication across the organization, security monitoring, and endpoint detection and response (EDR), and staff should alert security if they come across something suspicious.

Every organization could be negatively impacted and should be prepared, as ransomware actors aren’t necessarily strategic about who they target and are instead opportunistic. To avoid a loss of network control, networks must be configured properly and systems must be patched; otherwise a ransomware actor can hack and encrypt your network. This also entails updating software or implementing additional security measures, such as multi-factor authentication.

Potential Threats and Targeted Victims

The possibility of a cyberattack on the United States, members of NATO, or other countries that could have an impact is a growing concern. Michael Daniel, the former cybersecurity adviser to President Barack Obama, warned that any company in business with Ukraine could be vulnerable to potential damage.

In the past, Russian cyber attackers were known to target large-scale U.S. infrastructure, so it is important that individuals patch any vulnerabilities in their devices. For example, in 2017 Russian hackers sent the malware variant NotPetya into Ukrainian computer networks, which led to outages of every Windows machine in a U.S. hospital system. Russian malicious actors are also well known for previously engaging in spear-phishing attacks, specifically with compromised accounts. However, it is also common to see phishing scams linking to malicious websites disguised as news or other fraudulent content.

Researchers have recently discovered a new data-wiping malware called HermeticWiper that was able to affect a number of Ukrainian machines within the last two months. This malware, like NotPetya, is intended to be destructive and compromise the infected assets. Over the past few days, the malware was deployed and installed in Ukraine, but due to the network architecture, it spread to wherever the network has connections. In this case, that included Lithuania and Latvia.

The available information is based on history, such as the sectors targeted in the past, as well as the incitement that we may see from sanctions. Herb Lin, the senior research scholar for cyber policy and security at the Center for International Security and Cooperation at Stanford University, noted that the US banking system may be particularly vulnerable to attacks as well as other industries such as energy companies, transportation, and the aviation sector. President Biden's sanctions have been aimed at crippling the Russian financial system, positioning American banks as a target for retaliation, especially if efforts continue to cut off Russia from global financial networks. The common factor is that each of these is a critical lifeline vector with engagement between government and industry.

Multi-Layered Security Solutions to Mitigate Risks

Protective measures should be taken before potential risks become a reality. Effective cyber defense is a long game requiring sustained strategic investment, not a last-minute bolt-on.

To do this, organizations should consider that over 90% of modern cyberattacks begin with phishing emails. Spear phishing, fileless malware, and zero-day exploits are also possible threats, and no single security feature is sufficient to fortify email against them. To defend against damaging attacks and breaches, businesses should implement an adaptive, multi-layered solution that is capable of protecting against advanced and emerging threats.

With innovative real-time protection powered by Open-Source Intelligence (OSINT), Artificial Intelligence (AI), and Machine Learning (ML), the solution should safeguard users and sensitive data against credential phishing, account takeovers, and other damaging attacks.

CISA’s Advisory

The advisory from CISA recommended that organizations of all sizes adopt a more cautious position when it comes to cybersecurity and protecting their most critical assets. Recommended actions include:

Reduce the likelihood of a damaging cyber intrusion.

  • Validate that all remote access to the organization’s network and privileged or administrative access requires multi-factor authentication.
  • Ensure that software is up to date, prioritizing updates that address known exploited vulnerabilities identified by CISA.
  • Confirm that the organization’s IT personnel have disabled all ports and protocols that are not essential for business purposes.
  • If the organization is using cloud services, ensure that IT personnel have reviewed and implemented strong controls outlined in CISA's guidance.
  • Sign up for CISA's free cyber hygiene services, including vulnerability scanning, to help reduce exposure to threats.

Take steps to quickly detect a potential intrusion.

  • Ensure that cybersecurity/IT personnel are focused on identifying and quickly assessing any unexpected or unusual network behavior. Enable logging in order to better investigate issues or events.
  • Confirm that the organization's entire network is protected by antivirus/antimalware software and that signatures in these tools are updated.
  • If working with Ukrainian organizations, take extra care to monitor, inspect, and isolate traffic from those organizations; closely review access controls for that traffic.

Ensure that the organization is prepared to respond if an intrusion occurs.

  • Designate a crisis-response team with main points of contact for a suspected cybersecurity incident and roles/responsibilities within the organization, including technology, communications, legal and business continuity.
  • Assure availability of key personnel; identify means to provide surge support for responding to an incident.
  • Conduct a tabletop exercise to ensure that all participants understand their roles during an incident.

Maximize the organization's resilience to a destructive cyber incident.

  • Test backup procedures to ensure that critical data can be rapidly restored if the organization is impacted by ransomware or a destructive cyberattack; ensure that backups are isolated from network connections.
  • If using industrial control systems or operational technology, conduct a test of manual controls to ensure that critical functions remain operable if the organization’s network is unavailable or untrusted.

Key Takeaways

The digital threat environment may remain heightened for as long as the crisis in Ukraine exists, if not longer. Daniel has stated, “There are things that could occur through cyberspace that have an impact on the physical world that could take weeks, months, years to actually recover from.” In the worst-case scenario that America is a victim of an attack or collateral damage, it pays to be protected with a multi-layered cloud email security solution.