Cybersecurity threats are a growing concern amid the Russia-Ukraine conflict.
Over the past two weeks, Russia has continued its invasion of Ukraine with a combination of physical attacks and cyberattacks. As Russia ramps up its attacks and sanctions against it escalate, organizations must remain on high alert for cyberattacks. In the United States, for example, the Cybersecurity and Infrastructure Security Agency (CISA) has warned that every organization is at risk from cyberthreats that can disrupt essential services and potentially affect public safety, whether from Russian state actors, other state-sponsored or organized criminal groups, or hacktivists taking advantage of the situation.
What to expect from Russian cyber actors
Russian cyber actors have a long history of targeting critical infrastructure entities. Financial and health care institutions have been the subject of focused cyberattacks for years, and successful attacks on defense contractors have increased recently.
Russian cyber actors continue to rely on common, well-documented techniques to gain initial access to networks, including:
- Spear phishing
- Credential harvesting
- Password spraying and brute-force attacks
- Known vulnerability exploitation
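Password spraying is worth singling out from the list above because it is built to stay under per-account lockout thresholds: one or two guesses against many accounts rather than many guesses against one. The detection below, added here as an illustration and not code from RSM or any product, shows how to tell the two apart by counting distinct accounts per source rather than attempts per account. The log format (timestamp, source IP, account, FAIL/SUCCESS), the sample lines, the addresses and the thresholds are all constructed assumptions.

```python
"""Detect password spraying and brute-force logon attempts from authentication logs.

Added example for this advisory, not code from RSM or any vendor. The log format
(timestamp, source IP, account, FAIL/SUCCESS), the sample lines and the thresholds
are all constructed assumptions; tune the thresholds to your own environment.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
SPRAY_MIN_ACCOUNTS = 5       # distinct accounts that failed from one source in a window
SPRAY_MAX_PER_ACCOUNT = 2.0  # a spray is wide, not deep: few guesses per account
BRUTE_MIN_ATTEMPTS = 10      # failures against a single account from one source

EPOCH = datetime(1970, 1, 1)
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(FAIL|SUCCESS)$")

# Constructed sample log (assumed format). Three behaviours: a spray that ends with a
# successful logon, a brute-force run against one account, and a benign typo.
SAMPLE_LINES = [
    "2022-03-01T08:00:01Z 203.0.113.10 alice FAIL",
    "2022-03-01T08:00:03Z 203.0.113.10 bob FAIL",
    "2022-03-01T08:00:05Z 203.0.113.10 carol FAIL",
    "2022-03-01T08:00:07Z 203.0.113.10 dave FAIL",
    "2022-03-01T08:00:09Z 203.0.113.10 erin FAIL",
    "2022-03-01T08:00:11Z 203.0.113.10 frank SUCCESS",
] + [
    f"2022-03-01T08:05:{5 * i:02d}Z 198.51.100.7 admin FAIL" for i in range(12)
] + [
    "2022-03-01T09:00:00Z 192.0.2.5 alice FAIL",
    "2022-03-01T09:00:30Z 192.0.2.5 alice SUCCESS",
]


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, user, result = m.groups()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "src": src,
        "user": user,
        "ok": result == "SUCCESS",
    }


def window_start(ts):
    """Align a timestamp to a tumbling WINDOW boundary. A sliding window would also
    catch attacks that straddle a boundary; tumbling keeps the example short."""
    return EPOCH + ((ts - EPOCH) // WINDOW) * WINDOW


def detect(lines):
    """Return a list of findings (password_spray, brute_force) per source and window."""
    fails = defaultdict(lambda: defaultdict(int))  # (src, window) -> account -> failures
    successes = defaultdict(set)                   # (src, window) -> accounts that logged in
    for event in filter(None, map(parse_line, lines)):
        key = (event["src"], window_start(event["ts"]))
        if event["ok"]:
            successes[key].add(event["user"])
        else:
            fails[key][event["user"]] += 1

    findings = []
    for (src, win), per_account in fails.items():
        total = sum(per_account.values())
        distinct = len(per_account)
        # Spraying stays under per-account lockout thresholds, so count accounts, not attempts.
        if distinct >= SPRAY_MIN_ACCOUNTS and total / distinct <= SPRAY_MAX_PER_ACCOUNT:
            finding = {"type": "password_spray", "src": src, "window": win.isoformat(),
                       "accounts": distinct, "failures": total}
            hits = sorted(successes.get((src, win), ()))
            if hits:  # a success from a spraying source means a valid credential was found
                finding["possible_compromise"] = hits
            findings.append(finding)
        for account, count in per_account.items():
            if count >= BRUTE_MIN_ATTEMPTS:
                findings.append({"type": "brute_force", "src": src, "window": win.isoformat(),
                                 "account": account, "failures": count})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LINES):
        print(finding)
```

Run against the constructed sample, the rule reports one spray from 203.0.113.10 that ended in a successful logon for frank (the finding to triage first) and one brute-force run against admin from 198.51.100.7; the single mistyped password from 192.0.2.5 produces nothing. Note that the spraying source never exceeded one failure per account, so a lockout policy alone would not have caught it.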
In addition to data exfiltration, organizations should be on heightened alert for disruptive and destructive attacks such as ransomware, distributed denial of service (DDoS) and wiper malware. Cyber actors have already demonstrated these during the current conflict in Ukraine: data-wiping malware was found on hundreds of Ukrainian machines, overwriting the affected systems' master boot record so they can no longer boot, and a wave of DDoS attacks continues to target Ukrainian government and banking services.
How to respond
Organizations, regardless of size, should remain on heightened alert for retaliation by cyber actors within Russia, as well as by others who may take advantage of the situation, and should ensure that key defenses are in place. RSM recommends that organizations focus on resilience when defending against these types of attacks: standard defensive controls combined with clear visibility into indicators of compromise within your environment. The following outline includes examples of business-focused activities, along with strategic and tactical defenses that reduce the risk of a severe impact from a targeted attack. In addition, organizations should adopt a risk-based posture that evolves with the changing threat landscape.
- Cyber resiliency—have an established business continuity plan with defined roles and responsibilities. Maintain an inventory of systems and their criticality so that response decisions can be prioritized. Review or develop playbooks for operating in conflict zones and identify means of surge support for responding to an incident. Conduct a tabletop exercise to confirm that all participants understand their roles and responsibilities, and test that backups of critical assets can actually be restored, not merely that they exist.
- Crisis communications—establish internal communication procedures, including consistent expectations for regular updates and rapid messaging to employees during a crisis. External communications should focus on brand protection; engage a public relations firm with international experience if necessary.
- System and software updates—keep all systems and software up to date, prioritizing patches for known exploited vulnerabilities, especially on internet-facing systems.
- Extended detection and response—ensure that endpoint and network protection, including anti-malware and endpoint detection and response (EDR) tooling, is deployed on all organization devices, kept up to date and monitored for unauthorized changes or tampering.
- Increase maturity of identity and access management (IAM)—reduce the attack surface by applying the principle of least privilege, including reviewing and removing unnecessary administrative rights and eliminating shared administrative passwords across devices. Confirm that alerting is configured to detect changes within the IAM system, including privilege escalations and role changes. Enforce multifactor authentication, wherever possible, on externally accessible systems such as email, portals and remote access technologies; MFA also blunts the password spraying and credential harvesting described above.
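The IAM alerting called for above is usually built on directory audit events. The rule below is an added example for this advisory, not code from RSM or Microsoft, and shows what "alert on privilege escalations and role changes" looks like in practice for Windows privileged groups: flag every addition to a watchlisted group, escalate when an account adds itself, and correlate an add with a quick follow-up removal, the grant-act-revoke pattern that a periodic membership audit never sees. The event IDs are the standard Windows ones (4728/4732/4756 member added to a global/local/universal security group; 4729/4733/4757 member removed); the group watchlist, the 30-minute correlation window and the sample records are constructed assumptions, and the records are reduced to the few fields the rule needs.

```python
"""Alert on membership changes to privileged groups from Windows Security event records.

Added example for this advisory, not code from RSM or Microsoft. The event IDs are the
standard Windows ones (4728/4732/4756 member added to a global/local/universal
security group; 4729/4733/4757 member removed). The records below are constructed and
reduced to the fields the rule needs; real events carry these as SubjectUserName
(actor), MemberName (member) and TargetUserName (group).
"""
from datetime import datetime, timedelta

# Assumed watchlist; extend with your own tier-0 groups.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
ADD_EVENTS = {4728, 4732, 4756}
REMOVE_EVENTS = {4729, 4733, 4757}
TRANSIENT_WINDOW = timedelta(minutes=30)  # add followed by remove this quickly is a classic evasion

# Constructed sample events: a short-lived Domain Admins grant, a harmless change to a
# business group, and an account adding itself to the local Administrators group.
SAMPLE_EVENTS = [
    {"time": "2022-03-01T10:00:00Z", "id": 4728, "group": "Domain Admins",
     "member": "CORP\\svc-backup", "actor": "CORP\\jdoe"},
    {"time": "2022-03-01T10:12:00Z", "id": 4729, "group": "Domain Admins",
     "member": "CORP\\svc-backup", "actor": "CORP\\jdoe"},
    {"time": "2022-03-01T11:00:00Z", "id": 4728, "group": "Sales",
     "member": "CORP\\asmith", "actor": "CORP\\hr-admin"},
    {"time": "2022-03-01T12:00:00Z", "id": 4732, "group": "Administrators",
     "member": "CORP\\asmith", "actor": "CORP\\asmith"},
]


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def evaluate(events):
    """Return alerts for privileged-group adds, self-elevation and transient membership."""
    alerts = []
    open_adds = {}  # (group, member) -> (time, actor) for adds not yet matched by a removal
    for event in sorted(events, key=lambda e: e["time"]):
        if event["group"] not in PRIVILEGED_GROUPS:
            continue  # changes to non-privileged groups are logged but not alerted on
        when = parse_time(event["time"])
        key = (event["group"], event["member"])
        if event["id"] in ADD_EVENTS:
            alert = {"rule": "privileged_group_add", "severity": "high", "time": event["time"],
                     "group": event["group"], "member": event["member"], "actor": event["actor"]}
            if event["actor"] == event["member"]:
                # An account granting itself admin rights is a strong compromise signal
                alert["rule"] = "self_elevation"
                alert["severity"] = "critical"
            alerts.append(alert)
            open_adds[key] = (when, event["actor"])
        elif event["id"] in REMOVE_EVENTS:
            added = open_adds.pop(key, None)
            if added is not None and when - added[0] <= TRANSIENT_WINDOW:
                # Grant, act, revoke: the membership never shows up in a periodic audit
                alerts.append({"rule": "transient_privilege", "severity": "high",
                               "time": event["time"], "group": event["group"],
                               "member": event["member"], "actor": added[1],
                               "held_for_minutes": int((when - added[0]).total_seconds() // 60)})
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

On the constructed sample the rule raises three alerts: the addition of svc-backup to Domain Admins, the transient-privilege correlation when that membership is revoked twelve minutes later, and a critical self-elevation when asmith adds their own account to Administrators. The Sales group change is ignored. The same structure applies to cloud directory role assignments; only the event source and field names change.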
- Security awareness training—enhance employee training so that employees recognize current common threats and how they are delivered. Establish blame-free reporting, ensuring that employees know whom to contact when they see suspicious activity.
- Review third-party relationships—the following measures can reduce third-party risk:
  - Identify critical vendors with operations or personnel in affected areas.
  - Work with providers to understand their contingency plans and confirm that they are managing their own cybersecurity risks.
  - Review contractual language to ensure it requires appropriate security controls, logging and monitoring, and timely notification of a security event.
  - Document current inventory levels, including on-site and in-transit materials, and use analytics to engage with affected suppliers or logistics process owners.
  - Identify alternate providers and sources of supply as appropriate.
- Maintain operations—from a business perspective, review staffing plans for locations affected by the conflict so that critical operational activities continue even with a high rate of staff absenteeism. Consider retaining outside legal counsel focused on continuity of processes, and ensure that procedures for paying staff in sanctioned countries are reviewed and approved to avoid loss of resources.
For more information, contact our cybersecurity team.