Ukraine invasion: This may be the quiet before the cyber-storm, IT staff warned
Now is the time to be a prepper – the computer security kind
Updated As the invasion of Ukraine heads into its third week with NATO allies ratcheting up sanctions against Russia, infosec vendors have urged Western governments and businesses to prepare for retaliatory cyberattacks.
According to Mandiant, Ukraine remains the top target for destructive or disruptive cyberattacks. That said, several US and EU sectors including government, financial services, energy and utilities, and transportation face a "moderate-high" risk of attack from Kremlin-backed miscreants. Media outlets, meanwhile, face a "moderate" risk.
So far, apart from a few standout moments – such as web systems being knocked over, wiper malware infecting machines, and satellite communication terminals coming under attack – there's been little indication of a serious, widespread escalation in cyberwarfare between Russia and Ukraine and its allies.
"The nature and length of NATO and Western sanctions and responses likely will heavily influence Russia's perception of high-priority targets for retaliation," warned Mandiant, which sells cyber-defense products and services.
"Organizations making public statements condemning Russian aggression and/or supporting Ukraine and organizations taking actions to restrict Russian participation in international commerce, competitions, and events face elevated risk of future reprisal."
This warning comes as a slew of tech companies have pledged to drastically scale back sales in Russia and Belarus, if not quit both countries altogether. Others, including Cloudflare and Akamai, have said they'll keep their networks up and running in Russia to provide its citizens with connectivity to the rest of the world — but they've also said they stand with Ukraine.
At the very least, as we've previously reported, Western governments and organizations should prepare for Russian cyber-espionage, according to soon-to-be-Google-owned Mandiant. However, threat actors like Sandworm and the Conti ransomware gang may also "conduct additional destructive or disruptive cyber attacks," it warned.
More wiper attacks likely
Palo Alto Networks' Unit 42 threat intelligence team also expects Russian-backed cyberattacks to spread beyond Ukraine.
"We think the most likely attack that an organization is going to see is a defacement or other wiper-type attack," said Ryan Olson, VP of Unit 42 threat intelligence, during a briefing this week. "That doesn't mean there couldn't be another type of intrusion, but our recommendation is to prepare for some sort of data disruption."
Unit 42 and others documented escalating cyber-activity in Ukraine, including a series of DDoS attacks against government agencies and banks plus a new file-destroying software nasty named HermeticWiper. This malware targets Windows machines and allows its operators to erase all data from a victim's systems. After HermeticWiper spread, another round of website defacement attacks against Ukrainian government organizations soon followed.
Western governments and businesses "should be prepared for the types of attacks that we have been seeing" in Ukraine, Olson said. "Not the same malware, not the same infrastructure that was used inside of Ukraine, but the same kind of tactics."
How to prepare
And the first thing organizations should do to prepare themselves is to lock down their networks, he added.
For example, Russian-backed groups used two popular messaging platforms Discord and Trello to distribute malicious files on Ukrainian devices.
"If you're not using an application like Discord for legitimate purposes inside your network, disabling access to it only provides you a security benefit," Olson said. "Even if you're not using it legitimately, even if you don't have a business use case, if it's allowed in the network, an attacker could still abuse it to deliver some malware."
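One way to act on that advice is to look for hosts resolving Discord or Trello domains that have no documented business use of those services. The script below is an added illustration, not code from the article or from Unit 42; the log lines are constructed, the domain suffixes and the approved-host list are assumptions, and the same approach generalises to any collaboration or file-sharing service your policy does not permit.

```python
import re
from collections import defaultdict

# Constructed sample resolver log (not from the article):
# "<timestamp> <client-ip> <query-name>" per line.
SAMPLE_DNS_LOG = """\
2022-03-08T09:14:02Z 10.0.5.21 cdn.discordapp.com
2022-03-08T09:14:03Z 10.0.5.21 discord.com
2022-03-08T09:20:11Z 10.0.7.4 trello.com
2022-03-08T09:21:45Z 10.0.7.4 api.trello.com
2022-03-08T09:30:00Z 10.0.9.13 updates.example-vendor.test
2022-03-08T09:31:12Z 10.0.5.21 trello-attachments.s3.amazonaws.com
"""

# Services the article names as abused delivery channels; the domain
# suffixes are assumptions for illustration and should match your own data.
WATCHED_SUFFIXES = {
    "discord": ("discord.com", "discordapp.com", "discordapp.net"),
    "trello": ("trello.com", "trello-attachments.s3.amazonaws.com"),
}

# Hosts with a documented business use of a service (hypothetical).
APPROVED = {"trello": {"10.0.7.4"}}

LINE_RE = re.compile(r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)$")


def classify(qname):
    """Return the watched service a query name belongs to, or None."""
    qname = qname.lower().rstrip(".")
    for service, suffixes in WATCHED_SUFFIXES.items():
        if any(qname == s or qname.endswith("." + s) for s in suffixes):
            return service
    return None


def find_unapproved_lookups(log_text):
    """Map (client_ip, service) -> [query names] for lookups of watched
    services from hosts that are not approved to use that service."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate malformed lines instead of aborting
        _ts, client, qname = m.groups()
        service = classify(qname)
        if service and client not in APPROVED.get(service, set()):
            hits[(client, service)].append(qname)
    return dict(hits)


if __name__ == "__main__":
    for (client, svc), names in find_unapproved_lookups(SAMPLE_DNS_LOG).items():
        print(f"{client} -> {svc}: {', '.join(names)}")
```

A hit is a starting point for a conversation with the host's owner, not proof of compromise; the value is in knowing which systems would be reachable through a channel you thought was unused.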
Organizations should also stay up-to-date with patches for their internet-facing and business-critical software, Olson added. As usual, preparing for a potential attack comes down largely to basic security hygiene and version management.
When it comes to preparing more specifically for a ransomware or wiper attack, companies should develop a business continuity plan. "Plan for if your systems are shut down, and getting the business stakeholders involved so that they know what the impact could be if one of their critical databases or other systems is shut down," Olson said.
Especially in the case of data-wiping malware, "you're going to need to recover, and you won't have the ability to just pay some bitcoin to get your files back," he said.
Finally, be prepared to respond quickly to an attack. "Time is always of the essence, especially when you have a threat actor who's trying to have a broad impact against organizations, against critical infrastructure," Olson said. "The sooner you're able to isolate hosts and take action, the better."
Perform tabletop exercises, run through playbooks and communication plans, and have an incident response team waiting in the wings, he added.
That is to say, though it appears to be relatively quiet at the moment on the cybersecurity front, it's better to have a plan in place than to lapse into complacency and cynicism. ®
Updated to add
"Atlassian has already deployed detections to identify these malicious campaigns, which has allowed us to immediately suspend suspicious Trello boards and accounts. Our security team continues to monitor for any signs of further abuse," an Atlassian spokesperson told The Register.
"It should be noted that most apps on the internet that allow users to share text or files (including email, WhatsApp and Twitter) can be misused to spread malicious links and attachments. The campaigns were not enabled by Trello product vulnerabilities, and Trello user data has not been compromised."