Trustwave’s Action Response: Russia-Ukraine Crisis – Defending Your Organization From Geopolitical Cybersecurity Threats

Feb. 28 Update: The latest economic sanctions imposed upon Russia could inspire that nation or cyber groups working to support Russia to lash out against Western targets. With that in mind, Trustwave SpiderLabs wants to reiterate that all organizations must remain vigilant and, if they have not already done so, redouble their efforts to fortify their networks against a cyberattack due to the ongoing Russian attack on Ukraine.

Trustwave security and engineering teams are on heightened alert and are actively monitoring malicious cyber activity associated with and adjacent to the escalating military conflict between Russia and Ukraine. Trustwave is working closely with its clients around the world to enhance cyber preparedness during this time.  

Organizations that operate in high-value, critical industries such as banking, critical infrastructure (energy, oil and gas, etc.) and supply chain should especially elevate their cyber posture during this time. 

We have engaged our security teams across our global footprint to continuously harden our own cyber resilience and ensure service continuity for our clients as events unfold.  

As the situation evolves and additional threat intelligence becomes available, we will continue to proactively detect and respond to emerging threats.  

In addition to monitoring for cyberattacks and malware use during this time, the Trustwave SpiderLabs team is actively monitoring for phishing, social engineering techniques and Dark Web chatter associated with these events to further enhance cyber detection and response for our clients. For MSS clients with solutions managed by Trustwave, we are validating that available detective and preventive policies are deployed and are conducting historical searches for associated activity.

Trustwave is prepared to issue a swift response and assist any organizations that fall victim to cyberattacks associated with these geopolitical events.  

Act Now: Government Agency Guidance to Prepare for Potential Threats  

The Cybersecurity and Infrastructure Security Agency (CISA) recently issued multiple alerts associated with potential malicious nation-state cyber activity. CISA recommends all organizations – regardless of size – adopt a heightened posture when it comes to cybersecurity and protecting their most critical assets. 

Trustwave encourages all organizations to follow CISA’s “Shields Up” guidance.

CISA has specifically provided guidance and resources for critical infrastructure organizations, which could be particularly targeted during this time:  

"The Russian government understands that disabling or destroying critical infrastructure – including power and communications – can augment pressure on a country's government, military and population and accelerate their acceding to Russian objectives," CISA said. 

Organizations across regions should also review the following guidance from CISA’s partner agencies:  

What Type of Organizations Are at a Higher Risk During this Time 

Organizations with business dealings with Ukrainian and Russian firms should take extra care to monitor, inspect and isolate traffic from organizations in that geography and closely review access controls for that traffic. Again, organizations that operate in high-value, critical industries such as banking, critical infrastructure (energy, oil and gas, etc.) and supply chain should especially elevate their cyber posture during this time. 

Nation-state or associated actors may have capabilities and intentions beyond those of a run-of-the-mill cybergang that is just looking to make a profit. With enough time and money, a nation-state is likely to succeed in gaining access, so it is imperative that organizations have a robust plan to detect and respond to a breach or major event, not only to prevent one.

It is also essential to keep in mind that threat actors do not always have financial gain in mind when launching an attack. There are times when a threat actor simply wants to break something, hinder operations, and cause chaos for geopolitical or ideological reasons. 

All organizations should practice their response plans and remain vigilant. 

Stay Alert: New Malware and Malicious Tooling Emerging  

Organizations should also be aware of the new or repurposed malware tools now in the wild. The Russian-linked threat actor known as Sandworm (also tracked as Voodoo Bear) is using a “large-scale modular malware framework” that UK and US cyber agencies have dubbed Cyclops Blink. Cyclops Blink targets network devices (the advisory describes deployments to WatchGuard firewall appliances) and has largely replaced the VPNFilter malware in Sandworm’s activities since at least June 2019. The advisory was published by the UK National Cyber Security Centre (NCSC); organizations should confirm that perimeter devices are running current firmware and that their management interfaces are not exposed to the Internet.

Additionally, according to ESET Research, Ukrainian organizations have been hit by a cyberattack involving new data-wiping malware called HermeticWiper. The malware has impacted hundreds of computers across several networks. Because a wiper destroys data rather than holding it for ransom, recovery depends on offline, tested backups rather than on any negotiation.

This malware attack followed a wide-scale distributed denial-of-service (DDoS) attack that took many important Ukrainian websites offline.

Trustwave Nation-State Threat Defense Insights and Recommendations

The playbook organizations should use to keep safe from a nation-state or associated cyberattack during this time remains the same. Having the cyber fundamentals in place is critical now more than ever. Here are some of our top recommendations for organizations, in line with the guidance provided by leading government cyber agencies:   

  • Ensure that cybersecurity/IT personnel focus on identifying, detecting, assessing and responding to any unexpected or unusual network behavior.   
  • Conduct proactive threat hunting to ensure unknown threats are not lurking within your environment. 
  • Conduct an asset audit focusing on assets that have external access; eliminate stale accounts and check privileged access. 
  • Conduct a third-party vendor / supply chain assessment. Focus on those places where third parties have access to your environment. Ensure no old entry points are left open.  
  • Institute multi-factor authentication (MFA) for internal and external users. Check that passwords are strong. 
  • Bring your workers to a higher state of alert, tell them to triple check links and attachments in emails before clicking to guard against phishing attacks.
  • Deploy an effective endpoint detection and response (EDR) solution.
  • Conduct crisis simulations to ensure all parts of your organization are prepared to respond to a major cyber event, not just IT staff. 
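The asset-audit, stale-account and MFA items above are easy to state and easy to leave half-done. The following is an added example, not Trustwave’s code, showing one way to turn those three recommendations into a repeatable check. It assumes you can export your directory or identity provider into a small CSV with the columns shown (username, last login, privileged flag, MFA flag, external-access flag); the column names, the 90-day inactivity threshold and the sample rows are all constructed for illustration.

```python
"""Audit an account export for stale, privileged-without-MFA and
external-without-MFA accounts.

Added example, not Trustwave's code. The CSV layout, the column names,
the STALE_DAYS threshold and SAMPLE_EXPORT are assumptions made for the
example; adapt them to whatever your directory or IdP actually exports.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

STALE_DAYS = 90  # assumed inactivity threshold; tune to your policy


@dataclass(frozen=True)
class Account:
    username: str
    last_login: Optional[date]  # None means the account has never logged in
    privileged: bool
    mfa_enabled: bool
    external_access: bool       # reachable from outside (VPN, SaaS, partner link)


# Constructed sample export, not real data.
SAMPLE_EXPORT = """username,last_login,privileged,mfa_enabled,external_access
alice,2022-02-20,true,true,true
svc_backup,2021-08-01,true,false,false
vendor_portal,2021-11-15,false,false,true
bob,2022-02-27,false,false,false
old_admin,,true,false,true
"""


def _flag(value: str) -> bool:
    """Interpret the usual spellings of a boolean column."""
    return value.strip().lower() in ("true", "1", "yes")


def parse_export(text: str) -> list:
    """Turn the CSV export into Account records; an empty last_login is 'never'."""
    accounts = []
    for row in csv.DictReader(io.StringIO(text)):
        last = row["last_login"].strip()
        accounts.append(Account(
            username=row["username"].strip(),
            last_login=date.fromisoformat(last) if last else None,
            privileged=_flag(row["privileged"]),
            mfa_enabled=_flag(row["mfa_enabled"]),
            external_access=_flag(row["external_access"]),
        ))
    return accounts


def audit(accounts, as_of: date, stale_days: int = STALE_DAYS) -> dict:
    """Return usernames grouped by finding, in export order."""
    cutoff = as_of - timedelta(days=stale_days)
    findings = {"stale": [], "privileged_without_mfa": [], "external_without_mfa": []}
    for a in accounts:
        # Never-used accounts count as stale: they are pure attack surface.
        if a.last_login is None or a.last_login < cutoff:
            findings["stale"].append(a.username)
        if a.privileged and not a.mfa_enabled:
            findings["privileged_without_mfa"].append(a.username)
        if a.external_access and not a.mfa_enabled:
            findings["external_without_mfa"].append(a.username)
    return findings


def sample_findings() -> dict:
    """Run the audit over the constructed export as of 28 Feb 2022."""
    return audit(parse_export(SAMPLE_EXPORT), as_of=date(2022, 2, 28))


if __name__ == "__main__":
    for category, names in sample_findings().items():
        print(f"{category}: {', '.join(names) or 'none'}")
```

Accounts that appear in more than one list (here the never-used, privileged, externally reachable `old_admin`) are the ones to disable first; a stale internal account is a cleanup item, while a privileged or externally reachable account without MFA is an open door. Re-running this after every change makes the “ensure no old entry points are left open” item verifiable rather than a one-off.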

The Long-Term Cyber Impact Trustwave is Keeping an Eye On 

There is a possibility that the malware and other techniques attackers use will eventually make their way into the hands of conventional threat actors. 

It is not uncommon for malicious code to get sold, traded, dispersed and then used for attacks against targets across industries like retail, e-commerce, etc. This activity might not take place for several months. Trustwave is actively monitoring for malicious techniques and code collaborations and sales on the Dark Web.   
