The ongoing war between Russia and Ukraine has placed organizations worldwide on full alert due to the possibility that cyberattacks related to the conflict may impact organizations outside of the region.
Trustwave's Darren Van Booven, Lead Principal Consultant, and Grayson Lenik, Director of Consulting and Professional Services, Trustwave Government Solutions, recently conducted a webinar “Russia-Ukraine Crisis – Defending Your Organization from Geopolitical Cybersecurity Threats” that looked at the current threat landscape and made cyber defense recommendations for organizations.
Malicious Cyber Activity During This Time
After several weeks of warfare between Russia and Ukraine, an equivalent scale confrontation on the cyber front has not been opened. However, there have been some notable activities. For example, Russian-tied hackers have utilized wiper malware against Ukrainian organizations, and the notorious Conti ransomware gang and the Anonymous hacker group took sides.
Trustwave SpiderLabs researchers also saw Dark Web chatter with threat actors attempting to gather forces to defend Ukraine. These discussions included launching Distributed Denial of Service (DDoS) attacks against the Russian government and military websites.
Another possibility comes in the form of widespread malware. An attacker could release a malware variant like Not Petya equipped with a wormable functionality and, even though the attacker aimed the malware at a specific target, it could spread. If the malware developers don't put controls in the software to limit how it spreads, it can then end up being disbursed worldwide over the Internet striking any system that's vulnerable.
Hacking groups also seem to be taking advantage of the chaos during this time. The Lapsus$ ransomware gang has recently attacked NVIDIA, Samsung and Vodafone and is looking to bolster its ranks by putting a call out for recruits and access to other organizations.
Russia-Ukraine Crisis – Defending Your Organization from Geopolitical Cybersecurity Threats
As the geopolitical stage becomes increasingly tumultuous, organizations across the globe need to be in a heightened state of alert regarding their cybersecurity. Watch this session as our security experts share their commentary and advice in response to potential state-sponsored attacks from Russia.
Take These Proactive Preventive Steps Today
These cyber fundamentals are not only pertinent during a time of crisis. The best practices we've outlined that align with CISA's Shield Up recommendations continue to prove effective and necessary for a strong cybersecurity posture. Organizations today already operate in a state of continual threat, and they should immediately implement the actions noted below if they have not done so already.
- Multifactor Authentication (MFA): The number one recommendation we make is for all organizations to enable multifactor authentication.
We respond to events from organizations and clients where they were exploited by not having multifactor authentication. MFA is something that we say is the bare minimum requirement that you must have and if you don't have that enabled for all of your users today, that alone creates an immediate, high-risk situation for your organization.
- Cyber Insurance: Having cyber insurance is key. However, the fact that a major war taking place right now has a cyber component could cause a problem even for those with general coverage.
First, make the call today to see if you are covered or exposed. If you have insurance, check to see if the policy contains any exclusions. Today, many organizations have cyber insurance policies that cover the impact on your business if an attacker brings down your system with a cyberattack. However, some policies have an exclusion stating that the insurance policy does not cover acts of war.
Exactly what an "act of war" is can be broadly interpreted, and it’s good to know what other exclusion the policy includes, so reach out today and ask your underwriter.
- Threat Intelligence: There are two layers to conducting threat intelligence within your organization.
At the top level, speak to your staff about what is going on in the world. This communication can vary from a new malware making the rounds that workers should be aware of or a major event like the Russia-Ukraine conflict. This internal monitoring will help staffers "tune in" to what they might see on their system so they can alert the proper team to take action.
On a more technical note, when it comes to vulnerabilities and malware, speed is key.
With new malware, it doesn't take long for someone to start exploiting the threat in the wild. To be on top of that, you need to obtain the indicators of compromise and any other information you can about what's going on and perhaps who may be the focus of an attack. Once the IoCs are in hand, you can apply the necessary defenses to your organization. There are many places to obtain this information, such as the Cybersecurity and Infrastructure Security Agency, the National Security Agency and commercial threat intel companies.
- Phishing Tests: Runphishing tests using the latest techniques that attackers employ. Here you can use your threat intel skills to develop a plan. For example, if security folks have spotted threat actors using a wiper-type malware in a phishing campaign, you can build a test around how the attacker is presenting the malware in emails.
If you conduct this test properly, you will get an accurate indication of how your staff will react. For example, in one recent case, a client ran such a test on 1,200 workers; 250 did in fact, click on the link, and 100 of those gave their username and password. So, while these numbers are alarming, it was a good test of what can happen, and now the company knows where to focus its efforts.
- Threat hunting: We recommend looking into your environment using the IOCs you have gathered regarding current threats. Conducting these exercises is a good habit regardless of the geopolitical situation. For example. if you are worried about a specific weakness or have a new IoC in hand, you can conduct a scan to ensure your system is safe.
- Vulnerability Scanning: For the most part, we have noticed many organizations do conduct vulnerability scans. Sometimes it's done to comply with regulations or part of a vulnerability management program that is in place.
A good scan should review your ingress and egress traffic controls, look at your access control list on your web application firewalls, next-generation firewall, and router control lists. It's never too late to go back through and take a deep dive look at what you are and are not restricting.
- Backup Data: Ransomware can spread and encrypt backups, so it's imperative these are checked for malware.
- Pen and Red Team Testing: Conducting these exercises essentially puts your security team and its response plans through all the points previously mentioned.
A good penetration test or Red Team will include threat intelligence, a phishing test vulnerability scanning, and review ingress and egress controls. So, if you're not doing Red Team or penetration testing, we would highly recommend finding a solid provider. However, if you do have a provider, it might be good to schedule your quarterly a little bit early.
Trustwave Continues to Stay Vigilant
All organizations should be operating in a state of heightened alert. Organizations particularly in critical infrastructure, supply chain, healthcare and financial services should take extra precautions.
As the situation evolves and additional threat intelligence becomes available, we will continue to proactively detect and respond to emerging threats for our clients.
Remember, while cyberattacks can happen at any time, hacking groups typically strike when organizations are short-staffed -- Friday afternoons, weekends or during holiday breaks. Have a plan in place for when an attack happens outside of business hours. Ensure your organization has configured its environment for that possibility and is executing the cyber fundamentals correctly.
Many organizations just throw technology at the issue but don't have the staff to execute the plan. Harden your cyber defenses by having the right people with the right skills.