Cybersecurity Snapshots #27 - Organizations Are Urged to Be On the Lookout for Potential Russian Cyberattacks

The US Cybersecurity and Infrastructure Security Agency (CISA) is urging organizations to strengthen their security posture and stay on alert for potential Russian cyberattacks. According to CISA, all organizations in the US are at risk from cyberattacks that could disrupt essential services and impact public safety. CISA is not currently aware of a specific threat to US organizations but stated that, due to the increasing tensions at the Ukraine border, the Russian government might consider "escalating its destabilizing actions" to impact entities outside of Ukraine. CISA is warning that the Russian government understands that disabling or destroying critical infrastructure, including power and communications, can augment pressure on a country's government, military, and population and accelerate their acceding to Russian objectives. Russia has conducted cyberattacks in the past to help advance its agenda.

In 2017, the NotPetya cyberattack was directed initially at Ukrainian private companies before it spilled over and destroyed systems worldwide. NotPetya masqueraded as ransomware, but in fact it was a purely destructive and highly viral piece of code. The destructive malware used in January against Ukraine to deface and disable more than 70 government websites, now known as WhisperGate, also pretended to be ransomware while aiming to destroy critical data, rendering machines inoperable. Russian threat actors were behind both NotPetya and WhisperGate, according to researchers. The White House said the NotPetya attack caused more than $10 billion in global damage and deemed it "the most destructive and costly cyberattack in history." In 2015 and 2016, Russian hackers attacked Ukraine's power grid and turned out the lights in the capital city of Kyiv. During the invasion and seizure of Crimea in 2014, Russian hackers shut down telecommunications systems in the region, including by jamming the mobile phones of Ukrainian members of parliament. In 2008, the Russian invasion of Georgia was preceded by a swarm of digital attacks that overwhelmed Georgian government websites with traffic and temporarily disabled them, including the website of the country's president. Russia also launched cyberattacks that overwhelmed the websites of Estonian government agencies and other national institutions in 2007 over disagreements around Estonia's decision to move a Soviet-era World War II statue. While intelligence agencies worldwide have pinned these attacks on Russia, Moscow historically has either denied the incidents or avoided comment.

The Department of Homeland Security believes that if the US imposes sanctions on Russia, Russia may be prompted to conduct cyberattacks on US critical infrastructure. The past year alone has made it clear how vulnerable key aspects of life in the US are to being disabled by hackers. The ransomware attacks against Colonial Pipeline and JBS disrupted key supply chains, and an unsuccessful attempt by a hacker to compromise a water treatment plant and poison the water supply in Oldsmar, Florida, illustrated the potential for cyberattacks to harm millions. Christopher Painter, the former coordinator for cyber issues at the State Department under the Obama and Trump administrations, stated that if Russia launched massive cyberattacks on the US or other Ukraine allies, it would mark a turning point in cyber warfare and challenge the idea that cyberattacks are less serious than physical assaults.

CISA is currently working with critical infrastructure partners to increase awareness of potential threats and is now urging all organizations to be proactive and make sure their most critical assets are well defended in the event of an attack. CISA recommends that organizations ensure multi-factor authentication is enabled for all remote access to their environments, including privileged or administrative access; keep all software updated and prioritize patching against known exploited vulnerabilities; disable all unused ports and protocols; and ensure that strong controls are implemented for all cloud services that may be in use. CISA also recommends that organizations ensure their cybersecurity/IT personnel can quickly identify and address unusual network behavior; keep their environments protected with security products; make sure that a response plan is in place in the event of an intrusion; and maximize resilience to destructive cyberattacks. CISA noted that organizations that work with Ukrainian organizations should take extra care to monitor, inspect, and isolate traffic from those organizations.