The cybersecurity authorities of the U.S., Australia, Canada, New Zealand, and the U.K. released a joint Cybersecurity Advisory on April 20, warning organizations based in these countries that Russia’s invasion of Ukraine could expose them to increased rates of malicious cyber activity. This notice comes as a response to the unprecedented economic sanctions imposed on Russia and Russia’s reaction to the U.S. and its allies providing military equipment to Ukraine.
SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)
Attacks by Russian-backed cyberthreat groups have included DDoS attacks on Ukraine and destructive types of malware deployed against the Ukrainian government and organizations tasked with upkeep of the country’s critical infrastructure. The CSA notice also provides a comprehensive history of Russia’s state-sponsored attacks as well as what organizations should be on the lookout for as the war continues.
“If you’re a critical infrastructure operator, and you aren’t already paying attention to potential cybersecurity consequences of the war in Ukraine, then this warning is unlikely to make a difference,” said Tim Erlin, vice president of strategy at Tripwire. “On the other hand, if you’re a critical infrastructure operator and you’re looking for a concrete reason to convince someone else in your organization to care about these threats, then this is a very useful advisory.”
Countries supporting Ukraine should be wary of cyber attacks
Some cybercriminal groups vowing to support Russia in its attack on Ukraine have expressed threats against countries providing material support to Ukraine as well. These collectives of Russian-sponsored cyberterrorists are believed to be carrying out attacks based on perceived virtual offenses against the country of Russia and its people, according to the briefing.
The cyber threat groups in question have a multitude of offensive hacking weapons at their disposal, ranging from malware and ransomware to DDoS attacks and cyber espionage, warns the CSA. Cyber threat actors from the following organizations are believed to have carried out attacks against IT and OT networks:
- The Russian Federal Security Service
- Russian Foreign Intelligence Service
- Russian General Staff Main Intelligence Directorate
- GRU’s Main Center for Special Technologies
- Russian Ministry of Defense
One particular group CSA has been monitoring is Berserk Bear. This group has been known to specifically target organizations in the areas of energy, transportation and defense within western Europe and North America. The Berserk Bear hacking collective has been known to conduct scans with the intent to attack internet-facing infrastructure and network appliances, conducting brute-force attacks against public-facing web applications and leveraging compromised infrastructure, according to the report.
What organizations can do to prepare for potential attacks
As Russian-backed hacking groups ramp up their cyber offensive against countries supporting Ukraine, the advisory urges organizations to protect their critical information and infrastructure against any impending attacks. Four main tips are provided by the CSA to enterprises strengthening against a possible attack:
- Patch all systems: Prioritize patching known exploited vulnerabilities
- Enforce multi-factor authentication
- Secure and monitor Remote Desktop Protocol and other risky services
- Provide end-user awareness and training
Erlin adds that these suggestions align with his recommendations.
“There is an incredible, and quite possibly overwhelming, amount of detail in this joint advisory,” he said. “If you’re looking for a history of Russian-aligned threat groups and activity, this advisory is a good place to start. With a broad threat like this, it’s difficult to lay out a single mitigating activity that’s likely to make a difference. So much of what needs to be done falls into the category of foundational best practices, but that reality shouldn’t prevent critical infrastructure organizations from taking action. The best time to implement these controls may be in the past, but the second best time to do so is right now.”
Subscribe to the Cybersecurity Insider Newsletter
Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered Tuesdays and Thursdays