According to cyber security officials in the United States, Australia, Canada, New Zealand and the United Kingdom, Russia’s invasion of Ukraine could expose organizations both within and outside the region to malicious cyber activity from Russian state-sponsored threat actors or Russian-aligned cybercrime groups. Attacks may increase.
This malicious activity may occur in response to the unprecedented economic sanctions imposed on Russia, as well as to the assistance provided to Ukraine by the U.S. and its allies, notes the joint Cybersecurity Advisory (CSA).
The CSA points to recent Russian state-sponsored cyber operations involving distributed denial-of-service (DDoS) attacks. Older operations have included deploying destructive malware against the Ukrainian government and critical infrastructure organizations.
In addition, some cybercrime groups have publicly pledged their support for the Russian government and have threatened to conduct cyber operations in retaliation for alleged crimes against it. Other cybercrime groups have recently launched disinformation attacks against Ukrainian websites, possibly in support of the Russian military offensive.
The CSA also provides an overview of technical details on several Russian state-sponsored cyber operations and Russian-aligned cyber threat and cybercrime groups, including:
Russian Federal Security Service (FSB), including FSB Center 16 and Center 18
Russian Foreign Intelligence Service (SVR)
Russian General Staff Main Intelligence Directorate (GRU), 85th Main Special Service Center (GTSS)
GRU’s Main Center for Specialized Technologies (GTSST)
Russian Ministry of Defense, Central Scientific Institute of Chemistry and Mechanics (TsNIIKhM)
Preparedness is the key to mitigating cyber threats from Russian state-sponsored or criminal actors. The cyber authorities encourage organizations to take the following steps to prepare and reduce risk:
Build, maintain, and exercise cyber incident response and continuity-of-operations plans. Make sure the cyber incident response plan includes ransomware- and DDoS-specific annexes. For information on preparing for DDoS attacks, see the NCSC-UK guidance on preparing for denial of service attacks.
Maintain offline (i.e., physically disconnected) backups of data. Backups should be taken on a frequent, regular basis (at least every 90 days).
Ensure that all backup data is encrypted, immutable (i.e., cannot be changed or deleted), and covers the entire organization’s data infrastructure, focusing on key data assets.
Develop recovery documentation that includes configuration settings for common devices and critical equipment. Such documentation can enable a more efficient recovery after an incident.
Identify the attack surface by mapping and accounting for all outside-facing assets (applications, servers, IP addresses) that are vulnerable to DDoS attacks or other cyber operations.
For OT assets/networks, develop a resilience plan that covers data backup procedures, recovery procedures, manual controls, and the interdependence of OT and IT networks, and test it.
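The backup and recovery steps above (offline, encrypted, immutable, taken at least every 90 days, and covering all key data assets) can be turned into a readiness check that runs against an inventory of backup sets. The following Python script is an added example, not part of the advisory or this article; the backup manifest it audits is constructed, and the field names (offline, encrypted, immutable_until, assets) are assumptions about how such an inventory might be recorded.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, List, Optional, Tuple

# Policy value taken from the advisory text: backups at least every 90 days.
MAX_BACKUP_AGE_DAYS = 90


@dataclass(frozen=True)
class BackupSet:
    """One backup set as recorded in a (hypothetical) backup inventory."""
    name: str
    taken_at: datetime            # when the most recent copy was taken
    offline: bool                 # physically disconnected from the network
    encrypted: bool               # data at rest is encrypted
    immutable_until: Optional[datetime]  # retention lock expiry, None if unlocked
    assets: FrozenSet[str]        # key data assets this set covers


# Constructed sample inventory; the names and dates are illustrative only.
NOW = datetime(2022, 5, 1, tzinfo=timezone.utc)
CRITICAL_ASSETS = frozenset(
    {"customer-db", "hr-db", "fileshare", "erp", "ad-domain-controllers"}
)
SAMPLE_BACKUPS = [
    BackupSet("db-nightly", datetime(2022, 4, 30, tzinfo=timezone.utc),
              offline=True, encrypted=True,
              immutable_until=datetime(2022, 7, 29, tzinfo=timezone.utc),
              assets=frozenset({"customer-db", "hr-db"})),
    BackupSet("fileshare-weekly", datetime(2022, 1, 15, tzinfo=timezone.utc),
              offline=False, encrypted=True, immutable_until=None,
              assets=frozenset({"fileshare"})),
    BackupSet("erp-monthly", datetime(2022, 4, 28, tzinfo=timezone.utc),
              offline=True, encrypted=False,
              immutable_until=datetime(2022, 4, 29, tzinfo=timezone.utc),
              assets=frozenset({"erp"})),
]

Finding = Tuple[str, str, str]  # (backup set or "coverage", issue code, detail)


def audit_backups(backups: List[BackupSet], critical_assets: FrozenSet[str],
                  now: datetime, max_age_days: int = MAX_BACKUP_AGE_DAYS
                  ) -> List[Finding]:
    """Check every backup set against the advisory's backup guidance and
    report each gap as a finding. An empty list means the inventory is
    compliant with the checks implemented here."""
    findings: List[Finding] = []
    covered = set()
    for b in backups:
        age = now - b.taken_at
        if age > timedelta(days=max_age_days):
            findings.append((b.name, "STALE",
                             f"last copy is {age.days} days old (limit {max_age_days})"))
        if not b.offline:
            findings.append((b.name, "NOT_OFFLINE",
                             "copy is network-reachable and could be encrypted by ransomware"))
        if not b.encrypted:
            findings.append((b.name, "NOT_ENCRYPTED", "data at rest is not encrypted"))
        # A retention lock only helps while it is still in force.
        if b.immutable_until is None or b.immutable_until <= now:
            findings.append((b.name, "NOT_IMMUTABLE",
                             "no active retention lock; copy can be changed or deleted"))
        covered.update(b.assets)
    # Coverage check: every key data asset must appear in at least one set.
    for asset in sorted(critical_assets - covered):
        findings.append(("coverage", "UNCOVERED_ASSET", f"{asset} has no backup set"))
    return findings


def main() -> None:
    for name, code, detail in audit_backups(SAMPLE_BACKUPS, CRITICAL_ASSETS, NOW):
        print(f"[{code}] {name}: {detail}")


if __name__ == "__main__":
    main()
```

Run as-is, the script reports the stale, network-attached and unlocked file share backup, the unencrypted ERP backup whose retention lock has already expired, and the domain controllers that no backup set covers. Pointing audit_backups at a real inventory export makes the same checks repeatable as part of incident response plan testing.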
It’s always important for organizations to take such warnings seriously, says Joseph Carson, CISO, chief security scientist and advisor at Delinea.
“In addition to traditional security practices, while organizations have invested in an incident response plan, many incident responses are far from ready. Every organization needs to have a well-defined and tested incident response plan to deal with cyberattacks,” Carson explains. “How well you define and test your plan can make the difference between simply creating a plan and reacting quickly and effectively to a cyberattack. Let’s face it: The world can change in the blink of an eye, so you can no longer shut down high-priority security projects. It is time to move from reactive security to proactive security and secure your security decisions for the future. Take the time now to test your security resilience and responsiveness.”