Shields up! No, we are not quoting one of the many Star Trek scripts that included that command, nor are we referring to Star Wars Episode V. We are directly quoting the Shields Up Alert issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) on February 23 as the Russian-Ukrainian conflict came to a head. The alert began with the following warning:
“While there are no specific or credible cyber threats to the U.S. homeland at this time, Russia’s unprovoked attack on Ukraine, which has involved cyber-attacks on Ukrainian government and critical infrastructure organizations, may impact organizations both within and beyond the region, particularly in the wake of sanctions imposed by the United States and our Allies. Every organization—large and small—must be prepared to respond to disruptive cyber activity.”
Jen Easterly, who heads CISA, added that the nation should brace itself for an uptick in ransomware. On March 4th, USA Today described the potential Russian cyberthreat against small businesses in the West as a “ticking timebomb.” While there have been warnings before, it's obvious that this time things are different.
Just as military planners across the globe are preparing for heightened awareness and possible war escalation, it's time for every digitally connected organization to prepare as well for another type of warfare, one in which national borders and sovereignty have no place. It is the cyberwar, the hidden war that is developing underneath the roar of tanks and gunfire. Even those who feel they have no dog in the fight are not exempt.
As part of the alert, CISA provided a list of 95 vulnerabilities that Russian cyber threat actors have been known to exploit. Users are encouraged to update their systems to harden them against attack. Within three hours of the military invasion by Russia, Microsoft joined the cyber fray after detecting new virus strains, including a new Trojan dubbed FoxBlade that had infected Ukrainian government systems. FoxBlade is used to distribute denial-of-service attacks as well as to wipe the data of infected systems. Microsoft has created a patch for this latest threat that is available for download. CISA and the FBI issued a joint advisory concerning two other destructive malware variants named WhisperGate and HermeticWiper. Both implement wiper attacks, as they set out to erase the entire hard drive of an infected computer, thus making it inoperable.
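Turning a published list of exploited vulnerabilities into a prioritized patch list is the practical side of the "update your systems" advice above. The script below is an added example, not HALOCK's or CISA's code. It assumes the catalogue uses the same field names as CISA's public Known Exploited Vulnerabilities (KEV) JSON feed (cveID, vendorProject, product, dueDate, requiredAction); the catalogue entries, the asset inventory and the CVE identifiers in it are constructed placeholders, not the 95 vulnerabilities from the alert or any real CVE. Because such catalogues carry no version information, a vendor/product match is treated as a "verify and patch" item, and the inventory records which CVEs have already been confirmed patched on each host.

```python
"""Prioritise patching against a KEV-style catalogue of exploited vulnerabilities.

Added example (not HALOCK's or CISA's code). Field names follow CISA's KEV feed;
all catalogue entries, hosts and CVE IDs below are constructed placeholders.
"""
import json
from datetime import date

# Constructed sample catalogue in the KEV feed's shape. The CVE IDs are placeholders.
SAMPLE_CATALOG_JSON = """
{
  "title": "constructed sample catalogue",
  "vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "MailGateway",
     "vulnerabilityName": "placeholder remote code execution", "dateAdded": "2022-02-23",
     "dueDate": "2022-03-09", "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "VPNAppliance",
     "vulnerabilityName": "placeholder authentication bypass", "dateAdded": "2022-02-23",
     "dueDate": "2022-03-16", "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-0000-0003", "vendorProject": "OtherVendor", "product": "Spreadsheet",
     "vulnerabilityName": "placeholder memory corruption", "dateAdded": "2022-02-23",
     "dueDate": "2022-03-09", "requiredAction": "Apply updates per vendor instructions."}
  ]
}
"""

# Constructed asset inventory. "patched" holds CVE IDs already verified fixed on that host.
SAMPLE_INVENTORY = [
    {"host": "mx01", "vendor": "ExampleVendor", "product": "MailGateway", "patched": set()},
    {"host": "vpn01", "vendor": "ExampleVendor", "product": "VPNAppliance", "patched": {"CVE-0000-0002"}},
    {"host": "ws-finance-07", "vendor": "OtherVendor", "product": "Spreadsheet", "patched": set()},
    {"host": "ws-hr-02", "vendor": "OtherVendor", "product": "WordProcessor", "patched": set()},
]


def normalise(name):
    """Case- and whitespace-insensitive key so inventory spellings match the catalogue."""
    return name.strip().lower()


def load_catalog(text):
    """Parse the catalogue JSON and index entries by (vendor, product)."""
    data = json.loads(text)
    index = {}
    for entry in data["vulnerabilities"]:
        key = (normalise(entry["vendorProject"]), normalise(entry["product"]))
        index.setdefault(key, []).append(entry)
    return index


def exposed_assets(catalog_index, inventory, today):
    """Return (host, cveID, days_until_due) for every unpatched match, most urgent first.

    A negative days_until_due means the catalogue's due date has already passed.
    """
    findings = []
    for asset in inventory:
        key = (normalise(asset["vendor"]), normalise(asset["product"]))
        for entry in catalog_index.get(key, []):
            if entry["cveID"] in asset["patched"]:
                continue  # already verified fixed on this host
            due = date.fromisoformat(entry["dueDate"])
            findings.append((asset["host"], entry["cveID"], (due - today).days))
    findings.sort(key=lambda f: (f[2], f[0]))
    return findings


def main():
    index = load_catalog(SAMPLE_CATALOG_JSON)
    for host, cve, days in exposed_assets(index, SAMPLE_INVENTORY, date(2022, 3, 1)):
        status = "OVERDUE" if days < 0 else f"due in {days} days"
        print(f"{host:16} {cve}  {status}")


if __name__ == "__main__":
    main()
```

Run as-is it reports the two hosts still exposed and skips the VPN appliance whose only matching CVE is recorded as patched; swapping SAMPLE_CATALOG_JSON for the real feed and SAMPLE_INVENTORY for an export from your asset management tool turns it into a daily check.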
Global Hacker Volunteers Involved
In the same way that news stories have mentioned volunteer militia soldiers who have come to Ukraine to aid it in the fight, hackers from around the world are also stepping up to partake in the conflict across the digital plains of battle. Ukraine's Minister of Digital Transformation announced the creation of a volunteer cyber army that now has 290,000 followers on its Telegram channel. The assembly of hackers on both sides is adding a new layer of chaos and disruption as the warring factions knock out government websites on both sides and leak data from rival hacking operations. In an article in the New York Times, the Director of Threat Intelligence at Cisco Talos described the situation as bonkers and unprecedented. He went on to say, “This is not going to be solely a conflict among nations. There are going to be participants that are not under the strict control of any government.” One such group, which refers to itself as Anonymous, openly declared cyberwar on Russia. They have since taken credit for hacking the Russian Ministry of Defense and taking down the official websites of the Kremlin. They are also believed to have hacked multiple state TV channels across Russia to post pro-Ukrainian content. Another pro-Ukrainian cyber group called Network Battalion 65 claims to have breached the Russian Nuclear Institute and released over 40,000 pages of documents to prove it. The exfiltrated documents could be used to aid future attacks and sabotage operations against the institute.
Limited Damage as of Yet
Just prior to its military invasion of Ukraine, Russian hackers launched attacks on 70 Ukrainian government websites and disrupted operations of the country's two largest banks, PrivatBank and Oschadbank. Shortly after the attack, customers of the two banks confirmed they were unable to access their online accounts. Cybersecurity company Avanan reported that since February 27 it has witnessed an 8x increase in email-borne attacks originating from Russia. It went on to say that a large volume of the attacks was targeting sea shipping companies and auto manufacturers.
Outside of these events, however, the Russians appear to be holding back thus far. Security experts believe that because Putin expected a swift takeover, he purposely held back his cyber forces from actively engaging against the West so as not to trigger an all-out cyberwar. Concerns are growing, however, that the lack of military progress, coupled with the crippling economic sanctions initiated by the West, will encourage him to take additional measures to put pressure on NATO and its allies.
Preparedness and an Incident Response Plan Are the Key
The initial success of the Ukrainian forces is a vivid example of how it pays to be prepared. It is a good idea to operate with a heightened awareness of cyber hygiene. This includes measures such as taking greater diligence in patching and updating everything in your enterprise and encouraging greater vigilance in your user base when clicking on links and attachments or trusting content received from anonymous sources.
You should also dust off your incident response plan (IRP) and ensure that it is up to date, and you should test it with a rehearsal. Your IRP should outline your chosen plan of action to contain an attack. A Florida hospital was recently able to contain a ransomware attack quickly, thanks to the fast initiative of its Director. On the field of battle, there is little time to ponder. You also need defined roles for everyone involved, going up to the top levels of your organization, including C-level management. Your IRP should outline when to summon local law enforcement, as well as the contact information for forensic specialists, public relations and legal teams, and any additional team members who will assist in remediation. It should also define who serves as the face of the organization during the crisis through PR efforts.
What You Can Do
An incident response plan is key to overcoming the disruptions, reputational damage, and costs of a cyber incident. Review your existing incident strategy. HALOCK has been assisting companies in developing their incident response plans to ensure they are prepared for that unthinkable event. As international tension accelerates, your incident response readiness should be reviewed and refined.