The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is encouraging increased cyber security awareness in a new “Shields Up” advisory released last week as tensions escalate between Ukraine and Russia.
Russia has threatened a new invasion of Ukraine, an escalation of the Russo-Ukrainian War that began in 2014. The cyber security implications of these threats have already been felt, as Ukrainian tech companies ramp up for potential conflict. In addition, CISA reported last month that Ukraine was being hit with destructive malware attacks, though these attacks were not directly attributed to a specific entity.
Whilst the advisory is directed towards organisations in the U.S., experts have speculated that any cyber warfare from Russia is likely to target organisations across the West, specifically key allies of the U.S. such as the UK.
The Russian government has used cyber warfare as a key component of its force projection over the last decade, including previously in Ukraine in the 2015 timeframe. The Russian government understands that disabling or destroying critical infrastructure—including power and communications—can increase pressure on a country’s government, military and population, and accelerate their acceding to Russian objectives.
While there are not currently any specific credible threats to the UK, the Russian government may consider escalating its destabilising actions in ways that may impact others outside of Ukraine. Based on this situation, CISA has been working closely with critical infrastructure partners over the past several months to ensure awareness of potential threats—part of a paradigm shift from being reactive to being proactive.
CISA recommends all organisations—regardless of size—adopt a heightened posture when it comes to cyber security and protect their most critical assets. Recommended actions include:
Maximise the organisation’s resilience to a destructive cyber incident
- Test backup procedures to ensure that critical data can be rapidly restored if the organisation is impacted by ransomware or a destructive cyber attack; ensure that backups are isolated from network connections.
- If using industrial control systems or operational technology, conduct a test of manual controls to ensure that critical functions remain operable if the network is unavailable or untrusted.
Reduce the likelihood of a damaging cyber intrusion
- Validate that all remote access to the organisation’s network and privileged or administrative access requires multi-factor authentication.
- Ensure that software is up to date, prioritising updates that address known exploited vulnerabilities.
- Ensure that signatures for detection software are up to date.
- Confirm that the organisation’s IT personnel have disabled all ports and protocols that are not essential for business purposes.
- If the organisation is using cloud services, ensure that IT personnel have reviewed and implemented strong controls in line with good security practice.
- Keep abreast of the latest developments in the ever-evolving cyber threat landscape, to help reduce exposure to emerging threats.
Take steps to quickly detect a potential intrusion
- Ensure that cyber security/IT personnel are focused on identifying and quickly assessing any unexpected or unusual network behaviour; enable logging to better investigate issues or events.
- Confirm that the organisation’s entire network is protected by antivirus/antimalware software and that signatures in these tools are updated.
- If working with Ukrainian organisations, take extra care to monitor, inspect, and isolate traffic from those organisations; closely review access controls for that traffic.
Ensure that the organisation is prepared to respond if an intrusion occurs
- Designate a crisis-response team with main points of contact for a suspected cyber security incident and roles/responsibilities within the organisation, including technology, communications, legal and business continuity.
- Assure availability of key personnel; identify means to provide surge support for responding to an incident.
- Conduct tabletop exercises to ensure that all participants understand their roles during an incident.
ITC’s SOC remains vigilant regarding this rapidly evolving threat and is performing threat hunting exercises across our customers’ environments to establish whether there has been any malicious activity relating to these events.