Russia’s invasion of Ukraine could expose organizations within and beyond the region to increased cyberattacks from Russian state-sponsored threat actors or Russian-aligned cybercrime groups, according to several cybersecurity authorities in the United States, Australia, Canada, New Zealand, and the United Kingdom.
Malicious activity may occur as a response to unprecedented economic sanctions imposed on Russia, as well as the support provided by the U.S. and allies to Ukraine, the joint Cybersecurity Advisory (CSA) notes.
The CSA points to recent Russian state-sponsored cyber operations that have included distributed denial-of-service (DDoS) attacks. Older operations have included deploying destructive malware against the Ukrainian government and critical infrastructure organizations.
In addition, some cybercriminal groups have publicly pledged their support for the Russian government and have threatened to conduct cyber operations in retaliation for perceived offensives against the Russian government. Other cybercrime groups have recently conducted disruptive attacks against Ukrainian websites, likely in support of the Russian military offensive.
The CSA also provides an overview of technical details on several Russian state-sponsored cyber operations and Russian-aligned cyber threat and cybercrime groups, including:
- The Russian Federal Security Service (FSB), including FSB’s Center 16 and Center 18
- Russian Foreign Intelligence Service (SVR)
- Russian General Staff Main Intelligence Directorate (GRU), 85th Main Special Service Center (GTsSS)
- GRU’s Main Center for Special Technologies (GTsST)
- Russian Ministry of Defense, Central Scientific Institute of Chemistry and Mechanics (TsNIIKhM)
Preparation is key to mitigating cyber threats from Russian state-sponsored or criminal actors. All cyber authorities encourage organizations to implement several steps to further prepare for and mitigate risks:
- Create, maintain, and exercise a cyber incident response and continuity of operations plan. Ensure the cyber incident response plan contains ransomware- and DDoS-specific annexes. For information on preparing for DDoS attacks, see NCSC-UK guidance on preparing for denial-of-service attacks.
- Maintain offline (i.e., physically disconnected) backups of data. Backup procedures should be conducted on a frequent, regular basis (at a minimum every 90 days).
- Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure, focusing on key data assets.
- Develop recovery documentation that includes configuration settings for common devices and critical equipment. Such documentation can enable more efficient recovery following an incident.
- Identify the attack surface by mapping and accounting for all external-facing assets (applications, servers, IP addresses) vulnerable to DDoS attacks or other cyber operations.
- For OT assets/networks, identify a resilience plan that addresses how to operate if you lose access to — or control of — the IT and/or OT environment, including data backup procedures, recovery procedures, testing of manual controls, and identifying OT and IT network interdependencies.
Joseph Carson, chief security scientist and Advisory CISO at Delinea, says it’s always important for organizations to take warnings seriously.
“In addition to traditional security practices, while organizations have invested in an incident response plan, many are far from being incident response ready. Every organization needs a well-defined and tested incident response plan to combat cyberattacks,” Carson explains. “How well you define and test your plan can make the difference between simply having a plan and responding quickly and effectively to a cyberattack. Let’s face it: the world can change in the blink of an eye, so you can no longer put off high-priority security projects. It is a time to move from reactive security to proactive security and future-proof your security decisions. Take the time now to test your security resilience and responsiveness.”