While nearly every organization is under constant attack, Russia’s invasion of Ukraine adds an important new dimension to the cybersecurity landscape. While the attacks are generally focused on Ukrainian infrastructure and pro-Ukrainian sites, the impact zone of these weapons can expand, and the attacks are sometimes scattershot and quite voluminous. This poses a problem for CIOs and CISOs around the world: during this time of intense aggression and global discord, it’s hard to know precisely how to prepare.
Where we stand today
Russian cyber activity so far appears to be focused on denial-of-service (DoS) attacks and the random and widespread deployment of malware that erases data from databases and devices. Because of their “cut it loose and see what sticks” approach, it’s difficult to ascribe specific attacks to Russian hackers. But clear evidence shows a long-term focus on attacks in Ukraine that target communications, financial institutions and critical infrastructure, and lately these attacks have been coordinated with real-world military attacks. One particular piece of malware, dubbed “WhisperGate,” has been wiping data from computers in banks, government agencies and other organizations in those countries.
A direct attack on U.S. companies — or even those in western Europe — may still seem remote, but the circumstances of these recent attacks targeting Russia’s eastern European foes are eerily similar to the “NotPetya” attack of 2017. NotPetya was intended to disrupt power grids and communications in Ukraine, but it quickly spread to a number of cloud data centers and cost FedEx, Merck and other global enterprises more than $1B.
Emerging concerns present threats to western companies
The U.S. State Department identified two groups within the Russian central intelligence organization (called the “GRU”) that it believes were responsible for NotPetya — as well as similar attacks on the 2018 Winter Olympics and a sustained campaign to interrupt Emmanuel Macron’s (eventually successful) bid for the French presidency. There is evidence that one of these groups, called Sandworm, is preparing to target satellite communications in the U.S., as well as in some western European countries. As with the 2017 NotPetya attack, the effects of an attack like this could quickly spread into data centers and networks around the world and impact hundreds of organizations — particularly those in the aviation, media and energy sectors. A $10M bounty has been placed on these two GRU groups, but it seems no progress has been made on slowing them, much less capturing them.
If Sandworm and other Russian hacker units are indeed voraciously pushing out malware and initiating DoS attacks, there is a strong likelihood that we’ll see the same kind of viral pattern we saw in 2017. Attacks could easily make their way into public cloud data centers or even private clouds, indiscriminately wiping out high-value data for businesses all over the world.
Growing cyber risk demands cyber defense readiness checks
For CISOs and CIOs, the small-but-real possibility of a Russian-initiated attack makes it worth the time it takes to review the Cybersecurity and Infrastructure Security Agency (CISA) risk mitigation recommendations. Even if you’re not directly subjected to one of these attacks in the coming weeks and months, deploying CISA’s recommendations will improve your ability to withstand inevitable attacks from a wide range of threat actors. Here is a quick summary of CISA’s advice for corporate leaders and CEOs, which has been aptly titled “Shields Up.”
- Empower Chief Information Security Officers (CISO): In this heightened threat environment, senior management should empower CISOs by including them in the decision-making process for risk to the company, and ensure that the entire organization understands that security investments are a top priority in the immediate term.
- Lower Reporting Thresholds: Every organization should have documented thresholds for reporting potential cyber incidents to senior management and to the U.S. government. In this heightened threat environment, these thresholds should be significantly lower than normal.
- Participate in a Test of Response Plans: Cyber incident response plans should include not only your security and IT teams, but also senior business leadership and Board members… senior management should participate in a tabletop exercise to ensure familiarity with how your organization will manage a major cyber incident, not only to your company but also to companies within your supply chain.
- Focus on Continuity: Investments in security and resilience should be focused on those systems supporting critical business functions. Senior management should ensure that such systems have been identified and that continuity tests have been conducted to ensure that critical business functions can remain available subsequent to a cyber intrusion.
- Plan for the Worst: Senior management should ensure that exigent measures can be taken to protect your organization’s most critical assets in case of an intrusion, including disconnecting high-impact parts of the network if necessary.
In addition to following the CISA guidelines, developing a proactive cyber-defense strategy should be a priority for any organization with high-value digital assets.
Defending your terrain: Protecting your digital infrastructure
War is, unfortunately, a fitting metaphor for the growing cyber risk. Considering the volume and viciousness of the attacks, it’s clear that organizations are fighting a war every day to protect data and other critical assets. So, it might make sense to view your digital infrastructure as your terrain. Think of it as a thriving digital landscape that you’ve built — and one that is under constant attack by various threat actors.
In theory, because you’ve built your infrastructure, you should know it better than any unwanted intruder. You should know precisely where your most valuable assets reside, and you should be able to predict where threat actors might try to access your network. Acting on this knowledge should give you the high ground: the upper hand in building defenses, managing identities, encrypting data, training security teams, mitigating intrusions — and even laying traps for attackers once they’re inside your network.
Part of the payoff of following CISA guidelines and building a proactive plan is to avoid the costs of making ransomware payments or suffering the financial blow of disruptions to your business continuity. But the bigger payoff is confidence: the ability to build a digital-first business, then pursue your goals without fear.