Community Advisory: Escalating Russian Cyber Threats Due to Conflict
U.S. officials are warning of potential cyberattacks due to the Russia/Ukraine conflict and U.S. sanctions against Russia. “Every organization—large and small—must be prepared to respond to disruptive cyber activity,” warned CISA in a “SHIELDS UP” advisory. The attacks raise the risk for all U.S. organizations for two general reasons:
- Collateral damage – Russian malware designed for Ukraine may affect U.S. entities
- Direct targeting of U.S. entities – In retaliation for the sanctions, the Russian government may directly target U.S. victims
Researchers have already discovered destructive new “wiper” malware installed on hundreds of Ukrainian systems. This malware destroys the victim’s data and may damage the device’s Master Boot Record (MBR), making access and recovery very difficult or impossible. Its behavior is similar to the infamous NotPetya “faux-ransomware” launched in Ukraine in 2017.
U.S. and international businesses were devastated by NotPetya, which caused billions of dollars in damage around the world. The latest wiper malware is likely to have massive impact beyond Ukraine. Watch our video for more information.
Direct Targeting of U.S. Entities
In response to U.S. sanctions, Russian officials have warned of a “strong response” against Americans. This may involve compromising new victims or leveraging access to victims where Russian cybercriminals have already gained a foothold. Attackers may exploit unpatched software vulnerabilities or leverage new zero-day attacks, which has been a trend during the past year. In addition, any login interfaces that are not protected by multifactor authentication may be easy targets.
In some cases, Russian hackers may have already compromised and established persistent access to organizations which they could leverage to cause damage or steal data.
What You Need to Do
- Make sure you are patched against known vulnerabilities—attackers could leverage existing vulnerabilities to conduct mass compromise. Read our Log4j and Exchange alerts for more information, and check the CISA Known Exploited Vulnerabilities Catalog for critical patches your organization needs to apply.
- Check for existing threats in your network using Endpoint Detection & Response (EDR) and Threat Hunting tools.
- Configure your endpoint detection and IDS/IPS systems to detect suspicious activity.
- Carefully monitor and respond to all vulnerability and security alerts relating to affected software and systems.
- Use a web application firewall that is configured to automatically update and block attacks.
- Ensure that multifactor authentication (MFA) is deployed and used, especially for Internet-facing login interfaces.
- Use a password manager to support users in choosing strong, unique passwords, especially for Internet-facing interfaces and high-value systems.
- Stay vigilant against phishing attacks and ask your team to do the same. Download and share our tip sheets for more information: How to Stop Phishing Attacks, How to Spot a Phishing Email
- Ensure that your backups are working properly and can’t be overwritten. Make sure to back up server configuration files in addition to data repositories.
- Talk to your key suppliers to make sure they are prepared for potential impacts. Identify suppliers that store or process sensitive data on your behalf, or which have a high degree of access to your IT resources and focus on following up with these organizations first.
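The first step above, checking the CISA Known Exploited Vulnerabilities catalog against what you actually run, is easy to automate. The following Python script is an added example, not LMG's or CISA's code: it parses a catalog in the layout of CISA's public KEV JSON feed, pairs each entry with a software inventory by vendor and product, and lists the matches whose CISA remediation due date has already passed. The catalog and inventory embedded below are constructed for the example; the CVE IDs, vendor and product names, and dates are placeholders, not real catalog entries. The feed URL is the real one, but the live download is only a helper and is not called by default so the script runs offline.

```python
"""Cross-reference a software inventory against a catalog in the CISA KEV feed layout.

Added example (not LMG's code). The SAMPLE_CATALOG and SAMPLE_INVENTORY below are
constructed placeholders in the shape of CISA's known_exploited_vulnerabilities.json.
"""
import json
from datetime import date
from urllib.request import urlopen

# Real location of the CISA KEV feed; fetch_catalog() uses it but is never called here.
KEV_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed sample in the KEV feed layout. CVE IDs, vendors, products and
# dates are placeholders, not real catalog entries.
SAMPLE_CATALOG = json.dumps({
    "title": "Constructed sample in the CISA KEV feed layout",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor",
         "product": "Mail Gateway", "vulnerabilityName": "Placeholder remote code execution",
         "dateAdded": "2022-02-10", "shortDescription": "placeholder",
         "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2022-02-24"},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor",
         "product": "VPN Appliance", "vulnerabilityName": "Placeholder authentication bypass",
         "dateAdded": "2022-02-20", "shortDescription": "placeholder",
         "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2022-03-06"},
        {"cveID": "CVE-0000-0003", "vendorProject": "OtherVendor",
         "product": "Database Server", "vulnerabilityName": "Placeholder privilege escalation",
         "dateAdded": "2022-01-05", "shortDescription": "placeholder",
         "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2022-01-19"},
    ],
})

# Constructed asset inventory: which vendor/product runs on which host.
# Case differs from the catalog on purpose to exercise the normalization.
SAMPLE_INVENTORY = [
    {"host": "mx01", "vendor": "examplevendor", "product": "mail gateway"},
    {"host": "vpn01", "vendor": "ExampleVendor", "product": "VPN Appliance"},
    {"host": "web01", "vendor": "ExampleVendor", "product": "Web Portal"},
]


def parse_catalog(raw_json):
    """Return the catalog's vulnerability entries after a sanity check on the layout."""
    data = json.loads(raw_json)
    entries = data.get("vulnerabilities", [])
    if "count" in data and data["count"] != len(entries):
        raise ValueError("catalog 'count' does not match the number of entries")
    return entries


def fetch_catalog(url=KEV_URL):
    """Download and parse the live feed (helper only; not used by the offline run)."""
    with urlopen(url, timeout=30) as resp:
        return parse_catalog(resp.read().decode("utf-8"))


def _key(vendor, product):
    # Vendor and product strings in the feed are free text, so normalize before comparing.
    return (vendor.strip().lower(), product.strip().lower())


def match_inventory(entries, inventory):
    """Pair each inventory item with every catalog entry naming its vendor and product."""
    by_key = {}
    for entry in entries:
        by_key.setdefault(_key(entry["vendorProject"], entry["product"]), []).append(entry)
    matches = []
    for asset in inventory:
        for entry in by_key.get(_key(asset["vendor"], asset["product"]), []):
            matches.append({"host": asset["host"], "cveID": entry["cveID"],
                            "dueDate": entry["dueDate"],
                            "requiredAction": entry["requiredAction"]})
    return matches


def overdue(matches, today_iso):
    """Matches whose CISA due date (YYYY-MM-DD) is earlier than today_iso, oldest first."""
    today = date.fromisoformat(today_iso)
    late = [m for m in matches if date.fromisoformat(m["dueDate"]) < today]
    return sorted(late, key=lambda m: m["dueDate"])


if __name__ == "__main__":
    found = match_inventory(parse_catalog(SAMPLE_CATALOG), SAMPLE_INVENTORY)
    for m in found:
        print(f"{m['host']}: {m['cveID']} due {m['dueDate']} - {m['requiredAction']}")
    print("overdue:", [m["cveID"] for m in overdue(found, "2022-03-01")])
```

On a real inventory the vendor and product strings rarely line up with the feed's wording, so expect to maintain a small alias table (or match on a product substring) in front of `_key`; the exact-match rule here is deliberately strict so that a miss is visible rather than silently absorbed. Swapping `SAMPLE_CATALOG` for `fetch_catalog()` turns this into a daily check that can feed your ticketing or alerting.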
LMG will continue to monitor the developing situation and provide updates as they become available. If you have any questions or suspect that your network may have been compromised, contact us immediately for assistance.
Email: [email protected]; Hotline: 406-830-3165 x 1