Special Advisory: Russia’s Invasion of Ukraine and Preparing for Potential Cyber Attacks

03.02.22 | Blog Post

As has been widely reported, the turmoil and devastation caused by Russia’s unprovoked invasion of Ukraine may not be limited to the two nation-states. While direct, immediate attacks on US and allied countries are not expected, the interdependency of the global supply chain – and the global software supply chain – presents serious risks. As Forgepoint portfolio company Interos revealed in their analysis, Russia and Ukraine are key to our shared economy, with multi-tier supplier relationships opening up a multitude of vulnerabilities now ripe for exploitation by bad actors either perpetuating or taking advantage of this conflict. Governments and companies around the world could easily become collateral damage, given the malevolent power of malware in triggering widespread infection and resulting business disruptions, with devastating consequences. So how can organizations protect their people, data, and assets?

The Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) issued this guidance to businesses and organizations on how to prevent and respond to cyberattacks. Building on their recommendations, here are the key measures we advise for any organization to heighten its security posture, mitigate risk, and ensure employee safety, data security, and operational continuity:

  1. Refresh employee cybersecurity awareness on the dangers of phishing, malware, and ransomware, and on how to protect against and respond to attacks.
  2. Turn off network access points when not in active use (e.g. at the end of the day or over the weekend). This removes the window in which an intruder can reach the network through them.
  3. Turn off computers, devices, and printers when not in use (or at least put them into “airplane mode”). This defends against lateral movement and against unknown backdoors initiating outbound connections.
  4. Enable multi-factor authentication (MFA) on every app employees log into (email, banking, Affinity, SAP, Concur, Salesforce, etc.). This defends against impersonators and account takeover.
  5. Back up critical business information and databases to cold (off-network) storage, and refresh the backup at least weekly. This enables restoration of the business with minimal loss of service in the event of ransomware, wipers, or other destructive events.
  6. Have IT staff enable logging on apps and endpoints, and periodically ship those logs to storage (ultimately to an extended detection and response (XDR) service, but at minimum to retained storage). This enables threat hunting and evidence preservation as IOCs emerge and are released and shared – for collective defense.

Once 1 through 6 are in order, we also strongly recommend the following to shore up defenses:
  • updating endpoint detection and response (EDR) and ensuring maximum coverage
  • implementing privileged access management (PAM) for just-in-time admin and service access
  • using browser isolation with MFA enforcement (as Island does)
  • double-checking certificate and DNS expiration dates, verifying email filtering protections, and subscribing to SASE/SD-WAN segmented access to networks and apps
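As an added illustration of item 6 above (hunting through preserved endpoint logs once IOCs are shared), and not code from the original post or from any company it mentions: the script below assumes a simple key=value log line format and uses constructed placeholder indicators, not real ones.

```python
import re

# Constructed IOC set (placeholder values, not real indicators), in the
# type -> set-of-values shape a shared feed would be normalised into.
IOCS = {
    "sha256": {"a" * 64},
    "domain": {"updates.bad-example.test"},
    "ipv4": {"203.0.113.45"},
}

# Constructed sample endpoint log lines (assumed "ts host=... key=value" format).
SAMPLE_LOGS = """\
2022-03-01T08:12:04Z host=laptop-17 type=dns query=updates.bad-example.test
2022-03-01T08:12:05Z host=laptop-17 type=net dst=203.0.113.45:443 proto=tcp
2022-03-01T08:12:09Z host=laptop-17 type=exec sha256={h} path=C:\\Users\\a\\t.exe
2022-03-01T09:00:00Z host=printer-2 type=net dst=10.0.0.5:9100 proto=tcp
2022-03-01T09:30:11Z host=laptop-03 type=dns query=mail.example.org
""".format(h="a" * 64)

TS_HOST_RE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+(?P<rest>.*)$")
HASH_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)

def extract_candidates(text):
    """Pull every hash, IPv4 address and hostname-looking token from a line,
    regardless of which field it sits in, so new log fields still get checked."""
    return {
        "sha256": {m.lower() for m in HASH_RE.findall(text)},
        "ipv4": set(IPV4_RE.findall(text)),
        "domain": {m.lower() for m in DOMAIN_RE.findall(text)},
    }

def hunt(log_text, iocs):
    """Return (timestamp, host, ioc_type, value) for each IOC hit, in log order."""
    hits = []
    for line in log_text.splitlines():
        m = TS_HOST_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the hunt
        found = extract_candidates(m.group("rest"))
        for kind, values in found.items():
            wanted = {x.lower() for x in iocs.get(kind, ())}
            for v in sorted(values & wanted):
                hits.append((m.group("ts"), m.group("host"), kind, v))
    return hits

def hosts_with_hits(hits):
    """Distinct hosts that matched at least one IOC, for the responder's triage list."""
    return sorted({h[1] for h in hits})

if __name__ == "__main__":
    results = hunt(SAMPLE_LOGS, IOCS)
    for hit in results:
        print(*hit)
    print("hosts to triage:", hosts_with_hits(results))
```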


At Forgepoint, we’re honored to partner with innovative, mission-driven companies actively working to help organizations and their people protect against cyberattacks and enable secure and viable innovation. Many of our portfolio companies are actively monitoring the Russia-Ukraine conflict while providing guidance on how to achieve cyber readiness and hands-on support to get there. We’ve highlighted several below – to learn more, please follow Forgepoint on LinkedIn.


IRONNET

IronNet, which is transforming cybersecurity through Collective Defense, is working tirelessly to unite organizations across sectors, geographies, and industries to share threat data and collaborate anonymously and in real time. The IronDefense network detection and response (NDR) platform then identifies unknown threats using behavioral analytics, while automating threat enrichment, including alert severity, so that every organization and stakeholder can act. In addition to posting this guidance on Preparing enterprise networks for destructive Russian cyber attacks, IronNet maintains this blog on Russian invasion: ongoing updates of cyber actions to track. For more information, we highly recommend following IronNet on LinkedIn for ongoing updates – including the latest insights from Founder, Chairman & Co-CEO Gen. (Ret.) Keith Alexander, a four-star general with a 40-year military career that included standing up US Cyber Command and serving as Director of the National Intelligence Agency and Chief of the Central Security Service. Per his recent interview on CNBC’s Squawk on the Street,

“Cyber is an element of national power. It will be used in this conflict against countries, it’s already being used against Ukraine. I think it will be used against [the U.S.], in Europe, against finance, energy, and the government. It will be used to break the will of the people, to stay in this contest of sanctions versus the physical assault that Russia has going against Ukraine. This is a new form of warfare, where the public and private sector have to work together. We have to work together.” – Gen. (Ret.) Keith Alexander, CEO of IronNet

Interested in joining the movement? Access threat intelligence or become a partner. You can also follow IronNet on LinkedIn.


ATTIVO NETWORKS

Attivo Networks, expert providers of identity security and lateral movement attack prevention across endpoints, Active Directory, and cloud environments, just published this illuminating blog on HermeticWiper: A New Data Wiper Malware Targeting Ukraine Systems. This is just the beginning.

“The impact of the Russian invasion of Ukraine will have a significant impact on cybersecurity challenges for companies and governments in the U.S., allied with the U.S., and especially for the Ukraine. We can expect to see more frequent attacks against the U.S. financial sector, the U.S. Treasury Department, the U.S. State Department and many others focused on actions around sanctions. Previous ground gained in pushing the Russian government to shut down criminal ransomware gangs focused on targeting U.S. companies will likely evaporate and it’s possible those same gangs will be encouraged to increase their illicit activity.” – Tony Cole, CTO of Attivo Networks

For more insight, follow Attivo Networks on LinkedIn.


CONSTELLA

Constella, which provides digital risk protection solutions to enable organizations everywhere to defend their employees and executives from cyber threats, outlined how the Ukraine Crisis might impact organizations and employees and asked company leaders in this blog, Is Your Critical Infrastructure Protected from Cyberattacks? As quoted in this Security Magazine op-ed Global hybrid warfare introduces cyber threats to companies amid the Russia-Ukraine crisis,

“Proactive defensive cybersecurity actions, including ensuring that your company has advanced monitoring, threat detection, and response capabilities in place, must be taken to prevent companies, executives and employees from paying the price of global hybrid warfare.” – Kailash Ambwani, CEO of Constella

Constella’s Threat Intelligence Team continues to analyze the impact of the invasion across the entire digital threat landscape and will provide regular updates. To learn more, check out this special microsite they created on The Crisis in Ukraine and follow Constella on LinkedIn.


CYBERCUBE

CyberCube delivers powerful cyber insurance risk analytics for the global insurance industry, enabling greater profitability by equipping insurers with the ability to make insight-driven risk decisions, see trends before they become claims, and tackle critical challenges. In this recent report, “War in Ukraine creates fundamental shift in the cyber threat landscape”, CyberCube encourages insurers and reinsurers to urgently re-evaluate their exposures and stress test their portfolios against the threat of conflict-related cyber attacks.

“The risk of a cyber disaster impacting (re)insurers’ portfolios is higher as a result of Russia’s intent, opportunity, and capability to compromise single point of failure (SPoF) targets that give them widespread and unfettered access to critical computer networks and data. Hacktivist coalitions and cyber criminals are taking sides, with prolific groups pledging services to aid the Russian government’s war machine.” – Darren Thomson, Head of Cyber Security Strategy at CyberCube

To learn more about the report, read this announcement. You can also follow CyberCube on LinkedIn.


INTEROS

Interos, an operational resilience and supply chain risk management platform, continues to share insightful analysis and call for greater global transparency through their blog, asking important questions every business leader should answer to ensure resilience and maintain employee and customer trust. In addition to the post above, see Supply Beacon Vol. 5 – Russian Invasion of Ukraine Spurs Supply Chain and Cyber Concerns and Critical Questions for Business Leaders with Commercial Ties to Russia and Ukraine. These are challenging times, but organizations will persevere with the right preparation.

“With proper analysis, planning, and unyielding compassion for every person and business caught up in this tragedy, it is possible to mitigate significant risk, ensure operational resilience, and avoid supply chain disruption.” – Jennifer Bisceglie, CEO of Interos

To learn more, follow Interos on LinkedIn.


NOWSECURE

NowSecure, a leading mobile app security software company, points out that 70% of all digital time and traffic is spent on mobile apps, and attackers are exploiting it. Are your mobile employees and your mobile data safe?

A few years ago, Russian hackers tracked Ukrainian artillery units using an Android mobile app implant. The NSO Group more recently exploited the Apple iMessage app. With built-in GPS and numerous sensors, mobile apps are ideal targets for tracking users and harvesting data. NowSecure finds that few organizations test and monitor their mobile app supply chain, and so do not know whether the mobile apps they install from app stores, or the components their mobile app developers use, originate from Russia or transmit data to Russia, China, or other risky nation states.

“With mobile as a soft underbelly of IT and security teams, every organization should include mobile apps in their risk management program. More importantly today, if you have employees, partners and suppliers in or near the active region in eastern Europe consider warning them about mobile app risks and testing your mobile app portfolio.” – Alan Snyder, CEO of NowSecure

To learn more, check out the live data in the NowSecure MobileRiskTracker™ and follow NowSecure on LinkedIn.


SOLCYBER

SolCyber, the modern managed security services provider (MSSP), just published this Security Advisory for the Russia-Ukraine conflict outlining observations about increased hacker activity and the potential for peripheral attacks, along with guidance for users and organizations alike on communications and misinformation, critical updates and backups, and how else to stay protected.

“SMEs should be on heightened alert during this period. While so far there doesn’t seem to be a significant escalation of attacks to these organizations, they may end up being caught directly in the crossfire. It would be logical for hackers and/or nation states to take advantage of the situation to target businesses and employees alike. Obviously, it is important to be vigilant and make sure employees are briefed and updated on the situation, especially around conflict-related phishing.” – Scott McCrady, CEO of SolCyber

For more information, follow SolCyber on LinkedIn.

UPTYCS

Uptycs, which provides a unified cloud-native security analytics platform for endpoint and cloud, authored this blog on CISA Shields Up: Quick Teardown, outlining to corporate leaders and CISOs how best to implement, measure, and report on controls across critical asset categories, including productivity endpoints (Windows and macOS laptops) and cloud infrastructure (Linux, containers, and cloud service providers). In their related CISA Shields Up webinar, they’ll walk through all the guidance and address implementation across the four phases of hardening, detection, response, and resilience. Buttoning down these controls is critical as we confront the known and unknown in the days ahead.

“The nature of these threats is beyond the traditional research-driven prescriptive solutions offered by security vendors. It is likely that new toolkits and malicious software [are] being developed and released, which [are] not known to the vendor community yet for analysis and detection.” – Uptycs’ Threat Research Team

They also posted this blog on Destructive Wipers: What You Need to Know detailing this debilitating form of malware currently being deployed against Ukraine and potential spillover. For more information, follow Uptycs on LinkedIn.

We’ll update this blog on an ongoing basis and provide additional guidance as needed. Ultimately, it’s vital that every organization revisit their crisis-response plans together with their key stakeholders and adopt a proactive approach to defense and cybersecurity preparedness.