Updated: Firms Encouraged to Remain Vigilant Due to Heightened Cybersecurity Concerns Over the Current Situation in Ukraine
This post was updated on February 25.
The rising geopolitical tensions between Russia and Ukraine, which resulted in heightened cybersecurity concerns in the region, boiled over on February 24, 2022, as Russia mobilized forces across the border and launched a series of airstrikes. In the weeks preceding the invasion, Ukrainian government, bank, and commercial websites experienced wave after wave of cyber-attacks. Accordingly, both the UK’s National Cyber Security Centre (NCSC) and the US Cybersecurity & Infrastructure Security Agency (CISA) have released guidance on action steps firms can take to bolster and protect their cyber programs. The following provides a contextual background of the cyber threat landscape surrounding the conflict in Ukraine and outlines recommended action steps to mitigate risk to your organization.
Current cyber threat landscape surrounding Ukraine
The volatile situation between Russia and Ukraine has resulted in a wave of cyber-attacks against Ukrainian organizations in recent weeks.
January 14, 2022
- Attack on Ukrainian government websites
- Mass website defacement affecting nearly 80 different government sites
January 15, 2022
- Microsoft Threat Intelligence Center publishes information detailing a data-wiping malware targeting multiple organizations such as government agencies, non-profits, and IT companies in Ukraine
February 1, 2022
- U.S. dispatched a top cybersecurity official to deter and disrupt Russian cyber-attacks
February 15, 2022
- Wave of DDoS attacks against Ukraine defense ministry and army, as well as sites of two of Ukraine's largest banks
- Likely cost millions of dollars
February 21, 2022
- The EU activated its Cyber Rapid Response Team, a group of cybersecurity experts from member states, to help Ukraine fend off Russian cyber-attacks
February 23, 2022
- Ukrainian government (Parliament, Security Service, and Cabinet Ministers) and bank websites became inaccessible during mass outage from suspected wave of DDoS
- New, more sophisticated "wiper" malware attack detected, which destroys data on infected machines
While these attacks have generated some level of panic, they have thus far been largely confined to the region and relatively mild in terms of damage. The concern voiced by many, however, is that these attacks could grow in intensity and severity as the conflict progresses, resulting in far greater damage and global impact. A senior official from the U.S. Department of Homeland Security warned that transport networks and broadcast media could be shut down by cyber-attacks, while the Ukrainian Minister of Economic Development, Trade, and Agriculture Pavlo Kukhta warned of attacks on the power grid.
The history between these two countries suggests that the possibility of escalating cyber-attacks and cyber warfare is not unfounded. In 2017, the Russian military unleashed the malware campaign known as NotPetya, which caused significant damage to the Ukrainian financial system and then spread worldwide, causing upwards of $10 billion in damages globally. The Security Service of Ukraine (SBU) reported more than 2,200 cyber-attacks on critical Ukrainian infrastructure in 2021 alone.
With globally connected financial systems and supply chains, it is important firms, especially those with business ties in the region, are aware of the possibility of this conflict spreading beyond the physical borders of Ukraine and Russia and into organizations’ networks.
Action steps to take
Both the UK’s NCSC and the U.S. CISA have issued guidance on immediate action steps organizations should take to insulate themselves from escalating cyber-attacks surrounding the conflict in Ukraine. While neither agency has identified specific threats to organizations outside the region to date, both recommend that firms follow the action steps in their guidance to remain resilient and stay ahead of possible future attacks. Key takeaway: firms that work with Ukrainian organizations should be especially diligent about monitoring and isolating traffic from those specific entities. The following summarizes the guidance put forward by NCSC and CISA.
Secure access controls
- Ensure staff are using strong and unique passwords that are not shared across other, non-business systems.
- Carefully review any accounts that have privileged or administrative access and remove old, unused, or unrecognized accounts. Ensure that accounts that have privileged access or other rights are carefully managed and, where possible, use multi-factor authentication (MFA). Privilege can refer to system administration, but also to access to sensitive resources or information, so ensure resources are also adequately protected.
- Validate that all remote access to the organization’s network and privileged or administrative access requires MFA.
- Confirm that the organization’s IT personnel have disabled all ports and protocols that are not essential for business purposes.
- Ensure your users’ desktops, laptops, and mobile devices are all patched, including third-party software such as browsers and office productivity suites. If possible, turn on automatic updates. Prioritize updates that address vulnerabilities listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog. CISA has also published a catalog of free tools to help critical infrastructure owners combat cyber threats amid the rising tensions.
- Ensure your internet-facing services are all patched for known security vulnerabilities.
- Ensure, where possible, that your key business systems are all patched. Where there are unpatched vulnerabilities, ensure that other mitigations are in place.
Test your backups
- Confirm that your backups are running correctly. Perform test restorations from your backups to ensure that the restoration process is understood and familiar.
- Check that there is an offline copy of your backup - and that it is always recent enough to be useful if an attack results in loss of data or system configuration.
- Ensure machine state and any critical external credentials (such as private keys and access tokens) are also backed up, not just data.
Logging and monitoring
- Ensure that cybersecurity/IT personnel are focused on identifying and quickly assessing any unexpected or unusual network behavior. Enable logging in order to better investigate issues or events.
- Understand what logging you have in place, where logs are stored and for how long logs are retained. If possible, ensure that your logs are kept for at least one month.
- If working with Ukrainian organizations, take extra care to monitor, inspect, and isolate traffic from those organizations; closely review access controls for that traffic.
- Ensure antivirus software is installed and regularly confirm that it is active on all systems and that signatures are updating correctly.
- Check your firewall rules are as expected – specifically check for temporary rules that may have been left in place beyond their expected lifetime.
- Check that records of your external internet-facing footprint are correct and up to date. This includes things like which IP addresses your systems use on the internet or which domain names belong to your organization. Ensure that domain registration data is held securely in accounts supported by multi-factor authentication.
- Perform an external vulnerability scan of your whole internet footprint and check that everything you need to patch has been patched. Internet-connected services with unpatched security vulnerabilities are an unmanageable risk.
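The firewall-rule check above (temporary rules left in place past their expected lifetime) is straightforward to automate if temporary rules are tagged when they are created. The following script is an added example, not part of the NCSC or CISA guidance or of this post. It assumes an iptables-save style export and a tagging convention, which is an assumption of this example rather than anything the guidance prescribes: temporary rules carry a comment beginning with "TEMP" and an "until=YYYY-MM-DD" field. The sample ruleset embedded in the script is constructed for illustration.

```python
"""Flag temporary firewall rules that have outlived their expiry date.

Added example (not from the original post). It assumes an iptables-save
style export and a tagging convention that is itself an assumption of
this example: temporary rules carry a comment beginning with "TEMP" and
an "until=YYYY-MM-DD" field set when the rule is created.
"""
import re
from datetime import date

# Constructed sample export for illustration; not a real ruleset.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
-A INPUT -s 10.0.0.0/8 -p tcp --dport 22 -j ACCEPT
-A INPUT -s 203.0.113.7/32 -p tcp --dport 3389 -m comment --comment "TEMP until=2022-01-31 ticket=CHG-1042 vendor RDP" -j ACCEPT
-A INPUT -s 198.51.100.0/24 -p tcp --dport 443 -m comment --comment "TEMP until=2022-03-15 ticket=CHG-1100" -j ACCEPT
-A INPUT -p tcp --dport 5900 -m comment --comment "TEMP vnc for migration" -j ACCEPT
COMMIT
"""

COMMENT_RE = re.compile(r'--comment\s+"(?P<comment>[^"]*)"')
UNTIL_RE = re.compile(r"\buntil=(\d{4}-\d{2}-\d{2})\b")


def audit_temporary_rules(rules_text, today):
    """Return (line_number, reason, rule) for every temporary rule that is
    expired as of `today`, or that carries no expiry date at all.

    `today` may be a datetime.date or an ISO "YYYY-MM-DD" string.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    findings = []
    for lineno, line in enumerate(rules_text.splitlines(), start=1):
        if not line.startswith("-A "):
            continue  # table headers, chain policies and COMMIT are not rules
        m = COMMENT_RE.search(line)
        if m is None:
            continue  # no comment match, so the rule is not tagged as temporary
        comment = m.group("comment")
        if not comment.upper().startswith("TEMP"):
            continue
        u = UNTIL_RE.search(comment)
        if u is None:
            # A temporary rule with no expiry can never be retired automatically,
            # so it is reported as a finding in its own right.
            findings.append((lineno, "temporary rule has no until= date", line))
            continue
        until = date.fromisoformat(u.group(1))
        if until < today:
            findings.append((lineno, f"expired on {until.isoformat()}", line))
    return findings


def main():
    # Audit the constructed sample as of the date of this post's update.
    for lineno, reason, rule in audit_temporary_rules(SAMPLE_RULES, "2022-02-25"):
        print(f"line {lineno}: {reason}\n    {rule}")


if __name__ == "__main__":
    main()
```

On a real host the input would be the output of `iptables-save` (or the equivalent export from a cloud security group or appliance), and the script would run from a scheduled job so that an expired exception is raised with its ticket owner rather than discovered months later. Untagged rules are not silently trusted: a "TEMP" rule without an expiry is reported so that someone has to decide whether it stays.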
Incident response planning
- Identify critical systems and services (banking, power/utilities, communications) and draft contingency plans specific to them to bolster operational resilience.
- Verify that your incident response plan is up to date and includes:
  - A designated crisis-response team with clear roles and responsibilities for members from across the organization, including technology, communications, legal, and business continuity.
  - How to respond to an event outside normal office hours and/or when business systems are down.
- Conduct a tabletop exercise to ensure that all participants understand their roles during an incident.
- Test backup procedures to ensure that critical data can be rapidly restored if the organization is impacted by ransomware or a destructive cyber-attack; ensure that backups are isolated from network connections.
- If using industrial control systems or operational technology, conduct a test of manual controls to ensure that critical functions remain operable if the organization’s network is unavailable or untrusted.
- Ensure that other teams in your organization understand the situation and the heightened threat.
- Make sure everyone in your organization knows how to report suspected security events and why reporting during a period of heightened threat is so important.
In addition to the NCSC and CISA guidance above, ACA also advises the following:
Evaluate your firm’s ties to Ukraine
- Evaluate your business connections to Ukraine, including clients, vendors, and outsourced software development contracts.
- For vendors with connections to Ukraine, assess their business continuity plans to ensure they are taking the necessary steps to mitigate their risks. Likewise, consider how to isolate these connections from your networks to mitigate risk in the event of an attack.
Monitor conflict developments
- Stay abreast of new developments in the conflict as it relates to cyber risks and attacks.
How we help
Reach out to ACA Aponix or other trusted third-party advisors for assistance in reviewing your risk and connections to Ukraine.
ACA provides comprehensive cyber solutions, including cybersecurity and technology risk programs, data privacy compliance services, vendor due diligence services, portfolio company oversight, network testing, and advisory services for companies of all sizes.
ACA's ComplianceAlpha AML KYC Solution can assist clients with their KYC, sanctions, and due diligence efforts, combining ACA’s regulatory technology with ACA’s managed services to meet their customer data screening, ongoing monitoring, remediation, look-back review, and reporting needs.
- Business Continuity Planning, Cyber Incident Response Planning, and Business Impact Analysis
- Domain Monitoring
- Payment and Fraud Risk Assessments
- Penetration and Vulnerability Assessments
- Phishing Testing
- Portfolio Oversight
- Risk Assessments
- Tabletop Exercises
- Vendor Diligence and Management
If you have any questions, please contact your ACA Aponix consultant or contact us here.