Russia-Ukraine conflict raises cyber risks for U.S. enterprises


Cybersecurity, a field under constant pressure from an unsavory mix of state actors, paramilitaries, and organized crime, is never far removed from geopolitics. So when a nation-state like Russia, hardly an unknown in the annals of cybercrime, physically invades another country, there is little doubt that the conflict will spill into cyberspace. And while the fighting on land may seem far away, the cyber battle can reach here with only a few clicks.

Let’s be clear. The conventional war between Russia and Ukraine, which this week saw artillery, tanks, aircraft, and soldiers engaged in battle, will result in the unnecessary loss of human lives, homes, brick-and-mortar businesses, and physical infrastructure. But the secondary, virtual front also has the potential for significant economic impact and disruption throughout Europe and the United States.

Since Russia began its aggression against Ukraine, the United States and other NATO countries have imposed various sanctions on Russia and on Vladimir Putin individually, most recently expelling certain Russian banks from SWIFT, the high-security messaging network that connects thousands of financial institutions around the world. The U.S. government has therefore warned that Russia may attack American private industry and infrastructure in response to those sanctions. Such attacks may not be immediate, and may not always be sophisticated, but Russia has in the past demonstrated the ability to interfere with infrastructure and private industry through supply-chain attacks and other indirect, difficult-to-attribute means. Attacks of this kind could cause damage and downtime for U.S. businesses and industries in order to pressure the U.S. and its allies to lift the sanctions.

These sorts of attacks have already targeted Ukraine. In January, for example, Microsoft reported a wiper malware campaign, named WhisperGate, that targeted the IT sector, government agencies, and non-profits in Ukraine; according to BlueVoyant, a cyber security firm that FMG works with often, the wiper was disguised as ransomware to give it the sheen of “hacktivism.” Ukraine also experienced cyberattacks on two of its state-owned banks and on its defense ministry in the run-up to the invasion that were viewed as a prologue to military action. Although Russia did not claim responsibility, the attacks are believed to have originated from Russian groups, whether backed by the government or merely tolerated by it.

Ankura, another cyber security firm with which FMG frequently partners in responding to security incidents, similarly reports that it anticipates, in addition to denial-of-service attacks, a concentration of ransomware attacks in which threat actors “double-dip” their targets: they extract a ransom payment from the victim, then renege and decrypt only a portion of the assets in order to extort a further payment.

Reports also surfaced over the weekend that proxies have begun countering these attacks on behalf of Ukraine. According to the Security Affairs blog, the hacker collective Anonymous announced a campaign against the Russian government and private entities on February 24 and claimed to have taken down a “Russian propaganda” site. One Russian television network has confirmed denial-of-service attacks against it; according to the Interfax website, the network claims that 27 percent of the attacking addresses were based in the U.S. Russian ransomware groups see an opportunity as well. Security Affairs quotes a politically overwrought message from the Conti ransomware cartel stating that its members “will use our full capacity to deliver retaliatory measures in case the Western warmongers attempt to target critical infrastructure in Russia” or Russian-speaking regions. These measures and countermeasures increase the chance that the consequences will spill over into other countries.

While everyone hopes for a prompt diplomatic resolution to the conflict, businesses, government organizations, and consumers alike should be on guard and prepare for the cyber risks that may reach them. The FBI, CISA, and the National Security Agency published a joint advisory in January on potential cyber threats against U.S. critical infrastructure. CISA has also warned U.S. companies to protect their IT systems against destructive wiper malware of the kind used against targets in Ukraine.

Additionally, organizations should take extra precautions and exercise heightened vigilance in their cybersecurity efforts, including:

  • Deploy endpoint detection and response (EDR) tooling on all endpoints and servers across every network, and make sure someone is actually reviewing the alerts it produces
  • Ensure appropriate access controls are in place for all data and systems, including strong passwords, multi-factor authentication (particularly on remote access and administrative accounts), and role-based restrictions on what each user can reach
  • Apply all current patches and review the controls on externally exposed services, in particular Server Message Block (SMB, TCP port 445) and Remote Desktop Protocol (RDP, TCP port 3389), which should not be reachable from the internet
  • Maintain backups of critical files and data, keep at least one copy offline or otherwise isolated from the production network so that a wiper or ransomware cannot reach it, and regularly verify that the backups can actually be restored
  • Review incident response plans (or create one if none exists yet) and confirm that contact details for internal responders and outside forensic partners are current
  • Increase employee awareness of the threat and of the potential for phishing attempts through additional training and reminders in company bulletins, e-mails, or conference calls.
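The SMB/RDP exposure review in the list above is the item most easily turned into a repeatable check. The script below is an added example written for this post, not code from the original article or from any of the firms named in it. It audits a set of firewall or security-group allow rules and reports every rule that makes SMB (TCP 139/445) or RDP (TCP 3389) reachable from outside the organization's own address ranges. The rule format, the trusted-network list, and the sample rules are all constructed assumptions; a real export (iptables-save, an AWS security group, an Azure NSG) would need a small adapter into the same shape.

```python
"""Audit allow rules for SMB and RDP exposed to untrusted sources.

Added example for this post, not part of the original article. The rule
format, TRUSTED_NETWORKS and SAMPLE_RULES below are assumptions chosen for
illustration; adapt them to whatever your firewall or cloud provider exports.
"""
import ipaddress

# Well-known TCP ports for the two services the post singles out for review.
RISKY_PORTS = {139: "SMB (NetBIOS session)", 445: "SMB", 3389: "RDP"}

# Assumption: these are the organization's own address ranges. Any source
# that is not fully contained in one of them is treated as untrusted.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("2001:db8:10::/48"),  # documentation prefix standing in for a corporate IPv6 block
]

# Constructed sample rule set in a vendor-neutral shape:
# name, action, protocol, inclusive port range, source CIDR.
SAMPLE_RULES = [
    {"name": "allow-rdp-internet", "action": "allow", "proto": "tcp", "port_from": 3389, "port_to": 3389, "src": "0.0.0.0/0"},
    {"name": "allow-smb-lan", "action": "allow", "proto": "tcp", "port_from": 445, "port_to": 445, "src": "10.20.0.0/16"},
    {"name": "allow-all-vendor", "action": "allow", "proto": "any", "port_from": 0, "port_to": 65535, "src": "198.51.100.0/24"},
    {"name": "allow-https-internet", "action": "allow", "proto": "tcp", "port_from": 443, "port_to": 443, "src": "0.0.0.0/0"},
    {"name": "deny-rdp-internet", "action": "deny", "proto": "tcp", "port_from": 3389, "port_to": 3389, "src": "0.0.0.0/0"},
    {"name": "allow-rdp-v6-internet", "action": "allow", "proto": "tcp", "port_from": 3389, "port_to": 3389, "src": "::/0"},
]


def is_trusted_source(src_cidr: str) -> bool:
    """True only if every address in src_cidr lies inside one of TRUSTED_NETWORKS.

    The version check matters: subnet_of() raises TypeError when comparing an
    IPv4 network with an IPv6 one, and an IPv6 "::/0" rule must not be mistaken
    for a trusted source just because the IPv4 ranges were skipped.
    """
    src = ipaddress.ip_network(src_cidr, strict=False)
    return any(src.version == net.version and src.subnet_of(net) for net in TRUSTED_NETWORKS)


def audit_rules(rules):
    """Return one finding per (rule, risky port) pair that an allow rule exposes to an untrusted source.

    Deny rules are ignored, UDP-only rules are ignored (SMB and RDP are TCP
    services), and a broad "any protocol, all ports" rule is expanded so that
    each risky port it covers is reported separately.
    """
    findings = []
    for rule in rules:
        if rule["action"] != "allow":
            continue
        if rule["proto"] not in ("tcp", "any"):
            continue
        if is_trusted_source(rule["src"]):
            continue
        for port, service in RISKY_PORTS.items():
            if rule["port_from"] <= port <= rule["port_to"]:
                findings.append({"rule": rule["name"], "port": port, "service": service, "src": rule["src"]})
    return findings


def format_report(findings):
    """Render findings as one line each, or a short all-clear message."""
    lines = [f"{f['rule']}: {f['service']} (tcp/{f['port']}) reachable from {f['src']}" for f in findings]
    return "\n".join(lines) if lines else "no SMB/RDP exposure to untrusted sources found"


if __name__ == "__main__":
    print(format_report(audit_rules(SAMPLE_RULES)))
```

Run against the constructed sample, the script flags the internet-facing IPv4 and IPv6 RDP rules and expands the vendor's "allow everything" rule into three separate findings (139, 445, 3389), while the LAN-only SMB rule, the HTTPS rule, and the deny rule produce nothing. The design choice worth copying is the explicit trusted-range list: checking `is_private` on the source network would pass the 198.51.100.0/24 vendor range unnoticed, because Python's `ipaddress` classifies the documentation and test networks as private.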

FMG’s Security, Privacy & Technology professionals are available to answer your questions or assist you at any time. Please let us know if we can help you with preparing your organization in response to the current conditions. Or, if you need help with an emergency security incident, please contact us through our emergency assistance program. In the meantime, we will continue to monitor the Russia-Ukraine conflict and update our blog with new information as things develop.