As Talks of Cyberattacks Related to the Ukraine Conflict Intensify, Companies Should Take Steps to Prepare
By Aaron Charfoos, John Binkley, and David Coogan
The rising tensions between Russia and Ukraine not only threaten the people living in the region, but pose a real cyber risk that companies should focus on now. Russia has reportedly used cyberattacks to target Ukrainian businesses and government agencies. Last month, Ukrainian authorities reported that Ukrainian government agencies were the victims of cyberattacks that wiped dozens of computer systems and separate attacks that defaced and disabled 70 Ukrainian government websites. The Ukrainian Digital Transformation Ministry issued a statement that “all the evidence points to Russia being behind the cyber-attack” on the Ukrainian government websites. A Kremlin spokesman denied Russia was involved in the cyberattacks.
The Microsoft Threat Intelligence Center (“MSTIC”) published a detailed blog post on January 15, 2022 about the attack on the Ukrainian government agencies. MSTIC did not attribute the attacks, but it described the malware as designed to look like ransomware while actually being destructive: there is no recovery mechanism, and its purpose is to render the targeted devices inoperable. MSTIC found copies of the malware on systems belonging to government, non-profit, and information technology organizations based in Ukraine.
At a press conference on January 19, 2022, President Biden stated that if Russia “continue[s] to use cyber efforts,” the U.S. would respond with its own cyberattacks. Following the press conference, Press Secretary Jen Psaki reiterated the point in a statement that “acts of Russian aggression” including cyberattacks, would be met with a reciprocal response.
On Friday, January 28, 2022, the UK National Cyber Security Centre published an advisory that organizations should bolster their cybersecurity resilience in relation to events in and around Ukraine.
The destructive, fake ransomware attacks described by MSTIC are similar to a technique used in the NotPetya attack in 2017 that initially targeted organizations in Ukraine and spread globally. According to a detailed report by Cisco’s Talos Intelligence Group (“Talos”), the attackers used an unsuspecting Ukrainian software vendor to distribute the payload via a software update to the vendor’s Ukrainian customers, including multinational corporations with operations in Ukraine. Rather than targeting organizations directly, this supply-chain technique provided the attackers with a trusted backdoor into the networks of hundreds of companies that used the vendor’s software.
Neighboring Belarus has also been drawn into the recent cyberattacks and other neighboring countries could be, too. On January 24, 2022, a group calling itself the “Belarusian Cyber-Partisans” claimed on Twitter to have encrypted Belarusian Railways networks. In exchange for decrypting the network, the group demanded the Belarusian government prevent Russian troops from entering Belarus and release 50 political prisoners.
These recent attacks, and Russia’s historical patterns, show that cyberattacks related to regional conflicts can spill over and collateral damage can occur. The following are a series of steps organizations can take to prepare for the possibility of increased cyberattacks arising from the conflict in Ukraine.
What you can do:
- Keep up to date with the latest threat and mitigation information, including the indicators of compromise (“IOCs”) for the recent cyberattacks in Ukraine published by Microsoft and others, and check whether any of those IOCs are present in your environment.
- Enable multifactor authentication and ensure it is enforced for all remote connectivity.
- Review your insurance policy to understand whether a cyberattack that is part of a “cyber war” will impact coverage.
- Examine your organization’s operations in Ukraine and consider whether additional security measures, such as network segmentation and tighter access controls, are necessary so that an attack on those operations cannot spread to your larger network.
- Conduct a tabletop exercise that involves a scenario where a cyberattack occurs in Ukraine or its neighboring countries and includes destructive wiping attacks masquerading as ransomware.
- Check that your backup systems are working, including a test restore, that at least one copy is kept offline or otherwise out of reach of a wiper, and that your business continuity plan is understood.
- Patch your systems. The NotPetya attack spread using an SMB vulnerability (addressed by Microsoft’s MS17-010 update) for which a patch had been available for months.
- Consider whether your organization was impacted in the NotPetya attack and has any lessons learned that can be applied to today’s standoff.
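The first item on the list, sweeping your environment for published IOCs, is the one most teams do by hand when a new advisory lands. The script below is an added example, not code from the original alert or from Microsoft: it parses a vendor-style text IOC list (one hash per line, comments allowed), walks a directory tree, and reports files whose SHA-256 matches. The IOC list, the file names and the “malicious” content are constructed for the demonstration and are not real indicators; substitute the hashes from the MSTIC post or another vendor feed.

```python
"""Sweep a directory tree for files whose SHA-256 matches an IOC list.
Added example. The IOC values below are constructed for demonstration
and are NOT real indicators from MSTIC or any other vendor."""

import hashlib
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so large binaries are not read into memory at once


def parse_ioc_list(text: str) -> set[str]:
    """Parse a vendor-style IOC list: one hash per line, '#' comments,
    optional annotation after whitespace.  Only 64-hex SHA-256 values are
    kept; MD5/SHA-1 lines and junk are ignored rather than silently matched."""
    iocs = set()
    for line in text.splitlines():
        tokens = line.split("#", 1)[0].strip().split()
        if not tokens:
            continue
        candidate = tokens[0].lower()
        if len(candidate) == 64 and all(c in "0123456789abcdef" for c in candidate):
            iocs.add(candidate)
    return iocs


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root: Path, iocs: set[str]) -> list[tuple[Path, str]]:
    """Return (path, sha256) for every regular file under root whose hash is in iocs.
    Symlinks are skipped so the sweep cannot loop or wander outside root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            try:
                digest = sha256_file(p)
            except OSError:
                continue  # unreadable (locked, permission denied): log it in real use
            if digest in iocs:
                hits.append((p, digest))
    return hits


# Constructed sample data: the "malicious" bytes exist only in this script.
FAKE_MALICIOUS_CONTENT = b"constructed stage-1 dropper, demo only\n"
FAKE_IOC_SHA256 = hashlib.sha256(FAKE_MALICIOUS_CONTENT).hexdigest()

SAMPLE_IOC_LIST = f"""
# Constructed IOC feed (not a real vendor list)
{FAKE_IOC_SHA256.upper()}   stage1.exe   # upper-case on purpose: feeds vary
d41d8cd98f00b204e9800998ecf8427e           # MD5 line: ignored, not SHA-256
not-a-hash
"""


def demo() -> list[str]:
    """Build a temporary tree with one matching file, run the sweep,
    and return the names of the files that matched."""
    iocs = parse_ioc_list(SAMPLE_IOC_LIST)
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "ProgramData").mkdir()
        (root / "ProgramData" / "stage1.exe").write_bytes(FAKE_MALICIOUS_CONTENT)
        # One byte different: a near-miss that must NOT match an exact-hash IOC.
        (root / "ProgramData" / "stage1.exe.bak").write_bytes(FAKE_MALICIOUS_CONTENT + b"x")
        (root / "notes.txt").write_bytes(b"ordinary document\n")
        return sorted(p.name for p, _ in sweep(root, iocs))


if __name__ == "__main__":
    print(demo())  # ['stage1.exe']
```

Exact-hash matching is deliberately narrow: a one-byte recompile evades it, as the `.bak` file in the demo shows, so treat a sweep like this as a quick first pass and push the same indicators (hashes, file names, domains) into your EDR or SIEM for continuous matching.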
If you have any questions related to your cybersecurity or data privacy programs, reach out to one of the members of the Paul Hastings Data Privacy and Cybersecurity Group.