Feb. 28 Update: The latest economic sanctions imposed upon Russia could inspire that nation, or cyber groups working in support of Russia, to lash out against Western targets. With that in mind, Trustwave SpiderLabs wants to reiterate that all organizations must remain vigilant and, if they have not already done so, redouble their efforts to fortify their networks against cyberattacks stemming from the ongoing Russian attack on Ukraine.
Trustwave security and engineering teams are on heightened alert and are actively monitoring malicious cyber activity associated with and adjacent to the escalating military conflict between Russia and Ukraine. Trustwave is working closely with its clients around the world to enhance cyber preparedness during this time.
Organizations that operate in high-value, critical industries such as banking, critical infrastructure (energy, oil and gas, etc.) and supply chain should especially elevate their cyber posture during this time.
We have engaged our security teams across our global footprint to continuously harden our own cyber resilience and ensure service continuity for our clients as events unfold.
As the situation evolves and additional threat intelligence becomes available, we will continue to proactively detect and respond to emerging threats.
In addition to monitoring for cyberattacks and malware use during this time, the elite Trustwave SpiderLabs team is actively monitoring for phishing, social engineering techniques and Dark Web chatter associated with these events to further enhance cyber detection and response for our clients. For MSS clients with solutions managed by Trustwave, we are validating that the available detective and preventative policies are deployed and are conducting historical searches for associated activity.
Trustwave is prepared to issue a swift response and assist any organizations that fall victim to cyberattacks associated with these geopolitical events.
The Cybersecurity and Infrastructure Security Agency (CISA) recently issued multiple alerts associated with potential malicious nation-state cyber activity. CISA recommends all organizations – regardless of size – adopt a heightened posture when it comes to cybersecurity and protecting their most critical assets.
Trustwave encourages all organizations to follow CISA’s “Shields Up” guidance, which can be found here.
CISA has specifically provided guidance and resources for critical infrastructure organizations, which could be particularly targeted during this time:
"The Russian government understands that disabling or destroying critical infrastructure – including power and communications – can augment pressure on a country's government, military and population and accelerate their acceding to Russian objectives," CISA said.
Organizations across regions should also review the following guidance from CISA’s partner agencies:
Organizations with business dealings with Ukrainian and Russian firms should take extra care to monitor, inspect and isolate traffic from organizations in that geography and closely review access controls for that traffic. Again, organizations that operate in high-value, critical industries such as banking, critical infrastructure (energy, oil and gas, etc.) and supply chain should especially elevate their cyber posture during this time.
Nation-state or associated actors may have capabilities and intentions beyond those of a run-of-the-mill cybergang that is just looking to make a profit. With enough time and money, a nation-state is likely to succeed in gaining access, so it is imperative that organizations have a robust plan to detect and respond to a breach or major event.
It is also essential to keep in mind that threat actors do not always have financial gain in mind when launching an attack. There are times when a threat actor simply wants to break something, hinder operations, and cause chaos for geopolitical or ideological reasons.
All organizations should practice their response plans and remain vigilant.
Organizations should also be aware of the new or repurposed malware tools now in the wild. The Russian-linked threat actor, dubbed Sandworm or Voodoo Bear, is using a “large-scale modular malware framework” that the cyber agencies have dubbed Cyclops Blink. Cyclops Blink has largely replaced the VPNFilter malware in Sandworm’s activities since at least June 2019. You can read the advisory from the National Cyber Security Centre here.
Additionally, according to ESET Research, Ukrainian organizations have been hit by a cyberattack that involved new data-wiping malware called HermeticWiper. The malware has impacted hundreds of computers across networks.
This malware attack followed a wide-scale distributed denial-of-service (DDoS) that took many important Ukrainian websites offline.
The playbook organizations should use to keep safe from a nation-state or associated cyberattack during this time remains the same. Having the cyber fundamentals in place is now more critical than ever. Here are some of our top recommendations for organizations, in line with the guidance provided by leading government cyber agencies:
There is a possibility that the malware and other techniques attackers use will eventually make their way into the hands of conventional threat actors.
It is not uncommon for malicious code to be sold, traded, dispersed and then used for attacks against targets across industries such as retail, e-commerce, etc. This activity might not take place for several months. Trustwave is actively monitoring the Dark Web for malicious techniques and for code collaborations and sales.