Issue Twelve

March 2022

In the early morning hours of February 24th, Vladimir Putin issued a televised statement declaring Russian forces would begin “special military operations” in Ukraine. The days and hours leading up to the Russian advancement into Ukraine read straight from Putin’s hybrid warfare playbook - almost identical to Russia’s invasions of Georgia in 2008 and Crimea in 2014.

Massive DDoS campaigns began disrupting banking, government, and transportation operations weeks before, growing more intense as the invasion grew closer. Misinformation and disinformation campaigns sought to influence blame and create confusion around Russian military operations. Phishing campaigns targeting public authorities and critical infrastructure aimed to spread malware and disrupt Ukrainian security.

The cyber-diversion tactics were followed by physical strikes on military, transportation, and communications infrastructure. This type of hybrid warfare has proven to be the “go to” for Putin and Russian operatives and, historically, has had lasting impacts well beyond any future cease-fire.

Russia’s nation-state threat actors have devastating capabilities, but for now they appear to be focused on Ukraine and the areas immediately surrounding. What can we expect, and how should we prepare? We’re dedicating this month’s entire issue to providing additional insights and prescriptive counsel for these very questions.


ZEROING IN


How Ukraine became a test bed for cyberweaponry

Politico

Over the past eight years, Ukraine has unwittingly become a test bed for cyberweaponry - even being characterized as Russia’s playground. Everything from elections to the power grid has been tested and disrupted on multiple occasions.

In 2017, a small tech firm was infected with malware known as NotPetya - giving threat actors access to the computers of utility companies, banks, airports, and government agencies in Ukraine. This attack took an estimated $10 billion to clean up and remains the most damaging supply-chain-distributed malware on record.

Fast forward to 2022, and the cyber attacks against Ukraine have been characterized as the most sophisticated to date by the Ukrainian government. Prior to the attack, hackers detonated a type of “wiper” malware, similar to NotPetya, which gave the threat actors access to a large swath of telecommunications data, providing them with critical information regarding Ukrainian movements prior to the invasion.

There is no question the Russian nation-state threat actors have perfected their craft over the years. The biggest question points directly at Ukraine’s resilience.

If Ukraine has experienced so many cyber-attacks and received so much support from allied nations, why are they not better equipped to prevent or recover from them? The answer, put simply: Cybersecurity is a long game. It is extremely ineffective to strap on protective and preventative technology to legacy culture and infrastructure.

“The free-for-all environment of a country at war has turned Ukraine into a magnet for players of all types looking to test their cyber capabilities. In addition to hostile Russian hackers, the country has attracted cybersecurity firms looking to get close to the action, Western intelligence agencies seeking to understand the nature of modern conflict and criminals looking to make a buck.”

Ukraine’s modern history should serve as the encyclopedia of cybersecurity for Western Europe and the rest of the world. We can choose to learn from their experiences or pay the price of learning from our own.


What Americans Should Do to Prepare for Russian Cyberattacks

The Atlantic

Authorities are cautious to predict a direct threat to American digital infrastructure, as a direct attack would be considered an extreme escalation. However, as the sanctions imposed on Russia begin to squeeze their economy, the concerns of retaliation against our financial institutions and other critical industries are likely to increase.

Herbert Lin, a senior research scholar at Stanford’s Center for International Security and Cooperation, states that while American banks have been shoring up their cyber-defenses, “they’ve never had to withstand a full-on, all-in cyberattack by a nation as powerful in cyberspace as the Russians.” Lagging much further behind are the technologies that support our critical infrastructure, which are extremely vulnerable due to the challenges of applying modern cybersecurity tools to legacy operational technology (OT).

While these targets are still considered unlikely, they are possible. So, for now and the foreseeable future, we must continue building resilience and preparing our organizations for anything and everything on the table. As we witnessed with NotPetya, devastating threats can still reach the US through interconnected supply chains.

“No one really fully understands how the internet interconnects and operates together at some sort of macro level, so being able to map out all the possible permutations of how something might have an impact is essentially impossible ahead of time.”


CISA Recommends Shields Up Approach For All Organizations

CISA

In an effort to address questions and improve communication, the Cybersecurity & Infrastructure Security Agency (CISA) issued guidance for all organizations, regardless of size, to assume a “Shields Up” posture as the war in Ukraine continues to unfold.

The agency’s advice remains centered around building resilience and improving preparedness, stating organizations should move in earnest to identify critical assets and prioritize protection efforts accordingly.

Network and administrative access should be scrutinized and protected by multi-factor authentication. Critical vulnerabilities need to be immediately addressed by applying updates to software and firmware across the entire business ecosystem. Incident response plans need to be formalized, approved, and tested along with data and system backups to ensure business continuity.

CISA goes a bit further to address business leaders and CEOs, specifically, with the following:

  • Empower Chief Information Security Officers (CISO): Senior management should empower CISOs by including them in the decision-making process regarding risk to the company, and ensure the entire organization understands security investments are a top priority in the immediate term.

  • Lower Reporting Thresholds: Every organization should have documented thresholds for reporting potential cyber incidents to senior management and to the U.S. government. For now, those thresholds should be lowered to investigate any and all suspicious activity.

  • Participate in a Test of Response Plans: Cyber incident response plans should include not only your security and IT teams, but also senior business leadership and Board members. If you’ve not already done so, senior management should participate in a tabletop exercise to ensure familiarity with how your organization will manage a major cyber incident, to not only your company but also companies within your supply chain.

  • Focus on Continuity: Recognizing finite resources, investments in security and resilience should be focused on those systems supporting critical business functions. Senior management should ensure that such systems have been identified and continuity tests have been conducted to ensure critical business functions can remain available subsequent to a cyber intrusion.

  • Plan for the Worst: Senior management should ensure that necessary measures can be taken to protect your organization’s most critical assets in case of an intrusion, including disconnecting high-impact parts of the network if necessary.

The guidance should sound familiar to those already on the path to a more mature cybersecurity posture but reemphasizes the criticality of executive and stakeholder engagement.

Kenneth Holley

Kenneth Holley's unique and highly effective perspective on solving complex cybersecurity issues for clients stems from a deep-rooted dedication and passion for digital security, technology, and innovation. His extensive experience and diverse expertise converge, enabling him to address the challenges faced by businesses and organizations of all sizes in an increasingly digital world.

As the founder of Silent Quadrant, a digital protection agency and consulting practice established in 1993, Kenneth has spent three decades delivering unparalleled digital security, digital transformation, and digital risk management solutions to a wide range of clients - from influential government affairs firms to small and medium-sized businesses across the United States. His specific focus on infrastructure security and data protection has been instrumental in safeguarding the brand and profile of clients, including foreign sovereignties.

Kenneth's mission is to redefine the fundamental role of cybersecurity and resilience within businesses and organizations, making it an integral part of their operations. His experience in the United States Navy for six years further solidifies his commitment to security and the protection of vital assets.

In addition to being a multi-certified cybersecurity and privacy professional, Kenneth is an avid technology evangelist, subject matter expert, and speaker on digital security. His frequent contributions to security-related publications showcase his in-depth understanding of the field, while his unwavering dedication to client service underpins his success in providing tailored cybersecurity solutions.
