US officials are warning private businesses to be on guard against new destructive Russian cyberattacks.
US cybersecurity officials are warning private businesses to be on guard against new destructive Russian cyberattacks. With hard-hitting economic sanctions taking effect just days after Russia’s invasion of Ukraine, multiple officials and agencies are urging private sector organizations to prepare for retaliatory cyberattacks that can present a direct threat to their daily operations.
While technology security concerns were already top-of-mind issues for organizations—especially following the well-publicized Colonial Pipeline breach and SolarWinds hack—potentially more worrisome is the fact that the US is attributing recent cyberattacks to the GRU, Russia’s official military intelligence arm. These aren’t angry, disorganized hackers testing their skills but trained, state-sponsored operators working in a coordinated effort to fulfill hybrid warfare initiatives by infiltrating networks, compromising critical systems and disrupting important economic markets.
On Saturday, February 26th, the US Cybersecurity & Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) issued a joint Cybersecurity Advisory, Alert AA22-057A. The bulletin confirms that malicious threat actors have deployed destructive malware named WhisperGate and HermeticWiper. Symantec and ESET are among the companies confirming the malicious payloads in the wild.
Both malware families are designed to destroy computer systems and data and render systems inoperable. They target Windows systems and carry origination information suggesting their use had been planned for months as part of a larger coordinated campaign.
According to the bulletin, the malware may be distributed using email, instant messaging and websites, among other traditional methods. A CISA advisory published the same day notes the malware doesn’t just target Ukraine and the surrounding region but could threaten the operation of critical infrastructure in the US, too.
Also concerning, according to a report published by the Wall Street Journal, is that other malicious actors have recently avowed full support for Moscow. With both state-sponsored cyberattacks and unaffiliated but sympathetic hacker initiatives possible, private-sector businesses are being urged to redouble fundamental security protections and intensify the monitoring and detection on their networks and systems.
The steps US officials are recommending private businesses take include common basics, which can help protect against some Russian cyberattack methods. These fundamental steps include:
- Configure antivirus and antimalware software to run regular scans
- Enable strong spam filters to guard against phishing emails reaching users
- Require multifactor authentication for interactive logons
- Update software applications
- Patch known vulnerabilities
Cybersecurity experts are also urging private companies to take additional steps, in light of new Russian attack threats, including:
- Lock accounts after two or three failed login attempts
- Lower thresholds for reporting suspicious activity
- Review and tighten network access control lists, where possible
- Practice responding to cyberincidents
- Implement and test procedures to back up and restore data
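One way to operationalize the lockout and reporting-threshold items above against Windows failed-logon records, as an added example that is not part of the original article or the advisory: the records below are constructed to mimic Security log entries (Event ID 4625 failed logon, 4624 successful logon), and the threshold and time window are assumed values an organization would set for itself.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records shaped like Windows Security log entries:
# "<timestamp> <event id> <account> <workstation> <source ip>".
# 4625 = failed logon, 4624 = successful logon. All values are made up.
SAMPLE_EVENTS = """
2022-02-27T02:10:01 4625 alice WS-07 10.0.0.5
2022-02-27T02:10:09 4625 alice WS-07 10.0.0.5
2022-02-27T02:10:15 4625 alice WS-07 10.0.0.5
2022-02-27T02:10:22 4625 alice WS-07 10.0.0.5
2022-02-27T02:11:00 4624 alice WS-07 10.0.0.5
2022-02-27T03:00:00 4625 bob WS-12 10.0.0.9
2022-02-27T09:30:00 4625 bob WS-12 10.0.0.9
2022-02-27T04:00:00 4625 dave WS-03 10.0.0.21
2022-02-27T04:03:00 4625 dave WS-03 10.0.0.21
2022-02-27T05:00:00 4625 svc_backup SRV-01 10.0.0.40
2022-02-27T05:00:30 4625 svc_backup SRV-01 10.0.0.40
2022-02-27T05:01:00 4625 svc_backup SRV-01 10.0.0.40
""".strip().splitlines()

FAILED_LOGON = "4625"

def parse_event(line):
    """Split one record into its fields; the timestamp becomes a datetime."""
    ts, event_id, account, host, src = line.split()
    return {"ts": datetime.fromisoformat(ts), "event_id": event_id,
            "account": account, "host": host, "src": src}

def failed_logon_bursts(lines, threshold=3, window=timedelta(minutes=15)):
    """Return {account: total failed logons} for every account that had at
    least `threshold` failures inside any span of length `window`.
    `threshold` mirrors the lockout threshold the organization enforces;
    lowering it (e.g. from 3 to 2) widens what gets reported."""
    failures = defaultdict(list)
    for rec in map(parse_event, lines):
        if rec["event_id"] == FAILED_LOGON:
            failures[rec["account"]].append(rec["ts"])
    flagged = {}
    for account, times in failures.items():
        times.sort()
        # Sliding window: the i-th and (i+threshold-1)-th failures must fall
        # within `window` for the account to hit the threshold.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged[account] = len(times)
                break
    return flagged

if __name__ == "__main__":
    print(failed_logon_bursts(SAMPLE_EVENTS, threshold=3))
    print(failed_logon_bursts(SAMPLE_EVENTS, threshold=2))
```

With the default threshold of 3 only `alice` and `svc_backup` are reported; lowering it to 2 also surfaces `dave`, while `bob`'s two failures hours apart stay below the window and are not flagged.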
In their alert announcing the destructive malware used in Ukraine, CISA and the FBI also reiterated the common strategies that strengthen an organization’s security posture against such threats. Among the best practices the alert recommends companies adopt are the following:
- Segment networks properly
- Filter network traffic effectively
- Deny service accounts local or interactive permissions, when possible
- Limit accounts’ ability to access elevated permissions on downstream systems
- Closely audit system, security and network log files for anomalous references
- Ensure network devices log and audit all configuration changes
- Confirm updates are received only from trusted sources
IT security experts are also urging banks and financial institutions—believed to be at even greater risk of cyberattacks given that Western financial sanctions are adversely impacting the Russian economy—to take additional actions. The Financial Services Information Sharing and Analysis Center (FS-ISAC) recommends such firms also encrypt network traffic and implement controls limiting users’ ability to manipulate databases, among other recommendations.
The situation, as expected during such unprecedented periods, is quite fluid. Organizations should prepare for and monitor industry and governmental guidance for additional updates and advisories as the situation develops.