Practical Steps for Responding to the CISA Warning on Russian Cyber Attacks

On February 25, 2022, two days after Russia began its military invasion of Ukraine, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) issued a rare Shields Up warning for U.S.-based organizations, stating: “Every organization—large and small—must be prepared to respond to disruptive cyber activity.”

The Shields Up warning is in direct response to increased Russian cyber aggression against Ukrainian and other targets in the region, including recent distributed denial-of-service (DDoS) and malware attacks. In addition to the possibility of disruptive nation-state activities affecting U.S. targets, CISA also warned of an increase in cyber attack activity against U.S. organizations from Russia or hackers acting on Russia’s behalf.

The need for this warning was amplified by recent events, including the hacking of over twenty U.S.-based natural gas companies by Russian intelligence two weeks before the Russian Army invaded Ukraine. With the CISA warning, this recent evidence, and what we know from past attacks against Ukraine, it would be irresponsible for organizations to ignore CISA’s warning.

To help organizations prepare for a possible attack, it’s important first to understand the types of attacks organizations should be watching for.

Russian Cyber Attacks to Watch Out For

Given the speed at which the war against Ukraine is progressing, in the immediate future, attacks are likely to be fast, hard-hitting, and focused on disruption and destruction.

Here are some of the attacks to watch out for.

Distributed Denial of Service (DDoS)

DDoS attacks aren’t new or particularly sophisticated, but they’re still effective at stopping work at government agencies and commercial enterprises in its tracks. Russia has used these attacks before. For example, in 2008, during the country’s conflict with Georgia, Russia or another party closely affiliated with the Russian government launched DDoS attacks against the Georgian government and Georgian news agencies.

It’s not surprising, then, that on February 15, 2022, DDoS attacks were launched against two of the largest Ukrainian banks as well as the Ukrainian military. More attacks are likely to follow. Targets could expand to include organizations outside of Ukraine.

Ransomware

While the Russian military effort will probably not include ransomware attacks, the Russian government has unleashed Russian criminal cybercrime enterprises, including the Conti gang, to engage in unrestricted cybercrime activities. The U.S. has already warned companies to be wary of increased ransomware attacks for two reasons. First, Russia might use them to cause trouble for Ukraine. Second, because of rising tensions with the West, the country might become more tolerant of hackers within its own borders. Ransomware gangs that, a year ago, would have feared prosecution by the Russian government might find themselves free to operate as they wish now—provided they target organizations outside of Russia.

One reason why ransomware attacks are still effective: Too many companies are still using protocols such as RDP and SMBv1 that common ransomware variants rely on for traversing networks. For years, vendors and standards organizations have been urging companies to stop using these outdated protocols, some of which were designed without cybersecurity in mind.

For example, recognizing the protocol’s glaring security shortcomings, Microsoft officially discontinued support for SMBv1 nine years ago. But according to a recent survey by ExtraHop, 68% of organizations were still running SMBv1, leaving themselves vulnerable to dangerous malware variants such as WannaCry and NotPetya.

Organizations should assume that if attackers find these protocols active on networks, they’ll take advantage of them.
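One practical way to find out whether SMBv1 is still in use is to look at the first message of each SMB session on TCP/445: a client with SMBv1 enabled opens with an SMBv1-framed negotiate that lists SMB1 dialect names, while an SMBv1-disabled client opens with a native SMB2 NEGOTIATE. The following parser is an added example written for this post, not code from ExtraHop or from any product; it decodes both negotiate forms and flags the SMB1 case, and builds two constructed sample frames (not captured traffic) so it runs offline.

```python
import struct
from dataclasses import dataclass, field
SMB1_MAGIC, SMB2_MAGIC = b"\xffSMB", b"\xfeSMB"
SMB1_COM_NEGOTIATE, SMB2_NEGOTIATE = 0x72, 0x0000

@dataclass
class Negotiate:
    version: str                          # "SMB1", "SMB2+" or "unknown"
    dialects: list = field(default_factory=list)
    smb1_offered: bool = False            # an SMB1-only dialect is on the table

def parse_negotiate(frame: bytes) -> Negotiate:
    """Decode the NetBIOS-framed NEGOTIATE that opens a TCP/445 stream.
    SMB1-enabled clients send an SMB1 multi-protocol negotiate ("NT LM 0.12"
    plus "SMB 2.???"); SMB1-disabled clients send a native SMB2 NEGOTIATE."""
    if len(frame) < 36 or frame[0] != 0:              # session message type 0x00
        return Negotiate("unknown")
    msg = frame[4:4 + int.from_bytes(frame[1:4], "big")]
    if msg[:4] == SMB1_MAGIC:
        info = Negotiate("SMB1")
        if len(msg) < 35 or msg[4] != SMB1_COM_NEGOTIATE:
            return info
        bc_off = 33 + 2 * msg[32]                     # skip WordCount 16-bit words
        (byte_count,) = struct.unpack_from("<H", msg, bc_off)
        data = msg[bc_off + 2:bc_off + 2 + byte_count]
        info.dialects = [e[1:].decode("ascii", "replace")   # 0x02 + NUL-terminated name
                         for e in data.split(b"\x00") if e[:1] == b"\x02"]
        info.smb1_offered = any(not d.startswith("SMB 2.") for d in info.dialects)
        return info
    if msg[:4] == SMB2_MAGIC and len(msg) >= 68:
        info = Negotiate("SMB2+")
        (command,) = struct.unpack_from("<H", msg, 12)
        (count,) = struct.unpack_from("<H", msg, 66)  # DialectCount in the request body
        if command == SMB2_NEGOTIATE and len(msg) >= 100 + 2 * count:
            info.dialects = ["0x%04x" % d for d in struct.unpack_from("<%dH" % count, msg, 100)]
        return info
    return Negotiate("unknown")

# Constructed sample frames (not captured traffic) so the parser can run offline.
def _nbss(msg: bytes) -> bytes:
    return b"\x00" + len(msg).to_bytes(3, "big") + msg

def build_smb1_negotiate(dialects):
    header = SMB1_MAGIC + bytes([SMB1_COM_NEGOTIATE]) + bytes(27)   # 32-byte header
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    return _nbss(header + b"\x00" + struct.pack("<H", len(data)) + data)

def build_smb2_negotiate(dialects):
    header = SMB2_MAGIC + struct.pack("<HHIH", 64, 0, 0, SMB2_NEGOTIATE) + bytes(50)
    body = struct.pack("<HHHHI16sQ", 36, len(dialects), 1, 0, 0, bytes(16), 0)
    return _nbss(header + body + b"".join(struct.pack("<H", d) for d in dialects))
```

Running `parse_negotiate` over the first client message of each session and reporting every result with `smb1_offered` set gives an inventory of hosts that still have SMBv1 enabled, which is the list to work through before an attacker finds it.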

Russian Wiper Malware

Living up to its name, Russian wiper malware is designed to be destructive, wiping out data rather than encrypting it for ransom. Russia has been accused of wielding this kind of malware before, most famously in the NotPetya malware attacks of 2017, which, incidentally, targeted Ukrainian government agencies, news organizations, and utility companies.

Probably as part of an attempt to paralyze the Ukrainian response to its invasion, Russia unleashed a new wiper malware to attack Ukrainian government ministries and financial institutions in February. Fortunately, Microsoft detected the attack within three hours and worked on a response. They dubbed the malware “FoxBlade,” updated Microsoft Defender to recognize the malware’s signature, and coordinated responses with government agencies and other organizations to block the attack.

Organizations should be wary of similar wiper attacks against a broader range of targets.

Brute Force Attacks

Attackers use brute force attacks to gain credentials that can be used for exploring networks, exfiltrating data, and gaining access to critical systems. One common type of brute force attack is credential stuffing, in which attackers use scripts to automatically feed thousands of compromised username/password combinations into login fields. These attacks succeed a significant amount of the time because, all too often, people reuse email address/password combinations across multiple sites. Billions of compromised username/password combinations are available for little or no money on the dark web.

If a nation state or its affiliates wants to break into organizations, it makes sense for them to take advantage of brute force attacks. Organizations should assume that Russia might do so.

Phishing

As far back as 2018, CISA issued an alert warning that Russian government cyber actors were launching cyber attacks against U.S. government agencies and critical infrastructure companies. Many of these attacks involved phishing email campaigns sent from compromised email accounts. These phishing attempts become more credible when they come from a compromised account of an organization’s leader.

The goal of phishing attacks—then and now—is often to gain access to privileged accounts on applications and servers, which can then be used for exploring networks, gaining access to operational controls, and spreading malware.

Escalations Among Civilian Hackers

Something that’s new in this war is gangs of volunteer hackers declaring loyalty to Ukraine or Russia and unleashing attacks on their preferred country’s behalf. For Ukraine, these hackers are serving as a volunteer cyber army, guarding digital assets and launching attacks against Russia. For Russia, these volunteers offer more manpower and perhaps some new techniques for waging cyberwar against Ukraine.

For organizations in the U.S., the addition of these volunteers increases the uncertainty of the cyber attacks that may follow. More actors and perhaps more varied attack strategies give security teams all the more reason to ensure their defenses are as strong as possible.

Implementing CISA’s Shields Up Guidance to Prevent Cyber Attacks

All organizations, public and private, should stay vigilant and prepare for possible intrusions. To do this, security and business leaders alike should review and heed the advice in CISA’s Shields Up, which offers guidance to improve overall hygiene and defenses, detect and respond to potential intrusions, and maximize organizational resilience.

To break down the CISA Shields Up guidance further and help organizations understand what steps they should take to reinforce their security posture, ExtraHop has released A Practical Guide to Shields Up, a complete analysis of the Shields Up recommendations with detailed expert advice.
