The worst conflict in Europe for decades began a few hours ago. According to Ukrainian sources, six Russian planes have already been shot down.
Update 12.40 p.m.: Speaking to the British newspaper “Guardian”, Dr. Lennart Maschmeyer from the Center for Security Studies at ETH Zurich said that Russia’s cyber strategy has so far seemed rather improvised: “A plausible scenario for more devastating cyberattacks would be that Russia planned this invasion well in advance and placed implants in Ukraine’s critical infrastructure to cause massive disruption to coincide with the military invasion. That doesn’t seem to be the case. The cyber operations that we have seen do not show much preparation, but seem rather random.”
Palo Alto Networks security experts warn that future attacks on US and Western European companies and institutions could come in retaliation for increased sanctions or other policies against the Russian government. Palo Alto Networks advises all organizations to proactively prepare to defend against this potential threat.
Here is the translation of the blog:
Geopolitical tensions between Russia and Ukraine have continued to escalate in recent weeks. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has urged industry to put up their shields in preparation for a cyberattack that could disrupt, disable, or destroy critical infrastructure across the U.S.
The crisis in Ukraine has already led to an increase in Russian cyber activity, which we reported on in our first threat brief last month and in our most recent report on the Gamaredon group. Future attacks could target US and Western European organizations in retaliation for increased sanctions or other policies against the Russian government. We encourage all organizations to proactively prepare to defend against this potential threat. Here you will find information on best practices, as well as specific advice for our customers and clients on how we can help. As new information and recommendations become available, we will update them.
Over the past few months, Unit 42 has undertaken a company-wide effort to gather, analyze and disseminate the latest intelligence on this crisis. We actively work with our industry and government partners to share our analysis and insights based on our global threat telemetry network.
These efforts have allowed us to update our platform almost daily to offer our customers the best possible protection. This includes banning hundreds of domain names, IP addresses, and URLs for our customers related to newly discovered attacks. We’ve updated the WildFire analysis system to improve detection of certain malware families used by Russian threat groups. Our Cortex XDR platform now includes additional signatures to block newly discovered vulnerabilities and malware. Our Threat Prevention product now also covers the OctoberCMS vulnerability exploited in the WhisperGate attacks, and we have published an XSOAR Playbook to help organizations hunt for this threat. Cortex Xpanse can help you understand and manage your organization’s attack surface.
We have published public reports on the WhisperGate attacks and the infrastructure and tactics used by the Gamaredon group. Unit 42’s website also has a free ATOM that provides a structured account of the Gamaredon Group’s tactics, aligned with MITRE’s ATT&CK framework. As the situation continues to evolve, we will update our blog with the latest information. Unit 42 is closely monitoring the situation and we’ve got your back.
How to Prepare for the Cyber Impact of the Escalating Russia-Ukraine Crisis
There is no single action you can take to protect your business from this threat. Beyond a new malware family or a vulnerability exploited in the wild, the anticipated attacks could come in many forms. CISA’s recommendations are broad, but appropriate given the variety of tactics Russian actors have employed in the past.
We recommend companies prioritize actions in the following four areas:
Patch exploited vulnerabilities: Install patches for any software that contains vulnerabilities—not just those that are known to be exploited in the wild. This is most urgent for software that connects to the Internet and is necessary for the operation of your business, such as webmail, VPNs and other remote access solutions.
Prepare for ransomware and/or data destruction: A likely form of disruptive cyberattack will use either ransomware or a destructive attack masquerading as ransomware. As we saw with the NotPetya attacks in 2017 and the WhisperGate attacks last month, an attack that demands a ransom might not be “ransomware” at all. The malware used in these attacks destroyed data with no chance of recovery and only used the ransom demand to disguise its true intent. The preparations required to prevent and recover from these attacks are similar in both cases. Testing backup and recovery plans is critical, as is testing your business continuity plan in the event your network or other critical systems are rendered inoperable by the attack.
Be prepared to respond quickly: You don’t want to test your crisis response processes in the heat of an actual crisis. Make sure you identify key contact points within your organization in the event of a cybersecurity incident or critical infrastructure disruption. Test your communication protocol (and backup protocols) to avoid being left without a clear mechanism for disseminating important information. Conduct a tabletop exercise with all key stakeholders to learn how you would react if the worst came to the worst.
Lock down your network: Small policy changes can reduce the likelihood of a successful attack on your network. Recent attacks have used popular collaboration and chat applications such as Trello and Discord to spread malicious files. The attackers simply used the platforms to host links to the files; the targeted users did not need to have the applications themselves installed. Many applications can be abused in this way, and if your business doesn’t need their functionality, blocking these applications can improve your security.
There’s no way to know for sure what form an attack will take, but these steps will help provide comprehensive protection against what we anticipate.