Trustwave’s Action Response: Russia/Ukraine Crisis – Defending Your Organization From Geopolitical Cybersecurity Threats

Trustwave security and engineering teams are on heightened alert and are actively monitoring malicious cyber activity associated with and adjacent to the escalating military conflict between Russia and Ukraine. Trustwave is working closely with its clients around the world to enhance cyber preparedness during this time.

Organizations that operate in high-value, critical industries such as banking, critical infrastructure (energy, oil and gas, etc.) and supply chain should especially elevate their cyber posture during this time.

We have engaged our security teams across our global footprint to continuously harden our own cyber resilience and ensure service continuity for our clients as events unfold.

As the situation evolves and additional threat intelligence becomes available, we will continue to proactively detect and respond to emerging threats.

In addition to monitoring for cyberattacks and malware use during this time, the elite Trustwave SpiderLabs team is actively monitoring for phishing, social engineering techniques and Dark Web chatter associated with these events to further enhance cyber detection and response for our clients. For MSS clients that have managed solutions by Trustwave, we are validating available detective and preventative policies are deployed and are conducting historical searches for associated activity.

Trustwave is prepared to issue a swift response and assist any organizations that fall victim to cyberattacks associated with these geopolitical events.

Act Now: Government Agency Guidance to Prepare for Potential Threats

The Cybersecurity and Infrastructure Security Agency (CISA) recently issued multiple alerts associated with potential malicious nation-state cyber activity. CISA recommends all organizations – regardless of size – adopt a heightened posture when it comes to cybersecurity and protecting their most critical assets.

Trustwave encourages all organizations to follow CISA’s “Shields Up” guidance, which can be found here.

CISA has specifically provided guidance and resources for critical infrastructure organizations, which could be particularly targeted during this time:

CISA Insights: Preparing for and Mitigating Foreign Influence Operations Targeting Critical Infrastructure (pdf) (February 2022)
CISA Insights: Implement Cybersecurity Measures Now to Protect Against Potential Critical Threats   (pdf) (January 2022)
Alert (AA22-011A) Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure  (January 2022)

"The Russian government understands that disabling or destroying critical infrastructure – including power and communications – can augment pressure on a country's government, military and population and accelerate their acceding to Russian objectives," CISA said.

Organizations across regions should also review the following guidance from CISA’s partner agencies:

UK National Cyber Security Centre: NCSC advises organisations to act following Russia’s further violation of Ukraine’s territorial integrity
NZ National Cyber Security Centre:  General Security Advisory: Understanding and preparing for cyber threats relating to tensions between Russia and Ukraine
Canadian Centre for Cyber Security (CCCS): Cyber threat bulletin: Cyber Centre urges Canadian critical infrastructure operators to raise awareness and take mitigations against known Russian-backed cyber threat activity

What Type of Organizations Are at a Higher Risk During this Time

Organizations with business dealings with Ukrainian and Russian firms should take extra care to monitor, inspect and isolate traffic from organizations in that geography and closely review access controls for that traffic.

Nation-state or associated actors may have capabilities and intentions beyond those of a run-of-the-mill cybergang that are just looking to make a profit. With enough time and money, a nation-state is likely to succeed in gaining access, so it is imperative that organizations have a robust plan to detect and respond to a breach or major event.

It is also essential to keep in mind that threat actors do not always have financial gain in mind when launching an attack. There are times when a threat actor simply wants to break something, hinder operations, and cause chaos for geopolitical or ideological reasons.

All organizations should practice their response plans and remain vigilant.

Stay Alert: New Malware and Malicious Tooling Emerging

Organizations should also be aware of the new or repurposed malware tools now in the wild. The Russian-linked threat actor, dubbed Sandworm or Voodoo Bear, is using a “large-scale modular malware framework” that the cyber agencies have dubbed Cyclops Blink. Cyclops Blink has largely replaced the VPNFilter malware in Sandworm’s activities since at least June 2019. You can read the advisory from the National Cyber Security Centre here.

Additionally, according to ESET Research, Ukrainian organizations have been hit by a cyberattack that involved new data-wiping malware called HermeticWiper. The malware has impacted hundreds of computers across networks.

This malware attack followed a wide-scale distributed denial-of-service (DDoS) that took many important Ukrainian websites offline.

Trustwave Nation-State Threat Defense Insights and Recommendations

The playbook organizations should use to keep safe from a nation-state or associated cyberattack during this time remains the same. Having the cyber fundamentals in place is critical now more than ever. Here are some of our top recommendations for organizations, in line with the guidance provided by leading government cyber agencies:

Ensure that cybersecurity/IT personnel focus on identifying, detecting, assessing and responding to any unexpected or unusual network behavior.  
Conduct proactive threat hunting to ensure unknown threats are not lurking within your environment.
Conduct an asset audit focusing on assets that have external access; eliminate stale accounts and check privileged access.
Conduct a third-party vendor / supply chain assessment. Focus on those places where third parties have access to your environment. Ensure no old entry points are left open. 
Institute multi-factor authentication (MFA) for internal and external users. Check that passwords are strong.
Bring your workers to a higher state of alert, tell them to triple check links and attachments in emails before clicking to guard against phishing attacks.
Deploy an effective endpoint detection and response (EDR) solution.
Conduct crisis simulations to ensure all parts of your organization are prepared to respond to a major cyber event, not just IT staff.

The Long-Term Cyber Impact Trustwave is Keeping an Eye On

There is a possibility that the malware and other techniques attackers use will eventually make their way into the hands of conventional threat actors.

It is not uncommon for malicious code to get sold, traded, dispersed and then used for attacks against targets across industries like retail, e-commerce, etc. This activity might not take place for several months. Trustwave is actively monitoring for malicious techniques and code collaborations and sales on the Dark Web.