UPDATED March 25, 2022:
The Biden Administration released a statement on March 21 urging companies to strengthen their cybersecurity capabilities and protections in the face of potentially damaging cyber activity perpetrated by threat actors as part of the ongoing conflict. The Administration also urged organizations to execute a number of best practices for bolstering cyber defense capabilities.
Additionally, the Cybersecurity & Infrastructure Security Agency (CISA) website’s Shields Up page is an excellent resource to help prepare for disruptive cyber incidents.
The NetWitness Incident Response team is available to assist organizations with enacting these recommendations and to provide several other services, and does not require organizations to be existing NetWitness customers or to have NetWitness technology in place. You can learn more about NetWitness Incident Response services here, and if you need immediate help responding to a breach or suspected cybersecurity incident, contact NetWitness here.
Original post:
On Thursday, February 24, 2022, Vladimir Putin, President and former Prime Minister of the Russian Federation, announced a “special military operation” in defense of the Donbas, a separatist region in southeastern Ukraine that has existed for the last eight years. The Russian Federation had officially recognized the Donbas only a few days earlier, on February 21. Shortly after the announcement, the world watched as the Russian Federation military conducted airstrikes against multiple locations in Ukraine and then launched an invasion by air and on the ground.
The geopolitical impact of the Russian Federation’s invasion is of course significant for many reasons, not least because it has the potential to spill from the physical world into the digital realm. It is no secret that Russia-based hacking groups with ties to the government have been executing cyberattack campaigns against Ukraine and other nations to the west for years, so many enterprises and government agencies are rightfully concerned about the potential for these groups to unleash large-scale attacks, and about whether their current cybersecurity capabilities are adequate.
The NetWitness Threat Intelligence Content team has been monitoring the conflict proactively since its initiation. We continue to assess all credible sources to determine what actions the Russian Federation and/or their proxies are taking against Ukraine and NATO nations to advance and support the invasion.
At this time, we have not sourced or confirmed any irrefutable intelligence connecting actions taken by the Russian Federation in coordination with the conflict to effects on the cybersecurity of entities in the West.
Of course, that finding is subject to change, as the conflict is a fluid and ever-evolving situation with many moving parts. In fact, we’re seeing the possibility of some connected attacks in Europe, but investigations around those attacks are ongoing.
We have, however, observed some actions taken against Ukraine. As reported by international media outlets, numerous government ministries and financial services organizations were hit by a wave of DDoS attacks. Security researchers also discovered a “wiper” tool being deployed against a small number of computers to destroy their data. Additionally, Ukraine’s cyber defense force issued a warning on social media about phishing attempts being made against citizens.
As of the time of this writing, there are no intelligence reports that connect these actions directly to the Russian Federation’s Main Directorate of the General Staff (commonly referred to as the GRU) or that attribute the advances in malware campaigns to it.
However, this does not mean that entities should let down their guard or become complacent about their cybersecurity posture. We advise all enterprises (NetWitness customers and non-customers alike) to take the following actions:
- Patch all systems and infrastructure
- Update all endpoint-based offerings
- Update all network-based offerings
- Familiarize yourself and your teams with your organization’s processes and procedures related to incident response
- Ensure that you and your staff are prepared for social engineering-driven attempts at compromise, including:
  - Phishing
  - Spear-phishing
  - Social media
  - Human intelligence-driven efforts
We will be updating this blog post with pertinent updates and information, so we encourage you to check back in regularly.
If you feel that you may have been the target of an attack or need immediate help, contact the NetWitness Incident Response team here.