On the heels of rising cyberattacks, as cybercriminals exploit the global pandemic to steal valuable data and gain unauthorized access to systems, U.S. businesses are now confronted with looming Russian cybersecurity threats amid the conflict with Ukraine.
The conflict in Ukraine is being felt far beyond the region’s borders as Russia’s formidable cyber forces look to launch a new wave of cyberattacks on Western energy, finance, and communications infrastructure.
In February, the Cybersecurity and Infrastructure Security Agency (CISA) issued a warning about the risk of Russian cyberattacks spilling over onto U.S. networks, following earlier CISA warnings about the risks Russian cyberattacks pose to U.S. critical infrastructure. The latest CISA report warns of:
- Destructive malware aimed at organizations in Ukraine that may spread to businesses in other countries, especially as sanctions continue. The malware known as WhisperGate, for example, has been used against organizations in Ukraine: it displays a fake ransom note and encrypts files based on certain file extensions. Destructive malware of this kind can destroy data, render devices inoperable, infiltrate networks, cut off access to critical data, and disrupt daily operations.
- The malicious cyber actor known as Sandworm or Voodoo Bear is now using new malware, referred to as Cyclops Blink, which appears to be a replacement framework for the VPNFilter malware exposed in 2018. This malware targets network devices, primarily small office/home office routers and network-attached storage devices.
- Recent regular targeting of U.S. cleared defense contractors (CDCs) by Russian state-sponsored cyber actors, attacking both large and small CDCs and subcontractors with varying levels of cybersecurity protocols and resources.
- Russian state-sponsored APT actors have performed large-scale scans in an attempt to find vulnerable services, and have run spearphishing campaigns to obtain credentials for target networks.
- Russian state-sponsored cyber actors have gained network access by exploiting default multifactor authentication (MFA) protocols together with a known vulnerability. In 2021, Russian state-sponsored cyber actors took advantage of a misconfigured account left on default MFA protocols at a non-governmental organization that used Cisco’s Duo MFA, allowing them to enroll a new device for MFA and access the victim network.
Business and IT leaders should be preparing and testing the strength of their cybersecurity and intelligence protocols, including the review of business continuity plans, close examination of supply chain infrastructure, instilling a security mindset in employees, and ensuring collaboration between corporate intelligence and IT teams around cybersecurity threats.
In addition, MFA is one of the most important cybersecurity practices to reduce the risk of intrusions. According to industry research, users who enable MFA are up to 99% less likely to have an account compromised. Therefore, every organization should enforce MFA for all employees and customers and encourage every user to sign up for MFA when available. Equally critical is the review of default configurations and modifying those as necessary to reduce the likelihood of a sophisticated adversary circumventing this measure.
Hope for the Best, Prepare for the Worst.
Although experts in the field say the Kremlin is likely still weighing whether destructive action in cyberspace is worth the blowback, there is a real likelihood that Russia will use cyberattacks in response to the crippling level of sanctions against the country. Therefore, agencies such as CISA are urging businesses to remain ‘laser-focused on resilience’ following cyberattacks that left several Ukrainian government websites down.
If you’re seeking a role as a cybersecurity professional or are looking to hire cybersecurity professionals for your team, please reach out to us today for more information.