Editor’s note: This article is part of a series looking at cyberattack developments related to the Russia-Ukraine war. The other articles are a historical look across 15 years of Russian cyberattack behavior during times of conflict, advice on how to protect your organization from potential attacks, and a regularly updated timeline of cyberthreat developments related to the Russia-Ukraine war.
The presidential warning
On Monday, March 21, the White House issued a warning that U.S. intelligence has been detecting increased activity by Russian state-backed attackers intended to compromise western infrastructure.
President Biden tweeted, “I’ve previously warned about the potential that Russia could conduct malicious cyber activity against the U.S. Today, I’m reiterating those warnings based on evolving intelligence that the Russian Government is exploring options for potential cyberattacks.”
In addition to a White House statement that provided comments from the President, the White House also published a “FACT SHEET” with advice for organizations, especially critical infrastructure operators.
Many security researchers and cybersecurity experts have been concerned about a calm before the storm in cyberspace related to the Russia-Ukraine war, so let us break this down and try to be sure we understand the message the White House is sending.
The fact sheet advisory
The fact sheet advice is spot-on. It tells organizations to do the very thing experts and researchers have been preaching for some time now. What is especially welcome is that the statement not only lists the most important security technologies and policies for an effective defense but includes things that “technology and software companies” need to do to have a secure foundation for apps to be built upon.
The political statement
The President’s statement, though, is more like reading tea leaves. The U.S. has intelligence about Russian activity but appears unwilling to share too much of what that with the public.
White House Cybersecurity Advisor, Ann Neuberger participated in a press conference Monday afternoon answering questions from the press.
Neuberger reiterated that there was no specific threat, yet also acknowledged that the FBI and CISA (the Cybersecurity and Infrastructure Security Agency) had held classified briefings with around 100 organizations they thought might be at highest risk. In general, the implication was that U.S. intelligence believes they have observed a lot of scouting and scanning from known Russian assets that indicates they may be seeking access to more American networks.
Unfortunately, this is likely to indicate a “next phase” in this war.
The next phase of cyber conflict
The ground advance has been leading to a standstill as the Ukrainian’s hold their ground and Russia appears to be taking heavy losses for every small advance. The sanctions are starting to hurt and as a result we may see Russia and affiliated groups try to cause retaliatory pain against those who they believe have imposed this cost to their economy.
When I say affiliated groups, I mean everyone and their bare acquaintances. The problem here is that in addition to the Ukrainian IT Army and Anonymous, who espouse support for Ukraine, we also have Russian patriots and criminal groups like Conti who may throw their hats into the ring. This muddies the waters making the “fog of cyberwar” even worse than it has already been.
Worse is the abysmal state of security defenses in unregulated private organizations in general. Every day we assist companies who have only protected some of their assets, keep few if any, logs, are months if not years out of date on patching their systems and have open remote access to the internet with single-factor authentication.
The good news is that CISA has been working with private sector operated critical infrastructure to improve the situation, but it is a long and slow journey. The largest and most critical appear to be in satisfactory shape, but state and municipal security is as bad or worse than the private sector companies.
There is significant risk here if things escalate and we all need to do our part. The White House does not make these types of statements every day, so we are clearly in extraordinary times. The time for upping our game was yesterday, but that does not mean it is too late or we should not make a go of it.
Assess your organization against the list in the fact sheet and see if you have all these areas covered. If you are not sure where to start, work with your security providers to help you prioritize the most significant changes you can make in a timely manner to ensure you are stronger tomorrow than you are today. If you feel you are at high risk, now would be a suitable time to get services on retainer to help you deal with an incident if you do not already have these services in your incident response plan.
The best time to prepare for an incident is now. It is rare for the U.S. President to be concerned enough about a security risk to personally make mention of something you play a part in. In the end, it doesn’t matter whether your adversary is Russian spies, ransomware criminals or do-good vigilantes, the advice is the same in the end. It is time for Shields up!.