How to Prepare for Russian Cyberattacks

Russia’s attack on Ukraine clearly isn’t limited to tanks, planes and missiles. Russia has already and will continue to deploy cybersecurity attacks as part of a strategy to destabilize or outright shut down its opponents. Most of us don’t play a role in battling nation-state cyber warfare. But this blog covers what organizations of all sizes should know about the potential impact of these global events and how you can take common-sense steps to protect your operations and data.

New Threats From a Familiar Source

Russian hacking isn’t a new threat, so you’ve probably been battling it for years without realizing it. President Biden addressed Russia’s harboring of hackers at a meeting with Vladimir Putin in June 2021, and government and private security professionals have been fighting Russian interference for at least a decade. In January 2022, CISA issued an alert focused specifically on understanding and mitigating Russian state-sponsored threats to U.S. infrastructure.

But Russia’s attack on Ukraine brings new urgency, as Russia has already sought to bring down Ukraine’s government and critical infrastructure, mainly via denial of service attacks and malware deployments. Thus far, the U.S. Cybersecurity and Infrastructure Agency (CISA) has said in a statement that there are no specific or credible threats to the U.S. homeland at this point. But as sanctions begin to take effect, attacks may ramp up.

Few organizations face a real possibility of direct attack by nation states. But impacts could still be widespread if threat actors manage to compromise supply chains or critical infrastructure. Recent breaches involving Kaseya and Log4j have shown how quickly attacks can cascade throughout a software ecosystem. Russia’s attack on Ukraine may be your wakeup call, but regardless of the current headlines, you should incorporate the following best practices to protect your environment.

Establish Basic Protections

• Enforce the use of strong passwords throughout your organization.
• If you’re not using multifactor authentication (MFA), deploy it as quickly as possible. This single tool can stop nearly any attack that depends on compromised user credentials.
• Update all your software to close known vulnerabilities.
• Deploy a monitoring tool such as Managed Extended Detection and Response (XDR) that can identify threatening activity and help you investigate it.

Review Your Incident Response Plan

If you do suffer a breach, a calm, organized, well-planned response can greatly limit the damage and speed up your recovery time. Now is the time to pull out your incident response plan and make sure that it accurately reflects who is on your team, the tools you have in place, etc. The same goes for your business continuity/disaster recovery (BC/DR) plan, which describes how you’ll keep operations going if a crisis occurs.

Set up a tabletop exercise to walk through a simulated breach and identify any missing or unclear steps in your plan. Many organizations have only vague notes, for example, about how they would restore data from backups. Take time now to investigate how your backups work and the exact steps and timeframe it would take to restore your critical data.

Cloud-based services could be high-value targets for foreign attackers. So your IR plan should address how you’ll maintain operations if you lose access for a time to your customer relationship management (CRM) platform, document exchange service, Microsoft Office 365, etc.

Vet Your Software Supply Chain

Again, this is something that should be part of your normal practice, especially after the Log4j breach showed how rapidly compromised source code can wreak widespread damage. Many software developers have relied heavily on outsourcing work to programmers in Russia and eastern Europe in recent years. It will be a massive task to comb through all of your code for elements with Russian origins. But this process may become necessary to ensure that no allies-turned-adversaries left a pathway into your system for Russia to potentially exploit.

Report What You’re Seeing

U.S. authorities count on reports from private organizations to help them maintain an accurate picture of current threats. If you experienced an incident or spot anomalous activity, report it to:

CISA – [email protected], 888-282-0870
FBI – Your local FBI field office or [email protected], 855-292-3937.

If you experience a breach and need immediate assistance with assessing the situation and getting back online, call the HBS Incident Response Line 515-965-3756 ext. 9

If you need advice on getting your policies and plans in place, contact us today.