Responding to Cyber Attacks Abroad
Amidst Russia’s attack on Ukraine, it is unsurprising to hear of Russian cyberattacks aimed at weakening Ukrainian infrastructure. While some of these efforts have successfully infiltrated Ukrainian networks and disrupted the lives of citizens, Russia’s cyber operations are better described as trench warfare: their heaviest impact has fallen on small business owners, local infrastructure, and influential individuals.
Strontium, a group also known as Fancy Bear or APT28, has specifically targeted Ukrainian infrastructure entities as well as EU and US government bodies involved in foreign policy decision making. Once successful breaches outside the conflict zone were identified, governments and private companies alike stepped up to curb the success and influence of Russian hackers.
On the 11th of May 2022, the UK’s National Cyber Security Centre (NCSC), together with its partners in the US, Australia, Canada, and New Zealand, issued a joint advisory for managed service providers (MSPs) and their customers, outlining steps to better protect themselves in light of Russia’s attacks on Ukraine. The advisory urges MSPs and their clients to strongly consider the following measures:
- Enable and contractually require MFA on all customer services and products
- Conduct rigorous security risk assessments across all groups to identify vulnerabilities and prioritise resource allocation
- Enable monitoring and logging
- Keep log records for at least six months, since there is often a long lag between when a breach occurs and when it is detected
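The retention point is easy to state and easy to violate in practice, because rotated logs are usually pruned by file count or disk space rather than by a calendar window, so a six-month policy on paper can leave holes in the record. The script below is an added example, not code from the NCSC advisory or from Thrive. It assumes rotated daily log files named `<name>-YYYYMMDD` with an optional `.gz` suffix (a common logrotate layout; the `ROTATED` pattern is an assumption to adapt), reads a constructed listing of such files, checks whether every day of the 180-day window is actually covered, lists the days with no log at all, and answers the question an incident responder asks first: do the logs from the day of initial compromise still exist on the day the breach is detected?

```python
"""Log-retention coverage check.

Added example for the six-month retention recommendation; it is not code from
the NCSC advisory or from Thrive. It assumes rotated daily log files named
<name>-YYYYMMDD with an optional .gz suffix (a common logrotate 'dateext'
layout); adapt ROTATED if your rotation scheme differs. All file names and
dates below are constructed sample data.
"""
from __future__ import annotations

import re
from datetime import date, timedelta

# Assumed rotation naming: <name>-YYYYMMDD[.gz]
ROTATED = re.compile(r"^(?P<name>[\w.]+)-(?P<day>\d{8})(?:\.gz)?$")

REQUIRED_DAYS = 180  # six months, as the advisory recommends


def parse_day(filename: str) -> date | None:
    """Return the date encoded in a rotated log file name, or None if the name does not match."""
    m = ROTATED.match(filename)
    if m is None:
        return None
    d = m.group("day")
    try:
        return date(int(d[:4]), int(d[4:6]), int(d[6:8]))
    except ValueError:  # e.g. 20220230: eight digits but not a real date
        return None


def coverage_report(filenames: list[str], today: date, required_days: int = REQUIRED_DAYS) -> dict:
    """Summarise how much of the required retention window is actually covered.

    A day counts as covered if at least one rotated file carries that date.
    'gaps' lists every day inside the window with no log at all, so both a
    retention period that is too short and a hole in the middle of a long one
    are caught by the same check.
    """
    covered = {d for d in map(parse_day, filenames) if d is not None}
    window_start = today - timedelta(days=required_days)
    window = [window_start + timedelta(days=i) for i in range(required_days)]
    gaps = [d for d in window if d not in covered]
    oldest = min(covered) if covered else None
    return {
        "oldest": oldest,
        "days_retained": (today - oldest).days if oldest else 0,
        "gaps": gaps,
        "meets_retention": not gaps,
    }


def covers_incident(filenames: list[str], compromise_day: date, detection_day: date) -> bool:
    """True if a rotated log exists for every day from initial compromise up to (not including) detection.

    The live log for the detection day is still being written, so only the
    rotated days before it are checked.
    """
    covered = {d for d in map(parse_day, filenames) if d is not None}
    span = (detection_day - compromise_day).days
    return all(compromise_day + timedelta(days=i) in covered for i in range(span))


# Constructed sample: 200 days of rotated auth logs with one day missing (45 days ago),
# plus the live file and a malformed name, both of which parse_day ignores.
TODAY = date(2022, 7, 1)
SAMPLE_FILES = [f"auth.log-{TODAY - timedelta(days=i):%Y%m%d}.gz" for i in range(1, 201) if i != 45]
SAMPLE_FILES += ["auth.log", "syslog-2022063.gz"]


if __name__ == "__main__":
    report = coverage_report(SAMPLE_FILES, TODAY)
    print(f"oldest log: {report['oldest']}  ({report['days_retained']} days retained)")
    print(f"meets {REQUIRED_DAYS}-day retention: {report['meets_retention']}")
    for gap in report["gaps"]:
        print(f"  no log for {gap}")
    # Incident discovered today, initial compromise 90 days ago: does the evidence still exist?
    print("logs cover incident:", covers_incident(SAMPLE_FILES, TODAY - timedelta(days=90), TODAY))
```

On the constructed sample the oldest file is 200 days old, so a naive "how far back does the directory go" check passes, yet the report fails the retention test because one day 45 days ago is missing, and an intrusion that began 90 days ago would have a hole in its evidence trail. Running the same check against the real rotation directory (or the SIEM's own retention metadata) is the practical way to confirm the advisory's six-month requirement rather than assume it.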
US Department of Justice (DOJ) Efforts
The US DOJ disrupted a botnet of thousands of internet-connected firewall devices that had been compromised by Sandworm, the group alleged to be GRU-sponsored. Following a court-authorised operation, the DOJ’s National Security Division targeted the Command and Control (C2) devices that operated the botnet, closing the external management ports which Sandworm had originally used to access them.
Help from Microsoft
Since 2016, Microsoft has worked to dismantle infrastructure used by Russian GRU-connected actors such as Strontium and Sandworm. Through a legal process specifically designed to let it act quickly against these groups, Microsoft has used the process 15 times to seize control of more than 100 Strontium-controlled domains.
Cybersecurity authorities in the US, Canada, Australia, New Zealand, and here in the UK jointly issued a Cybersecurity Advisory (CSA) on the 20th of April 2022 warning of Russian state-sponsored actors as well as Russian-aligned cybercrime groups. Among the tactics listed were ransomware, DDoS attacks, and destructive malware, alongside efforts to maintain persistent access to IT networks, exfiltrate sensitive data from those networks, and disrupt critical industrial control systems (ICS).
Avoiding the Impact of Cyber Attacks
There are many steps that organisations and individuals can take to avoid, or at least minimise, the impact of a cyberattack, no matter its geographic source.
1. Complete a Cybersecurity Risk Assessment
A Cybersecurity Risk Assessment is the best way to establish your baseline: it identifies the areas of your security programme that are up to par and those that need preventative attention. Knowing the current state of your cybersecurity posture is the first step towards a better secured network, and Thrive can help.
2. Routinely Update Software
When new vulnerabilities are identified, vendors release patches and updates to close them. Ensure that all of your bases are covered, including operating system updates, application and firmware updates, and updates to network infrastructure assets such as routers, switches, and firewalls.
3. Enforce MFA
To the greatest extent possible, require a second authentication factor for every user on every device. Minimum password strength requirements are also strongly encouraged, to reduce the likelihood of a successful brute-force attack.
4. Provide End-User Awareness Training
The most effective place to stop cyberattacks is at their most common breach point: the end-user. Social engineering, spear phishing campaigns, and SMS phishing (sometimes referred to as “smishing”) can all be recognised and avoided with proper anti-phishing and cybersecurity awareness training from Thrive.
What Is Your Risk Exposure?
Russia is neither the first nor the last government to engage in cyber warfare for monetary or military gain. While Russia’s efforts have targeted Ukrainian entities and politically influential groups abroad, cyberattacks originate from, and target people in, every corner of the globe. Keep your cyber defences up to date with a team that is on the cutting edge of security news; contact Thrive today to learn more.