As the Russia-Ukraine conflict continues to evolve, RH-ISAC is releasing regular threat intelligence and analysis as it relates to cybersecurity risks. Core Members can access the full intelligence reports in the Analyst and CISO Member Exchange communities. Additionally, RH-ISAC’s initial situational analysis and recommendations are available here.
This post will offer ongoing open-source updates and analyses from RH-ISAC intelligence analysts.
March 22, 2022
Kinetic, economic, and cyber hostilities continue in the Russia-Ukraine crisis. To date, there are no reports of known major cyberattacks on organizations in the retail, hospitality, or transportation sectors in connection with the conflict.
The U.S. Government has issued an urgent warning for organizations to harden their cybersecurity after evolving intelligence emerged suggesting the Russian government is reassessing the possibility of disruptive and/or destructive cyberattacks on public and private sector targets in the US in response to international sanctions. No specific threats or attacks have been made public so far.
While companies in the retail and hospitality sectors will be lower on a priority target list for Russian state-backed threat actors, the government advisory to harden defenses should be treated as serious and urgent. Spillover attacks remain a major concern, and prominent brand names will always constitute a valuable target, if only for the publicity an attack would generate.
RH-ISAC members in the transportation sector, such as air travel, may rank higher as targets because of their role in critical international infrastructure, and should remain proactive in shoring up defenses.
Based on past Russian state-sponsored retaliation to sanctions, the attack types most likely to reach the retail and hospitality sectors are targeted DDoS attacks, ransomware, and phishing/spearphishing. The likelihood of such attacks increases the longer sanctions harm the Russian economy and the more the Russian government is tempted to turn to cybercrime as an alternate revenue stream.
Among US government recommendations, major steps organizations can take include:
- Implementing multi-factor authentication
- Establishing low reporting thresholds for suspicious activity
- Patching vulnerable components
- Maintaining offline backups of critical data
- Encrypting critical data at rest and in transit
- Updating incident response playbooks and conducting tabletop exercises to test response processes
- Continuing to educate employees and users on good cyber hygiene
March 8, 2022
Kinetic, economic, and cyber hostilities continue in the Russia-Ukraine crisis. To date, there are no reports of known major cyberattacks on organizations in the retail, hospitality, or transportation sectors in connection with the conflict.
Below are updated readings related to the conflict:
- The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates
- New RURansom Wiper Targets Russia
March 7, 2022
While the violence has continued to escalate over the past few days, the Russian government made several public statements indicating that any actions by foreign nations connected to establishing a no-fly zone over Ukraine or imposing sanctions on Russia in response to the invasion would be considered by Russia as “active participation in armed conflict” and “akin to a declaration of war,” respectively.
While not immediately actionable, this rhetoric further raises the likelihood of retaliation by the Russian government and state-linked actors against targets in countries connected to the European Union, NATO, and any country that has joined the international sanction effort. Retaliation under similar circumstances has historically involved significant, high-profile cyberattacks on private and public sector organizations. The longer the violence continues and the more intense the international pressure on the Russian government becomes, the more likely cyber retaliation against Western targets becomes. As such, RH-ISAC members should remain alert and focused on solid cyber defense hygiene.
March 3, 2022
Kinetic, economic, and cyber hostilities continue in the Russia-Ukraine crisis. To date, there are no reports of major cyberattacks on organizations in the retail, hospitality, or transportation sectors in connection with the conflict.
While violence focuses on major cities and ports in Ukraine, there has reportedly been some progress in negotiations between the two nations in the form of an agreement to allow safe corridors for civilian evacuation and aid deliveries. Thus far, this has had no discernible impact on the cyber theater one way or the other, nor is it likely to. Historically, nation-state cyberattacks are tools of geopolitical pressure, used instead of or alongside kinetic conflict. As a result, cyber aggression is often decoupled from peace talks, because it is seen as an alternative to escalation, or at least as disconnected from escalatory actions. Members should continue to prepare incident response plans and processes.
Below are updated readings related to the conflict:
- Russian Government Lists IPs and Domains Allegedly Aiming DDoS Traffic at Russia
- DanaBot Launches DDoS Attack Against the Ukrainian Ministry of Defense
March 2, 2022
Hostilities continue in Ukraine, spurring ongoing international turmoil in the economic, political, and cyber spheres. Sanctions continue to increase in severity and reach, and global public opinion continues to trend unfavorably for the Russian government, which in turn contributes to increasing cyber activity. To date, no major attacks on organizations in the retail, hospitality, or transportation sectors have been reported in open source. However, intensifying cyber aggression between Russia and Ukraine increases the likelihood of spillover attacks in the coming weeks on secondary and tertiary targets, such as major industry and infrastructure leaders in countries connected with the combatants. Attacks on major industry leaders by sophisticated criminal organizations and state-backed groups would be consistent with past responses to sanctions of the severity currently being imposed.
Thus far, cyberattacks that can be reasonably linked to the conflict have been restrained and focused. This limited scope could result from one or several factors, including but not limited to: the reluctance of groups to pick sides; the desire of the Russian government to limit the international ripples of the conflict for future negotiating purposes; or a lack of foreknowledge by groups about the conflict, since effective attacks require significant preparation time.
Below are updated readings related to the conflict:
- Ukrainian Cyber Resistance Group Targets Russian Power Grid, Railways
- Details of ‘120,000 Russian soldiers’ leaked by Ukraine
- Russian Cyber Attacks Against US Banks Increasing
- Russia-Linked Hacker Gang Claims Ransomware Attack On McDonald’s
March 1, 2022
Below are updated readings related to the conflict:
- Leaked Conti group communications have been translated to English
- RiskIQ: Fraudulent Website Spoofing UNHCR for Ukrainian Refugees Seeks Bitcoin Donations
- Details on IsaacWiper and HermeticWizard malware targeting Ukrainian networks
February 28, 2022
Kinetic, economic, and cyber hostilities continue in the Russia-Ukraine crisis. To date, there are no reports of major cyberattacks on organizations in the retail, hospitality, or transportation sectors in connection with the conflict. Speculation on social media has linked various outages and cyberattacks to Russian actors and the conflict, but so far without verifiable or convincing evidence. The RH-ISAC will continue to provide updates on the situation as it develops.
Below are updated readings related to the conflict:
- Enercon on Monday said a “massive disruption” of satellite connections in Europe was affecting the operations of 5,800 wind turbines in central Europe. “The exact cause of the disruption is not yet known. The communication services failed almost simultaneously with the start of the Russian invasion of Ukraine,” Enercon said in a statement.
- A Ukraine border control station was allegedly struck with a data wiper cyberattack that has slowed the process of allowing refugees to cross into Romania. The station reverted to filing forms on pen and paper.
February 27, 2022
The United States and the European Union have reacted to the recent escalation in the conflict with severe sanctions that threaten to isolate the Russian financial system and economy, combined with a campaign of global isolation targeting Russian media, national airlines, and sporting events, and growing calls for boycotts of Russian products. Fears of Russian retaliation are growing in step. Calls for cyberattacks by hacktivist groups against Russian sites, including the formation of a so-called “IT Army” announced by Ukraine’s Minister for Digital Transformation Mykhaylo Fedorov for the purpose of launching cyberattacks against Russian critical infrastructure, government agencies, banks, and hosting providers, are likely to trigger retaliatory cyberattacks by Russian and pro-Russian actors and hacktivist groups. This is highlighted by the Conti ransomware group’s announcement on February 25 that it will retaliate against any cyber (or physical) attack against Russia. This ratcheting up of cyber warfare rhetoric and attacks, while unlikely to have any impact on the conflict itself, will likely further expose the digital infrastructure of Ukraine, and possibly European nations and the United States, to costly cyberattacks.
CISA Releases Advisory on Destructive Malware Targeting Organizations in Ukraine
CISA and the Federal Bureau of Investigation have released an advisory on destructive malware targeting organizations in Ukraine. The advisory also provides recommendations and strategies to prepare for and respond to destructive malware.
February 25, 2022
The situation in Ukraine remains critical and fluid. No major cyberattacks related to the conflict were reported today, but below are some open-source readings on minor developments.
- Details and indicators of recent DDoS attacks targeting Ukraine and Russia
- The Conti ransomware group posted and later updated a public notice threatening cyber retaliation against nations that carry out cyberattacks against Russia. The update to the statement clarified that the group claims no allegiance to any government and mentioned the United States specifically.