As the Russia/Ukraine crisis develops, RH-ISAC is working to provide guidance to the retail and hospitality community concerned with the situation’s impact on their operations.
Historically, Russian cyber activities during regional conflict start with massive DDoS attacks against the target states’ communications and civil infrastructure organizations. Other opportunistic attacks such as ransomware and data breaches follow, primarily by financially motivated threat actors who operate with impunity from Russia and allied states.
RH-ISAC intelligence observations of tactics, techniques, and procedures related to Russian cyber capabilities indicate that it is unlikely that there will be direct attacks against the retail, hospitality, and travel sector. However, the community should be aware of potential collateral impacts.
Potential Cyber Ramifications
- In the event of massive disruptions, the retail, hospitality, and travel sectors will likely be impacted in many ways as collateral damage and secondary targets, and not as direct targets
- Russia-affiliated cyber actors will likely continue to target the Ukrainian government and critical infrastructure organizations in a coordinated effort to keep the government and the resolve of the Ukrainian people under pressure and in disarray
- Russian actors outside of Moscow control will likely continue to target Ukraine and possibly other Western targets but are unlikely to cause significant disruptions beyond Ukraine’s borders
- A significant concern is a spillover of cyberattacks against Ukraine that could impact global supply chains and commerce, like the 2017 NotPetya cyberattack
- Cyberattacks, if any materialize, will likely focus on the digital and communications assets of government agencies, militaries, critical infrastructure, and supply chains
In the face of a largely ambiguous threat against such a massive potential attack surface, the RH-ISAC offers the following general recommendations:
- Ensure that all vulnerable systems and assets are patched with the most current security updates
- Implement access control security measures
- Update incident response playbooks
- Conduct response exercises with a focus on potential threats related to the current crisis
- Educate workforces to be vigilant and not fall prey to phishing or other threats that attempt to capitalize on topics of current interest
The RH-ISAC will continue to monitor the situation and update the community with any developments relevant to our sector. We are working closely with our National Council of ISAC partners, as well as Core and Associate Members, to collect and share information that will assist the community in preparing for and understanding the indirect impact of these events.
Members can find updates on the developing conflict, further analysis of sector exposure, and specific known Russian APTs and TTPs on the threads in the Analyst and CISO Member Exchange communities. Learn more about RH-ISAC membership.
This guidance was originally published on February 23, 2022 and updated on February 25, 2022.