Last Updated: February 25, 2022
On February 24, 2022, Russia launched a military incursion into Ukraine. Late February 23, Secureworks® Counter Threat Unit™ (CTU) researchers investigated reports of denial of service and wiper attacks impacting Ukrainian government entities and financial institutions. These attacks appear to specifically target Ukrainian organizations, and the lack of a NotPetya-like `wormable` propagation capability reduces the potential for them to spread beyond Ukraine`s borders.
Additional disruptive attacks on Ukrainian entities in support of ongoing Russian military operations are likely. There is also potential for reprisal cyberattacks in response to Western economic sanctions. The reprisal attacks may be conducted by Russian government-sponsored threat or independent threat actors with a pro-Russia agenda.
Computer security incident response teams around the world, including the U.S. Cybersecurity Infrastructure Security Agency (CISA), the UK National Cyber Security Centre (NCSC), and the European Union Agency for Cybersecurity (ENISA), published joint guidance on best practices to help organizations raise their cyber resilience.
Recommended Actions
Due to the rapidly deteriorating security situation in Ukraine and the speed at which cyberattacks can unfold, CTU™ researchers strongly advise organizations to consider applying network segmentation to separate business operations located in Ukraine from other global networks. This separation includes severing persistent VPN connections or remote network shares with suppliers or business partners operating in Ukraine. Organizations operating in Ukraine should also prepare for continuity of operations if they experience power disruptions or loss of business-critical services.
In anticipation of reprisal attacks following Western sanctions or military response, CTU researchers advise organizations globally to increase vigilance. Organizations should review their business continuity plans and restoration processes to address ransomware-style or wiper malware attacks. Additionally, it is important to maintain fundamental security practices such as patching internet-facing systems against known vulnerabilities, implementing and maintaining antivirus solutions, and monitoring endpoint detection and response solutions. Organizations should also monitor and follow advice issued by the U.S. State Department or equivalent government departments or ministry of foreign affairs.
Secureworks Actions
CTU researchers are monitoring activity associated with the escalating conflict and are collaborating closely with the Joint Cyber Defense Collaborative and with other public and private sector partners. Multiple CTU deliverables discussing the ongoing situation have been published since mid-January, including an advisory on February 21.
For Secureworks customers using our solutions like Taegis™, there are many existing countermeasures to detect known tools used by Russian threat groups. However, the activity targeting Ukraine will likely employ previously unobserved tools. CTU researchers are analyzing reported threats and developing new countermeasures as appropriate. Endpoint countermeasures have been released for the wiper malware reported on February 23.
References
https://www.cisa.gov/shields-uphttps://www.ncsc.gov.uk/news/organisations-urged-to-bolster-defences
https://www.enisa.europa.eu/news/enisa-news/joint-publication-boosting-your-organisations-cyber-resilience