The federal government’s primary cybersecurity agency is urging computer network administrators for American critical infrastructure networks to immediately bolster security against electronic attacks following suspected Russian cyberstrikes against Ukraine.
Tuesday’s statement by the Cybersecurity and Infrastructure Security Agency (CISA) warned that increased security is needed urgently following “recent malicious cyber incidents in Ukraine.”
“Every organization in the United States is at risk from cyberthreats that can disrupt essential services and potentially result in impacts to public safety,” the notice said.
The warning comes against the growing Western fears of a Russian military invasion of Ukraine as more than 100,000 Russian troops, along with tanks and armored vehicles, are arrayed near the border.
Talks aimed at defusing tensions also have faltered as Russian officials step up security demands to block Ukrainian membership in NATO and to draw back NATO forces and weaponry in member-states along Russia’s western border.
The CISA, part of the Department of Homeland Security, said recent indicators of Russian cyber operations include the defacement of Ukrainian government websites and the placement of destructive malware on Ukrainian computer networks.
All American network administrators, including those in charge of critical infrastructures such as the electric power grid, financial systems and communications system, are being urged to act now. Defense analysts believe any Russian military incursion into Ukraine will be accompanied by military information warfare and cyberattacks designed to disrupt or confuse enemy military information systems.
CISA published a checklist of actions all organizations should take immediately to reduce the likelihood of damaging cyber intrusions.
On Friday, scores of Ukrainian government computer networks were hit with a cyberattack that included a threat to Ukrainians to “be afraid and wait for the worst.” The hackers also said personal data from the government had been stolen.
Ukrainian Foreign Ministry spokesman Oleg Nikolenko said Russia was behind the attacks. Investigators looking into the intrusions found indicators that “hacker groups associated with the Russian secret services may stand behind today’s massive cyberattack on government websites,” Mr. Nikolenko told reporters in Kyiv.
As many as 70 websites were targeted in the cyberattacks and most websites have mitigated the problems.
“Ukrainian! All your personal data has been uploaded to the public network. All data on the computer is destroyed, it is impossible to restore them,” the hackers’ message stated in Ukrainian, Russian and Polish. “All information about you has become public, be afraid and wait for the worst. This is for you for your past, present and future.”
The CISA notice also referred to a Microsoft warning two days after the Ukrainian cyberattacks alerting computer operators that destructive malware targeting the Ukrainian organization had been detected. The Microsoft Threat Intelligence Center (MSTIC) identified the malware that first appeared Jan. 13.
“Microsoft is aware of the ongoing geopolitical events in Ukraine and [the] surrounding region and encourages organizations to use the information in this post to proactively protect from any malicious activity,” the company said in a blog post.
The malware detected by Microsoft is designed to appear like ransomware but does not contain a ransom recovery mechanism used in criminal ransomware attacks designed to extort money from victim companies that have had their data encrypted. The malware instead “is intended to be destructive and designed to render targeted devices inoperable rather than to obtain a ransom,” Microsoft said.
Dozens of Ukrainian systems had the malware planted on both government and commercial systems and more could become infected, the company said.
“We strongly encourage all organizations to immediately conduct a thorough investigation and to implement defenses using the information provided in this post,” Microsoft said, noting that the activity appeared to be from a “nation-state actor.”
The CISA security checklist calls for monitoring all remote access to networks and making sure that software includes the latest security patches. All ports and protocols not essential for remote access should be disabled, and if cloud services are used, strong security controls should be put in place.
“If working with Ukrainian organizations, take extra care to monitor, inspect and isolate traffic from those organizations; closely review access controls for that traffic,” CISA stated.
For companies using industrial control systems or operational technology, administrators should conduct tests to make sure critical functions could be carried out if computer networks are disabled.
“In addition, while recent cyber incidents have not been attributed to specific actors, CISA urges cybersecurity/IT personnel at every organization to review [the publication] Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure,” the notice said.