Thursday, 10 March 2022

What Does the War in Ukraine Mean for Your Cyber Security?


Hackers have been active on both sides in the conflict between Russia and Ukraine. The Grant McGregor team asks: should you be worried? Could your IT systems be caught in the crossfire of the cyberwar? And how can you protect your IT systems?

We’ve all been shocked by the terrible events unfolding in the East of Europe over the last few weeks. Whether you’ve stepped up to help by donating to agencies working to help fleeing refugees(1), felt powerless in the face of the horrifying unfolding situation, or had to learn how to talk to your frightened children about war(2), none of us have remained untouched.

And while the war might seem far away from us, sheltered as we are on our little island, there are some immediate and pressing dangers of which IT and business leaders need to be aware. Namely, the increased activity in cyber warfare – and the propensity of organisational IT systems and IT users to become involved.

Cyber-attacks have stepped up

The UK’s National Cyber Security Centre (NCSC) has published several warnings about the increased risk facing business as a result of the Russian invasion of Ukraine. The first warning was published as early as January 28(3), when the NCSC urged UK organisations to bolster their cyber security resilience in response to the malicious cyber incidents in and around Ukraine.  

At that time, the NCSC warned, “The NCSC is investigating the recent reports of malicious cyber incidents in Ukraine. Incidents of this nature are similar to a pattern of Russian behaviour seen before in previous situations, including the destructive NotPetya attack in 2017 and cyber-attacks against Georgia. The UK Government has attributed responsibility for both these attacks to the Russian Government.”

A history of attacks on Ukrainian digital infrastructure

The 2017 NotPetya attack was not the first cyber-attack inflicted on Ukraine by Russian state actors. In 2014, Russian cyber activity was blamed for election interference. Then, in 2015, the first fully remote cyber-attack on a power grid caused countrywide power outages.

But the NotPetya attack did not stop at Ukraine’s borders. While it was primarily focused on Ukrainian banking and government targets, it spilled over to affect organisations across France, Germany, Italy, Poland, the UK, the USA and Australia.

Cyber-attack activity stepped up ahead of the Russian invasion. As Russian troops gathered on the Ukrainian border on January 13, around 70 Ukrainian government websites were taken down. A month later, DDoS attacks took down government websites and state-owned banking services.

The Harvard Business Review (HBR)(4) has warned that, “for Russia, the war with Ukraine has been likely serving as a testing ground for its next generation of cyber weapons.”

The international response

In response to the threat, the EU rapid cyber response team headed to Lithuania to defend against the cyber-attacks targeting Ukraine. Further, the international tech community has leveraged its resources to expose attacks and stop their spread.

Inside Ukraine, there has been an unprecedented effort in the midst of the armed conflict. The Guardian reports(5) that there is “a whole IT army of volunteers [that] was assembled in response to a request by the minister of digital transformation to support the country’s cyber-defence efforts, with reports of some even operating from within bomb shelters.”

While such international solidarity must be welcomed, it is not without its risks. HBR says, “given that the US and EU have banded together in support of Ukraine, the scope of a cyberwar could be broad.”

Could the attacks spill wider than Ukraine?

HBR warns that “there’s little chance that cyber-attacks will be limited to Ukraine. Governments and corporations should closely heed what’s going on there, because cyberwar can – and has – quickly spread across borders.”

It says organisations should be prepared to deal with both the direct and indirect consequences of such an attack. This means, as well as doing everything possible to protect their own systems from attack and ensure effective recovery systems are in place, organisations need to be prepared for other disruptions to service if critical infrastructure and government services are attacked.

The NCSC states, “Following Russia’s unprovoked, premeditated attack on Ukraine, the National Cyber Security Centre continues to call upon organisations in the UK to bolster their online defences.”

Actions to take now

The NCSC has published guidance(6) for organisations so that they can ensure that they are better placed to withstand an attack when the cyber threat is heightened.

The NCSC guidance focuses on a number of key actions:

• Check your system patching to ensure it is all up to date.

Read our suggestions for effective patching here.

• Verify access controls.

Read our suggestions for password security here. And read further advice about multi-factor authentication here.

• Ensure defences are working.

This means updating your anti-virus systems and checking to make sure they are working correctly. You can find further thoughts on device security here.

• Logging and monitoring

For many organisations, security operations centre (SOC) style monitoring is beyond their resources. Talk to your IT provider about the logs they monitor, how long they are held, and what proactive actions are taken when suspicious activity is identified. Read our advice here.

• Review your backups

We’ve long held that unless you are regularly checking your business continuity and disaster recovery plans, they aren’t fit for purpose. This includes checking to ensure backups are being taken correctly and properly secured. Your backups will be vital if you are the victim of a cyber-attack.

• Incident plan

Do you have an incident management plan? If not, here’s what you need to know.

• Check your Internet footprint

This means reviewing your entire external, internet-facing footprint to confirm its records are correct and up to date. Ensure that domain registration data is held securely. And check all patching is up to date; internet-connected services with unpatched security vulnerabilities are an unmanageable risk.

• Phishing response

Ensure that staff know how to report suspected phishing emails and other activity, such as social phishing attempts. Read our advice on this here.

• Third party access

This should be limited to minimised privilege. Make sure you remove any access that is no longer required. Read our “zero trust” explainer here.

• NCSC services

Start by reading the full guidance here(6). Sign up to NCSC email updates to make sure you stay up to date with the latest advice. And – of course – sign up to the Grant McGregor blog.

• Brief your wider organisation

In times of heightened threat, it’s more important than ever that cyber security isn’t seen as the sole preserve of IT. Everyone in the organisation needs to understand the threats and how to protect against them. Make it easy to report a problem – and ensure everyone knows how important it is to report suspicious activity quickly during times of heightened threat.

If you’re worried that your business isn’t fully protected, or that you don’t know the answers to any of the points above, don’t panic. We’re here to help.

Reach out to our people today, so that we can help ensure that you and your people are safe and secure, and your business protected.
Book a cyber security discovery call