Private Sector Directed to Be on Alert for Potential Russian Cyber Attacks
As the Russian invasion of Ukraine becomes a protracted campaign, and as the United States and other countries impose sanctions and other penalties on Russia in response, the possibility of Russian cyberattacks directed at the West (or that spill from Ukraine) looms large. The Cybersecurity & Infrastructure Security Agency (CISA) of the U.S. Department of Homeland Security and the Federal Bureau of Investigation (FBI) recently issued a series of alerts to highlight the possibility of destructive malware attacks, ransomware, and other malicious cyber activity being fueled by the conflict in Ukraine, including specific risks directed at the defense contracting community and operators of critical infrastructure. The alerts serve as a reminder for companies of the importance of strong cyber defense and detection tools and the need for regular review of cybersecurity incident response plans in order to be in the best position to detect and respond to state-sponsored attacks. Should companies find themselves the target of an attack, Morrison & Foerster is well-positioned to assist with investigation and response, and outreach to law enforcement, relevant government agencies, customers, and other contacts as appropriate.
In an unprecedented “Shields Up” advisory, CISA warned all private sector organizations, including, but not limited to, those that operate and control our nation’s critical infrastructure, to be alert to the possibility of cyber threats to the U.S. homeland following the Russian invasion of Ukraine, particularly in light of the significant sanctions imposed by the United States and its allies. The Advisory recommends that all organizations report incidents or anomalous activity to CISA or the FBI and provides technical guidance for network defenders to protect their most valuable assets and to reduce the possibility of cyber intrusion. Through links within its advisory, CISA offers a number of cybersecurity resources and services to all companies. CISA advises corporate leaders and Chief Executive Officers, in particular, to ensure that their organizations are adopting a heightened security posture, including:
Over the weekend, CISA issued another alert, highlighting the risks of new strains of destructive malware, including WhisperGate and HermeticWiper, which have been observed in Ukraine since the escalation of tensions in the region earlier this year. Although the use of these tools appears to be directed at Ukraine, such attacks may spill over to organizations in other countries. In order to assess potential impact, one need only consider the impact of the NotPetya malware in 2017, which was similarly believed to be directed at Ukraine, but which is estimated to have caused more than $10 billion in damages globally.
As the United States announced sanctions against Russia on February 22, an FBI official asked U.S. businesses and local governments to be on alert for potential ransomware attacks as the conflict in Ukraine deepens, noting that Russia is a “permissive operating environment” for cybercriminals that “is not going to get any smaller.” These concerns are only amplified by the Conti ransomware group’s announcement on February 25 that the Conti group is in “full support” of the Russian government, and that “[i]f anybody will decide to organize a cyberattack or any war activities against Russia, we are going to use our [sic] all possible resources to strike back at the critical infrastructures of an enemy.” The Conti group’s announcement reflects yet another avenue through which the tension in Ukraine can raise the risks to private sector organizations globally.
In an alert directed specifically at the defense and intelligence sectors, Alert AA22-047A, Russian State-Sponsored Cyber Actors Target Cleared Defense Contractor Networks to Obtain Sensitive U.S. Defense Information Technology, CISA discusses the uptick over the past two years in Russia’s or Russian-backed actors’ targeting of U.S. cleared defense and intelligence community contractors and subcontractors, and the expectation that such efforts likely will accelerate. The alert includes tips to protect networks from malicious cyber activity, ranging from such basic measures as enforcing multi-factor authentication and strong passwords to enabling Microsoft 365 unified audit logs and using endpoint detection and response tools. CISA notes that the intrusions are designed to allow Russia and other state actors to acquire sensitive unclassified information, export-controlled technology, and proprietary trade secrets. Particularly at risk are companies that provide the following types of products and services to the U.S. government:
Russian state-sponsored cyber actors generally use brute force methods, spearphishing, harvested credentials, and known vulnerabilities to gain initial access to contractors’ networks. They then map the Active Directory to connect to domain controllers, from which they can extract login credentials and copies of documents. CISA encourages contractors to investigate all suspicious activities in their networks and cloud environments. The alert provides detailed suggestions for detection, remediation, and mitigation of hostile activities. Not only will these measures best protect the organizations, but they will also ensure full compliance with contractual cybersecurity requirements, which has been the focus of scrutiny by the Department of Justice (DOJ). See here for our discussion of the DOJ’s cyber fraud initiative directed at government contractors.
At bottom, the private sector should use these alerts as a catalyst to review their current cybersecurity posture and to ensure that they have robust and current incident response plans in light of a heightened threat environment. It is essential that all companies have in place cybersecurity incident response plans, know what types of data and information they store and where, and understand their legal and contractual responsibilities in the event of a cyber incident. Too often, we see clients scramble in the face of a stressful and potentially catastrophic cyberattack to determine who is in charge, who needs to be notified, and how best to mitigate damage. In addition to putting all possible “Shields Up,” companies must plan ahead in the event those shields are breached to create established response plans and to designate responsibility for essential tasks. Such preparation is well worth the time and effort and will leave companies in the best position to deal with the worst case scenario of a targeted attack.
Upcoming Sanctions Webinar
New Russia Sanctions: Details and Impact | Morrison & Foerster (mofo.com)
Join the MoFo National Security team and our sanctions lawyers based around the world for a webinar on 3/3/22 to learn about the scope and impact of significant new U.S., EU, and UK sanctions and export controls imposed in response to the Russian invasion of Ukraine.