As international pressure grows over Russia's conflict with Ukraine, major U.S. enterprises — particularly those operating critical infrastructure — are in the crosshairs of a nation-state military standoff that could easily spill onto the cyber terrain.
Russia, largely isolated by the United States and key NATO allies, has demonstrated the will and ability to leverage a sophisticated arsenal of cyber capabilities from its military intelligence arm and a range of proxies from the country's criminal underground.
For private sector companies and critical infrastructure providers in Ukraine, the U.S. and other western allies, there is a likelihood, if not an expectation, that cyberattacks will accompany any physical conflict. Cyber activity targeting production facilities, data storage centers and intellectual property could sow chaos and weaken resolve among allied nations.
The Cybersecurity and Infrastructure Security Agency is taking this "very seriously," Jen Easterly, director of the agency told the National Governors Association winter meeting in late January.
CISA has been working since early December "with our federal partners, our state and local partners and our industry partners to make sure that they're aware of the potential threats," Easterly said.
The National Cyber Security Centre (NCSC) in the U.K. on Friday urged companies to bolster their cybersecurity resilience by patching systems, enabling multifactor authentication, and backing up data, among other steps. NCSC has no specific threat information about attacks on U.K. organizations but is monitoring the situation in Ukraine, according to Paul Chichester, director of operations.
"Over several years we have observed a pattern of malicious Russian behavior in cyberspace," Chichester said in a statement.
Last month's cyberattacks in Ukraine, including the defacing of multiple government websites, contained the hallmarks of activity the NCSC has seen before.
The FBI, CISA and the National Security Agency put out a joint advisory in January about potential cyberthreats against U.S. critical infrastructure. CISA also warned U.S. companies to protect their IT systems against destructive wiper malware, which has been used against targets in Ukraine.
The U.S. assessed total losses related to the NotPetya cyberattack in 2017 at $10 billion, as Russia trained its sights on Ukrainian rivals, according to Dawn Cappelli, vice president of global security and CISO at Rockwell Automation.
"NotPetya was launched by Russia and targeted at organizations in Ukraine, but it ended up impacting businesses, including industrial control environments, around the world," Cappelli said.
Vigilance is necessary in the face of increased threat activity from Russia directed at Ukraine, she said.
NotPetya cost A.P. Moeller-Maersk, one of the world's largest shipping companies, about $300 million. The attack disrupted operations at 76 ports around the world, including operations in the Netherlands, Spain and Los Angeles. The company had to quickly reinstall more than 4,000 servers, 45,000 personal computers and 2,500 applications.
Maersk declined to comment on any specific measures they are taking in response to the current warnings, but confirmed the company more generally takes steps to keep its systems up to date.
"We continue to audit our cybersecurity maturity both internally and with external specialists so we can properly benchmark our programs and ensure we achieve and sustain business advantage," a Maersk spokesman said via email.
Threat history
Most of Russia's offensive operations against Ukraine since 2014 are linked to a threat actor named Voodoo Bear, an organization likely controlled by the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation, according to CrowdStrike.
Early attacks between 2014 and 2016 relied on custom-delivered malware, often combining BlackEnergy malware with the KillDisk wiper. Targets included energy providers, media outlets and state-owned financial institutions, according to CrowdStrike.
By 2017, attackers deployed Filecoder.NKH through a supply chain compromise of a Ukrainian IT firm. They also deployed XDATA and NotPetya through updates to M.E. Doc, accounting software used by many firms in Ukraine.
Adam Meyers, senior vice president of intelligence at CrowdStrike, said he doesn't know if Russia is targeting western entities with a direct wiper attack, but cautioned in an email: "CrowdStrike assesses that the potential for a cyber component to increasing hostilities is very likely, but we believe the impact to the West would be the result of collateral damage, not a directed attack."
Russian Foreign Minister Sergey Lavrov reportedly threatened retaliatory measures if the West continued its aggressive steps and failed to meet Russia's security demands, including its opposition to Ukrainian membership in NATO.
Asked how the U.S. would respond to such threats if they involved a cyberattack, White House Press Secretary Jen Psaki said there was no current information about an imminent threat against the U.S., speaking at a Jan. 26 daily briefing.
The U.S. is prepared for such a threat from any source, Psaki said, and has a series of tools to respond.
The Information Technology Information Sharing and Analysis Center (IT-ISAC) has been monitoring the recent cyber incidents in Ukraine, said Scott Algeier, executive director of the organization, which represents more than 125 companies in the IT, food and agriculture, and elections sectors.
The group shares information on threat intelligence and reports regularly on nation-state actors that engage in supply-chain attacks, disrupt critical infrastructure and use cyber to steal core intellectual property.
"We need to prepare for the real possibility that the techniques being used against Ukraine will be used against the U.S. and others," Algeier said. "Even if their goal is to confine a cyberattack to within the Ukraine, given the interconnected nature of networks, malware can escape the specific target and spread globally quickly."