IoT, ICS, and OT security should be your highest priority if you are a professional working in at least one of the sixteen critical infrastructure sectors. The United States is currently on high alert after a joint advisory issued by four different agencies covering three different countries, a cautionary alert on the rising number of ransomware attacks, and the latest alert raised by CISA on February 14th, 2022, warning all businesses, small, mid-sized and enterprise alike, to stay on their guard (“Shields Up”).
On the 26th of February, two days after the official announcement by the Russian president indicating his intentions toward Ukraine, the Department of Justice (DOJ) and the Cybersecurity and Infrastructure Security Agency (CISA) jointly issued a cybersecurity advisory on two destructive malware strains, WhisperGate and HermeticWiper, that are currently being used to target organizations in Ukraine and Europe.
Countries in North America, the Middle East, and the Asia Pacific have faced persistent cyber-attacks for a long time, and in light of the escalating Ukraine crisis and geopolitical tensions, the number of cyberattacks continues to grow significantly. Considering the added layer of involvement of certain countries in the Russia–Ukraine crisis, we have analyzed a few key attack surfaces in critical infrastructure that are easily targeted:
- Exploiting existing vulnerabilities
- Stealthy reconnaissance attacks
- Persistent attacks by Botnets
- Sophisticated APT on Critical Infrastructure sectors
- Ransomware attacks on businesses regardless of size
Why will such cyberattacks continue to rise amidst the Ukraine crisis?
This is a question you already know the answer to. A long-drawn battle against an old enemy has continued since the end of the Cold War, but this time it is online: a hybrid, tactical cyber warfare in which the enemy has the added advantage of the skillset gained from past attacks. Kudos to you if you guessed the country we are talking about. For everyone else, it is Russia.
Both in the past and in the digital era, Russia has extensively leveraged tactical cyber warfare to add pressure, whether through disruption or permanent damage: a cryptographic lock via ransomware, damage to health and safety by disabling safety instrumented systems (SIS), or even a complete system override and shutdown of critical infrastructure operations in the energy and telecommunications sectors. Such attempts have proven effective in swaying and accelerating the decisions of a nation’s government, military, and even its general population, which fits the Russian agenda.
Such events stay out of the limelight, as most organizations do not want to admit to a security failure or a lack of security measures. With attacks brazenly targeting organizations regardless of size or affiliation, all organizations globally must recognize the looming threat and take immediate action to safeguard themselves.
As immediate steps, here are a few measures you can take to safeguard against cyberattacks:
- Enable multi-factor authentication (MFA) organization-wide and ensure that passwords are reset frequently
- Ensure that software used organization-wide is updated with the latest available security patches. Doing this limits the lateral movement of malware
- Conduct rigorous and regular vulnerability audits and drills to identify gaps in your security
- Raise awareness with your immediate clients and partners so that they heighten their security measures, as supply chain attacks such as the infamous SolarWinds attack have been witnessed in the past
- Maintain complete visibility of your network, logging the devices that are connected to and actively using your network
- Monitor any abnormal behaviour of the devices connected to your network and raise red flags for immediate investigation
- Segment your network and comply with industrial compliance mandates. Read more about Sectrio’s Microsegmentation module
- Re-check and rework your remediation and mitigation playbooks to ensure that you are taking an updated approach during an incident
- Isolate traffic from unverified sources that is deemed suspicious for deeper monitoring
- Build and assign resources to incident response teams. Ensure that your resources and SOC teams are not fatigued from overworking
- Build substitute teams if you are not operating at an optimal level
- Ensure that you comply with frameworks and regulations such as the NIST CSF, IEC 62443, Zero Trust, and other compliance mandates that apply to you. Head over to the compliance kits section on the website to get started
- Self-assess your preparedness for a cyber incident and conduct mock drills
- Work with actionable threat intelligence that can help you assess your cyber threat landscape
- If you do not have access to threat intelligence feeds, do not trust OSINT, as it can often mislead your teams. Go for a credible and trusted source. Read the CISO guide to selecting the right threat intelligence vendor if you are unsure what is best for your organization
- Subscribe to the latest updates from trusted sources that you can rely on. Sectrio is currently offering free weekly subscriptions to key personnel who opt in
- Working with a small cybersecurity budget can be extremely difficult, and not all organizations get the same budget as industry leaders. Leverage threat landscape reports to raise awareness within the organization and make the case for a higher cybersecurity budget. Read our guide to deriving a higher cybersecurity budget and improving its ROI
- Understand organizational dynamics and align your goals for a secure environment
- Understand the complexities involved in integrating IT, IoT and OT technology, as each brings its own challenges
- Organizations undergoing a digital transformation must take extra precautions, and it is often better to opt for a security tool that provides the necessary visibility and detailed analysis of converging technologies without overburdening your SecOps teams with branded jargon
- Always document and log changes to your systems; this will help you in forensic analysis and in identifying gaps
These 20-plus guidelines will help you head in the right direction for improved resilience and cyber vigilance.
Why can the escalating Ukraine crisis be a new frontier for APT actors?
In the past, we have witnessed APTs with ties to Russia and other countries inflict maximum damage by exploiting known vulnerabilities using spear-phishing, brute force, and sophisticated malware. Such instances will go down as lessons that can be learned by analyzing these attacks.
A few examples from the past are insightful to look at:
- The APT attack on U.S. SLTT (state, local, tribal, and territorial) governments and the aviation industry. This attack, initiated in early September 2020, lasted until the end of the year, with the attackers moving through the network and ultimately stealing sensitive information and data held by the victims.
- The APT attack on the global energy sector. This was a long-drawn campaign that persisted for more than seven years, involving multi-stage intrusion campaigns, social engineering, and ICS-specific malware. The damage inflicted led to a significant loss of data, including highly confidential information on Industrial Control Systems (ICS) and much more. The attackers are also reported to have stolen data from enterprises affiliated with the global energy sector at the time.
- The APT attacks on Ukrainian critical infrastructure (2015-2016). Given Ukraine’s proximity to Russia, the severity of these attacks was proportionally disastrous, leading to complete system takeover by the threat actors on multiple occasions. Malware designed to bring down national power grids was used during these attacks. Malware was also deployed to corrupt infected systems, ultimately rendering them completely inoperable. Ukraine has been a continuous victim of such attacks.
Such instances prove that nationwide advisories must be taken seriously, as these attacks can have cascading impacts on the victim’s economy, critical infrastructure, and businesses.
The Ukraine crisis marks a new frontier, as state-sponsored attacks now target organizations regardless of size, affiliation, or relevance. This multi-front tactical warfare has raised alerts up to the highest office in the nation.
We also expect rising threats from emerging APT clusters appearing across nations in times such as these, adding further fronts to a multi-pronged war. Such instances have already taken place in light of the crisis. Recently, a known hacker group declared cyberwar on Russia; this will be extremely dangerous, as new vulnerabilities are expected to be dumped on the dark web for extensive use by emerging clusters of cyber warriors. In addition, rogue clusters are also expected to play their part in this exploitation, marking a new frontier for emerging and sophisticated APT actors.
We urge all to stay extremely vigilant and cautious in the days ahead.
For more informational content, subscribe to our weekly updates and be notified of the latest. We promise not to spam you!
Try our rich OT and IoT-focused cyber threat intelligence feeds for free, here: IoT and OT Focused Cyber Threat Intelligence
Planning to upgrade your cybersecurity measures? Talk to our IoT and OT security experts here: Reach out to sectrio.