White House Denies Mulling Cyber Strikes on Russia
Press Secretary Says NBC News Report Is 'Off Base'
NBC News reported on Thursday that President Joe Biden has been given a menu of options for conducting offensive cyber strikes against Russia. But the White House press secretary says it is "off base and does not reflect what is actually being discussed in any shape or form."
According to the report, options include disrupting internet connectivity inside Russia, targeting the country's electric grid and hacking into its rail lines. The actions, sources told NBC News, could be preemptive. There are no named sources in the story, and NBC News characterized its sources as "two U.S. intelligence officials, one Western intelligence official and another person."
But White House Press Secretary Jen Psaki tweeted that the report was off the mark.
This report on cyber options being presented to @POTUS is off base and does not reflect what is actually being discussed in any shape or form.
— Jen Psaki (@PressSec) February 24, 2022
NBC News reported that the sources say the cyber actions would be meant to disrupt, not destroy, and thus would not constitute an act of war against Russia. It is likely, they add, that the U.S. would not publicly acknowledge such operations. Affiliated agencies, they say, could include U.S. Cyber Command, the National Security Agency, the Central Intelligence Agency and others.
Stark Warnings
This week, cybersecurity officials continued to warn against cyberattacks that would precede any kinetic strikes. Then on Wednesday, several government ministries were hit with a widespread DDoS attack, the second such attack in just days, and new data-wiping malware was discovered on hundreds of devices on Ukrainian networks (see: Cyberattack Hits Ukrainian Government, Banking Websites).
Amid these developments, global cyber officials, technologists and industry watchers continue to urge U.S. and EU organizations to keep their "shields up" against prospective Russian-aided attacks - comparable to the one that struck Colonial Pipeline in May 2021.
On Thursday, U.S. Cybersecurity and Infrastructure Security Agency Director Jen Easterly tweeted: "While there are no specific threats to the U.S. at this time, all orgs must be prepared for cyberattacks, whether targeted or not."
This echoes language issued by Easterly and her team in mid-February that stated: "The Russian government understands that disabling or destroying critical infrastructure can augment pressure on a country's government, military and population" (see: CISA Warns Orgs to Prep for Potential Russian Cyberattacks).
Ukraine at War: Context
Overnight on Wednesday, following a fiery speech from Russian President Vladimir Putin and an equally combative exchange between Sergiy Kyslytsya, Ukraine's ambassador to the United Nations, and Vasily Nebenzya, Russia's ambassador to the UN, at an emergency meeting of the U.N. Security Council, Moscow leveled its air, land, sea and cyber campaign against its Western neighbor - almost immediately shelling its capital city, Kyiv. Putin threatened any nation that intervened in what he called a "peacekeeping mission."
This coincided with malicious cyber activity, including Wednesday's DDoS attacks. The timing aligned with U.S. intelligence reports suggesting that Russia-linked cyber offensives could spread before its military maneuvers.
And according to a new blog post by the Photon Research Team at the firm Digital Shadows, the wiper malware since detected on Ukrainian networks - dubbed HermeticWiper - was deployed from Windows domain controllers, hinting that access may have been gained some time prior.
The cyber and kinetic escalation incited significant sanctions from multiple NATO member-states. In a press conference on Thursday, Biden announced additional financial sanctions against Moscow. He did not, however, declare a Russian exclusion from the SWIFT banking system, which executes financial transactions between banks worldwide.
The president also said: "I repeat the warning I made last week on Russia pursuing cyberattacks against our companies, our critical infrastructure. We are prepared to respond … [and] we've been working closely with our private sector partners to harden their cyber defenses and sharpen our ability to respond to Russian cyberattacks as well."
The conflict has roots in Ukraine - which gained its independence at the fall of the Soviet Union in 1991 - seeking admittance into the intergovernmental military alliance NATO. Putin had demanded that Ukraine renounce such plans and ordered NATO to remove its troops from Eastern Europe - terms NATO rejected.
'Cyber Could Extend Out of Ukraine'
According to the Digital Shadows team, "[Russian] cyberattacks could [now] extend out of Ukraine, and impact NATO and EU member states; [which] has already been observed with 'Hermetic Wiper' impacting networks in Latvia and Lithuania."
The researchers warn that "it is also realistically possible that the financial services, energy, and oil/gas sectors in particular are under an increased risk. Targeting oil and gas in Europe, for example, could … cause concern among nation-states dependent on Russian energy."
Researchers say that cybercriminals based within Russia's borders may now be emboldened or encouraged by Putin's actions, too. They say that "despite recent Russian crackdowns against cybercriminals, they may deem NATO-based targets, or organizations based in NATO countries, as viable."
Rick Holland, a former intelligence analyst for the U.S. Army and current CISO at Digital Shadows, tells ISMG: "If [subsequent] sanctions are severe enough, it is reasonable to expect an escalated Russian cyber response. … [And] no matter what the new sanctions look like, Russian social media disinformation campaigns will continue, further dividing the partisan U.S."
Unprecedented Cyber Steps?
Other cybersecurity experts have also continued to sound the alarm.
"This invasion … means the scope of cyber operations will be much larger than historically seen," says John Bambenek, principal threat hunter at the firm Netenrich. "It is also hard to see how this conflict doesn't lead to other flashpoints outside of Ukraine."
Dave Klein, director and cyber evangelist at the firm Cymulate, says he expects cyberattacks to spread abroad.
"There is a real possibility that attacks on critical infrastructure and private and public entities in the West could occur in response to sanctions," he says. "We recommend that enterprises be vigilant."
Bojan Simic, a former hacker and current CEO of the security provider HYPR, says enterprise security teams need to cover the basics, such as resetting passwords and activating phishing-resistant multifactor authentication as soon as possible. Other experts recommend close log monitoring, implementation of strict access controls, regular patching, ensuring internal/external incident response teams are in place and using cyber resources provided by government agencies.
Tony Cole, CTO of Attivo Networks and a retired cyber operator from the U.S. Army, says: "Previous ground gained in pushing the Russian government to shut down criminal ransomware gangs … will likely evaporate, and it's possible those same gangs will be encouraged to increase their illicit activity."