During an Aspen Institutepanel last Friday, federal and private-sector cybersecurity experts discussed how Russia may use cyber threats and misinformation against Ukraine and its allies and how U.S. organizations should prepare.
As of the Feb. 18 discussion, Russia had not made any “specific, credible threats” against the U.S., but organizations should still seize the moment to get their defenses and resiliency plans in order, said Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly.
“Threats to our digital infrastructure are, of course, not bound by national borders,” Easterly said. “Our networks and our critical infrastructure are integrated into a larger global cyber ecosystem, which means that we all need to be ready. As I like to say, ‘Shields up.’”
RUSSIAN CYBER STRATEGIES
Russia’s cyber attacks against Ukraine appear intended to not only disrupt critical operations but also undermine public confidence in the government’s ability to keep them safe.
Organizations and resources with military and economic significance may be the most obvious targets, but they aren’t the only ones. Another key strategy is to incite panic among residents by hitting targets that have a lot of public visibility, said Sandra Joyce, head of global intelligence and executive vice president at cybersecurity firm Mandiant.
Last week, a distributed denial of service (DDoS) attack disrupted websites for two state-run banks and several government websites. The U.S. credited this attack to Russia.
The DDoS attack was quickly followed up by SMS messages sent to bank customers telling them that financial institutions were offline. These messages exacerbated the DDoS problem by prompting customers to check the sites — adding yet more traffic — and sparking fear among residents, Joyce said.
Lin said Russia might aim cyber attacks at hospitals to make residents more afraid to fight or remain in the country, based on the fear that they wouldn’t have access to medical care should they be injured.
MISINFORMATION WARS
Russia will likely want to attack Ukrainian newspapers to muddy information, Joyce said.
Such a move would probably help false narratives flourish.
Misinformation is a major concern for Ukraine and its supporters. Already, hackers believed to be backed by Russia have pushed false narratives to sow divisions between Ukraine and NATO, Joyce said.
The U.S. can anticipate being targeted by misinformation, disinformation and malinformation (MDM) as well. MDM campaigns would in all likelihood strive to “bias the development of policy and undermine the security of the U.S.,” Easterly said.
CISA released a resource on Feb. 18 intended to help critical infrastructure owners and operators identify foreign influence campaigns and reduce their impact. The guide includes steps like advising staff to better secure access to their social media accounts, monitoring for suspicious indicators like sudden surges in online followers or mentions and considering how to field questions from media and inform authorities in the case of a false narrative.
The federal government has also changed its strategy and begun more quickly declassifying intelligence about Russian false-flag disinformation efforts — something Joyce said is key for timely debunking.
RANSOMWARE?
As countries guess what Russia’s next moves will be, experts are aware of Russia’sransomware capabilities. Criminal gangs have been operating in the country for years, honing their skills, noted former CISA director Chris Krebs.
Russia’s recent arrest of several REvil members should be taken as a veiled threat, Krebs and Lin said. The move aims to remind the world that Russia has skilled hackers at its disposal and can mobilize them as easily as it can arrest them.
“What Russia has done is it’s pointed out, ‘Hi, we have these people, and we can control them. We can turn them on, or we can turn them off,’” Lin said.
GETTING CYBER READY
CISA is urging U.S. organizations to prepare for the possibility that Russia launches cyber attacks against the U.S. Getting defenses and response strategies in order now will also ensure that — even if no threats emerge this time around — organizations are prepared for the next cyber emergency down the line.
“Don’t let a good crisis go to waste,” Krebs said.
Easterly asked private firms to promptly report incidents to federal agencies, so that CISA has the details it needs to see threat patterns. When it’s uncertain if an incident is significant enough, companies should err on the side of over-reporting as opposed to the alternative.
“Organizations need to lower their thresholds for escalating anomalous activity and sharing that information with the government,” Easterly said. “This is crucial because we all recognize that early warnings of a cyber attack affecting U.S. organizations are frankly very likely going to be identified by a private company first.”
CISA has released several resources, including guides designed for executive-level leadership, technical advice for critical network defenders about known Russian tactics and techniques and a Shields Up website explaining steps all organizations should take to boost their cyber postures.
CISA and private cybersecurity firms that participate in the agency’s Joint Cyber Defense Collaborative (JCDC) are also offering free tools and services, Easterly said. The offerings, which include antivirus software and vulnerability assessment solutions, are aimed at critical infrastructure owners and operators and state and local governments.