
Is a Russian Cyberattack Imminent?


Dale Shulmistra

Data Protection Specialist @ Invenio IT


Even prior to Russia’s invasion of Ukraine, U.S. officials have repeatedly warned that Russia may launch a cyberattack against its adversaries around the world. Now, military intelligence suggests this threat is greater than ever.

The White House recently released a statement warning that “There is now evolving intelligence that Russia may be exploring options for potential cyberattacks.”

But what would such an attack look like? And how should organizations protect themselves?

We can glean a lot about Russia’s potential actions by looking at its previous attacks, which have included everything from ransomware to targeted spear-phishing campaigns.

In this post, we take a closer look at the threat of a Russian cyberattack against the U.S. and how to bolster your security.

U.S. warns of Russian cybersecurity threat

Let’s start by looking at what the government’s warning actually says.

Right off the bat, the White House’s official statement urges that organizations should “Act now to protect against potential cyberattacks” from Russia. It further warns of the likelihood that Russia will “engage in malicious cyber activity against the United States” in response to economic sanctions imposed on Russia in the wake of its invasion of Ukraine.

The statement doesn’t necessarily mention specific types of likely attacks. However, it does allude to previous measures that the government has already implemented to “shore up the cybersecurity of the electricity, pipeline, and water sectors” and “detect and disrupt ransomware threats.”

Why is the private sector especially at risk?

Despite the cybersecurity measures that the U.S. is implementing to protect public systems, the White House makes it clear private businesses are still at risk.

“The reality is that much of the Nation’s critical infrastructure is owned and operated by the private sector,” the statement says. “The private sector must act to protect the critical services on which all Americans rely.”

The statement goes on to urge companies to follow a list of cybersecurity steps. We outline each of these steps individually below, but the core guidance focuses on hardening defenses and maintaining secure offline data backups in case of an attack such as ransomware, which renders PCs and servers unusable by encrypting their data.

‘Deeply troubling’ vulnerabilities

In the White House briefing on March 21, Deputy National Security Adviser Anne Neuberger reiterated the urgency of the statement, emphasizing that a Russian attack could be targeted on “critical infrastructure” in the United States.

Neuberger noted that there is “no certainty of a cyber incident,” but she stressed that it is the responsibility of businesses to strengthen their security now, based on the latest threat intelligence. She emphasized that the majority of critical infrastructure in the United States is owned and operated by the private sector, and that is where the vulnerabilities exist. And, despite the fact that patches are available for many known vulnerabilities, companies continue to be compromised. “This is deeply troubling,” Neuberger said, urging organizations to “take immediate action.”

In addition to the cybersecurity steps outlined in the White House’s official statement, she referred businesses to CISA’s Shields Up campaign, which provides more extensive guidance in addition to the latest updates on threats.

Russia’s history of cyberattacks

A Russian cyberattack against U.S. entities certainly wouldn’t be a first. Russia has an extensive track record of infiltrating its adversaries’ systems to cause political disruption, panic or simply to flaunt its cyber capabilities to the world.

One of the most well-known examples was the 2017 NotPetya ransomware attack, which initially targeted Ukrainian infrastructure (but ultimately hobbled IT systems around the world). The attack happened just one month after the global WannaCry attack. Together, these attacks ushered ransomware into the mainstream, and within the following years, it would become the single most destructive cybersecurity threat to businesses.

Like WannaCry, NotPetya exploited known vulnerabilities in older versions of Windows. The attack caused havoc on a wide swath of Ukrainian businesses, utilities, banks, media organizations and other entities.

Recent notable malicious cyber activity attributed to Russia

The NotPetya attack is just one of several cybersecurity incidents involving Russian state actors over the last few years. Here is some of the more notable cyber activity that has been attributed to Russia, either via the country’s own agencies or state-sponsored groups:

When | What | Outcome
--- | --- | ---
April 2015 | White House computers compromised | Russian infiltration of “sensitive parts of the White House computer system,” deemed by intelligence agencies as one of “the most sophisticated attacks ever launched against U.S. government system”
December 2015 & 2016 | Ukraine power grid hacked | Russian hackers used a trojan to compromise 3 Ukrainian energy distribution companies, causing power outages for roughly 230,000 customers
December 2016 | Ukraine State Treasury attacked | State Treasury systems were halted by a Russian cyberattack lasting several days, disrupting payments to state workers
Summer 2015-2016 | Cyberattack against U.S. Democratic National Committee | Russian infiltration and theft of DNC data, including emails of prominent DNC members and politicians, as well as presidential candidate Hillary Clinton
June 2017 | NotPetya ransomware attack | Ransomware attacks targeted against Ukraine’s government and businesses; infections spread globally, but an estimated 80% were in Ukraine
March 2018 | U.S. energy sector infiltrated | Russian “intrusion campaign” leveraged malware and spear-phishing to infiltrate more than a dozen U.S. power plants, water processing hubs and other government facilities
September 2019 | SolarWinds attack | Russian hacking group suspected of breaching a top cybersecurity firm and several U.S. government agencies, including the Treasury, Dept. of Commerce, Dept. of Energy and the National Nuclear Security Administration
February 2022 | Ukrainian government & banks disrupted | DDoS attacks knocked offline websites for Ukrainian government and financial institutions as Russia’s military invaded the eastern regions of Ukraine

It’s worth noting that Russia typically denies responsibility for these attacks, even when they’re traceable to specific state-sponsored groups like “Cozy Bear,” which has been repeatedly linked to Russia’s Federal Security Service.

Additionally, both Ukraine and the United States have launched their own share of cyberattacks in retaliation, such as the 2019 infiltration of Russia’s electrical grid by the United States Cyber Command.

Is an attack already underway?

Typically, the most devastating and widespread attacks don’t unfold gradually over time. They hit all at once, like a bomb. But this means that significant groundwork must be laid beforehand. This may be how major attacks like WannaCry and NotPetya were launched: they seemed to “detonate” simultaneously at different organizations and then spread outward from each of those networks.

If Russia is planning a major cyberattack against the U.S. or other nations, then it is likely already laying the groundwork. Indeed, there is already evidence that this is happening.

Warning signs of a forthcoming Russian cyberattack

We may not have access to the “evolving intelligence” that U.S. officials are warning about, but it’s no secret that Russia’s cyber activity has ramped up since the invasion of Ukraine. Groups like the Center for Strategic and International Studies (CSIS) are actively tracking recent incidents that could be a sign of more attacks to come.

Such activity has included:

  • As recently as February, Russian state-sponsored hackers infiltrated numerous U.S. defense contractors, accessing emails and sensitive data relating to the organizations’ export-controlled products, proprietary information and communication with other governments. Attacks like these have been happening since January 2020.
  • Also in February, a ransomware strain associated with a Russian hacking group was deployed to disrupt energy companies and oil terminals in some of Europe’s biggest ports across Belgium and Germany.
  • In January, the Canadian Foreign Ministry was breached, hampering some of its internet-connected services. The attack was believed to be conducted by Russian hacking groups. In fact, the incident occurred only one day after Canada issued a warning about the potential for “Russia-based cyberattacks on critical infrastructure.”
  • Last November, a Russian hacking group infiltrated private email accounts and accessed financial details and personal information for about 3,500 individuals, which included government officials and journalists.
  • In October, an American company revealed that it had evidence that Russia’s Foreign Intelligence Service had launched a campaign targeting technology providers that deploy and manage cloud services.

To be clear, it’s not definite that all these incidents are connected. Also, there’s not always enough evidence to confirm that these attacks are state-sponsored, even if they appear to originate in Russia. Still, these incidents help to provide context to the current geopolitical environment, and at the very least they show that malicious cyberactivity is constantly happening.

How can businesses protect themselves?

Below, we break down each of the cybersecurity steps currently recommended by U.S. intelligence. But from a high-level perspective, these instructions fall into three evergreen layers of protection that we recommend for every organization:

  • Harden cybersecurity defenses, such as network security, antimalware protection, etc.
  • Back up data constantly and test backups to ensure they are viable
  • Educate employees on safe email / Internet practices, how to spot phishing attacks, etc.

Together, these three core strategies go a long way to thwarting cyberattacks and ensuring a quick recovery if a successful attack occurs.

Here are the specific recommendations that officials say businesses should implement “with urgency.”

1) Implement MFA

“Mandate the use of multi-factor authentication on your systems to make it harder for attackers to get onto your system.”

Multi-factor authentication drastically reduces the risk of hackers infiltrating your systems by requiring users to confirm their logins on a secondary device. Even if login credentials have been stolen, hackers won’t be able to gain access unless users’ secondary devices have also been compromised.

2) Update cybersecurity software

“Deploy modern security tools on your computers and devices to continuously look for and mitigate threats.”

This instruction is somewhat generalized, but the underlying point is to make sure your systems are actively scanned for malware. This includes antivirus software, which should actively detect and contain malware on all your servers. Routine scans should also be performed on all endpoint devices, in addition to active detection for email and web browsing.

3) Patch & apply updates

“Check with your cybersecurity professionals to make sure that your systems are patched and protected against all known vulnerabilities.”

When vulnerabilities are publicly known, hackers try to exploit them almost immediately. Leaving your software and operating systems unpatched is reckless. Organizations must apply updates and patches as soon as they become available. Additionally, U.S. officials advise businesses to change all passwords across their networks to eliminate the risk of hackers accessing systems with stolen credentials.

4) Back up data

“Back up your data and ensure you have offline backups beyond the reach of malicious actors.”

Having dependable data backups is critical. This is especially important given the risk of ransomware, which we know is a favored weapon in Russia’s arsenal. Leading BC/DR solutions from Datto allow you to back up your data as often as every 5 minutes and recover systems instantly with virtualization.

5) Conduct recovery drills & tests

“Run exercises and drill your emergency plans so that you are prepared to respond quickly to minimize the impact of any attack.”

Test your disaster recovery protocols to ensure they are effective. This can include tests of your actual backup systems (such as data restore tests), as well as the procedures that personnel should follow during an attack.

6) Encrypt data

“Encrypt your data so it cannot be used if it is stolen.”

Unencrypted data is an accident waiting to happen. By encrypting data “at rest,” you prevent attackers from accessing your sensitive files (and holding them hostage). For added protection, your data backups should also be encrypted, both at rest and “in transit” to storage, whether on-site or in the cloud.

7) Train employees

“Educate your employees on common tactics that attackers will use over email or through websites.”

Routine employee education can help to reduce the risk of successful phishing campaigns and malware infections via bad email attachments and links. Users should be taught what to look for and how to respond, especially if their devices are unexpectedly crashing or behaving strangely.

8) Reach out to federal authorities

“Engage proactively with your local FBI field office or CISA Regional Office to establish relationships in advance of any cyber incidents.”

For years, U.S. officials have advised businesses to alert their local FBI field office if they experience a ransomware attack. Now, they recommend initiating this communication prior to an attack. Initial communication can help to identify a specific contact at these agencies who can provide preventative guidance and assistance during an attack. Ideally, this contact information should be included in your disaster recovery plan.

9) Follow additional Fed guidance

The guidance above is only a short list of the highest-priority action steps recommended in the White House’s statement. We recommend visiting cisa.gov/shields-up for more extensive instructions for IT teams and corporate leadership. As CISA warns, “Every organization—large and small—must be prepared to respond to disruptive cyber incidents” in the wake of Russia’s invasion of Ukraine.

Frequently asked questions

1) How do we know Russia will launch a cyberattack?

In short, we don’t. However, we know that Russia has a long history of using cyberwarfare to support its geopolitical objectives, some of which are outlined above. Cybersecurity experts have long warned of a potential Russian cyberattack during the invasion of Ukraine. On March 21, 2022, the U.S. government issued a statement that Russia may now be “exploring options” for such an attack.

2) What kind of cyberattack will Russia use?

U.S. officials haven’t explicitly said what kind of attack the Russian government may be planning, but they frequently refer to ransomware as a threat to prepare for. Ransomware and other forms of malware can be delivered in several ways:

  1. By exploiting known vulnerabilities on unpatched systems
  2. Through malicious emails that contain infected attachments or links to infected websites
  3. Via social engineering campaigns that deceive users with fake emails and websites that steal their credentials

These same techniques are used to launch cyberattacks of all kinds, with different end goals: data theft, operational disruptions / outages and so on. This is why preventative strategies, such as patching and employee training, are so important.

3) Who will be affected by a Russian cyberattack?

So far, U.S. officials point to businesses as the most likely targets. But as we’ve seen from other large-scale incidents, an attack on a large organization can have an outsized impact on individuals as well. Attacks on healthcare systems and utility companies are just a few examples.

The White House has emphasized that “much of the nation’s critical infrastructure is owned and operated by the private sector.” While it doesn’t provide specifics, some news sources say that potential targets include banking systems, electrical grids and mobile networks.

Conclusion

The U.S. government has warned that Russia may conduct a cyberattack against the U.S. in retaliation for recent economic sanctions. While it is not certain if it will definitely occur, the fact remains that cyberattacks happen every day, all over the world. Businesses must be proactive in strengthening their cybersecurity to prevent the risk of an attack that significantly disrupts operations.

Get more information

Is your organization protected against the risk of a major cyberattack? Contact our experts at Invenio IT to learn more about hardening your defenses with advanced BC/DR systems and other IT solutions. Request a free demo or contact us today by calling (646) 395-1170 or by emailing success@invenioIT.com.
