I’m sitting here in the departure lounge, about to head out to a conference for a few days. My plan was to write more about QR codes and how vulnerable we are to attacks from malicious actors using QR codes. However, I thought I should write about a topic that’s a little more pressing and not receiving much coverage right now.
What thread pulls the shipping company Maersk, “Shields Up” and Russia amassing troops on the border of Ukraine all together?
On Friday, CISA issued a “Shields Up” advisory warning. CISA is the Cybersecurity and Infrastructure Security Agency, a department of the US government created to manage and reduce the risk to the US cyber and physical infrastructure. It’s a tall order for one agency. When they issue an alert like they did, it should get some notice. Given that last weekend was the “Big Game” and there is a lot of other stuff going on in the news, the CISA warning didn’t make it on to most major news outlets prime time segments.
There is reporting that should be surprising to no one who is paying attention to the fact that Russia is deeply embedded in the Ukraine environment, specifically in the network infrastructure and systems that run the country. Looking way back to 2015 and 2016 we have examples of when Russia literally turned the lights out in Ukraine. Then, in 2017 Russia launched an attack on Ukraine that looked like a ransomware event but didn’t ask for any ransom. The attack was designed to bring the government workings of Ukraine to a grinding halt. It worked.
That attack broke out of the Ukraine region and ended up taking down Merck, Maersk, a FedEx subsidiary and hundreds of other US based companies.
The date of that attack was June 27, 2017. The Cybersecurity community looks at attacks that cluster around US holidays (see the Kaseya hack from 2021 on July 2) as opportunistic attacks taking place when staffing will be lowest, thus inflecting the most damage on US companies. The question came up on many emergency calls, “Was this a directed attack on US and US companies?”.
Maersk wound up having to reinstall over 4000 servers as a result of the attack. Operations ground to a halt for the businesses that got hit. The event ended up being another “warning flare” of how susceptible the Cyber Infrastructure is worldwide to rogue attacks, and not specifically directed at US companies.
Except this wasn’t a rogue attack.
This attack was targeted at Ukraine (based on markers and indicators used to install the malicious code) that broke free in the wild and attacked past it’s intended target area. The move is widely seen as Russia flexing its cybermuscle and looking to impact and intimidate Ukraine.
So back to the CISA “Shields Up” warning. Vladimir Putin stated that if the United States gets involved in Russia’s business in Ukraine, a red line would be crossed, and there would be consequences.
In this latest iteration of cyberwarfare, Russia has already been attacking Ukraine systems, taking government, utility and some banking systems offline, either to soften military targets or to stoke panic in the population. There is concern that similar cyberwarfare will come directly at the US as part of the military involvement between Russia and Ukraine, especially as the US and NATO deploy troops to the area.
In the recent past, Russia has probed and tested access to US nuclear energy plants with some success. The US electrical grid systems have also been affected. Of course, there has already been a major, proven hack to a trusted and nearly ubiquitous software product (the SolarWinds Orion attack from last year), where most US Federal agencies were compromised and over 400 Fortune 500 companies were affected. To this day, there is not 100% certainty that all the issues from that infiltration have been successfully removed and cleaned up.
CISA offers some key tips to protect businesses:
- Validate that all remote access to the organization’s network and privileged or administrative access requires multi-factor authentication.
- Ensure that software is up to date, prioritizing updates that address known exploited vulnerabilities identified by CISA.
- Confirm that the organization’s IT personnel have disabled all ports and protocols that are not essential for business purposes.
- If the organization is using cloud services, ensure that IT personnel have reviewed and implemented strong controls outlined in CISA’s guidance.
- Sign up for CISA’s free cyber hygiene services, including vulnerability scanning, to help reduce exposure to threats.
As I’m preparing to board a plane to meet colleagues and discuss business strategy and planning, I am thinking a lot about all the contingency plans we have in place and how many more we need.
Stay safe out there.