Cybersecurity considerations: War in Ukraine


Authored by RSM US LLP

Since the start of the war, Russia has continued its invasion of Ukraine using a hybrid of both physical and cyberattacks. As Russia continues to ramp up attacks and sanctions escalate against the country, organizations must remain on high alert for cyberattacks. For example, in the United States, the Cybersecurity and Infrastructure Security Agency has warned that every organization is at risk from cyberthreats that can disrupt essential services and potentially result in impacts to public safety from Russian actors, nonaffiliated groups (state or organized) or hacktivists who are taking advantage of the situation.

What to expect from Russian cyber actors

Russian cyber actors have a history of targeting critical infrastructure entities with targeted attacks. Financial and health care institutions have long been the subject of focused cyberattacks, and successful attacks on defense contractors have increased in recent years.

Russian cyber actors continue to use common tactics to gain access to networks in several ways, including:

  • Spear phishing
  • Credential harvesting
  • Password spray techniques/brute-force attacks
  • Known vulnerability exploitation

In addition to data exfiltration attempts, organizations should be on heightened alert for other types of destructive attacks, such as ransomware, distributed denial of service (DDoS) and destructive malware. Cyber actors have already demonstrated these types of attacks during the current conflict in Ukraine, where data-wiping malware was found on hundreds of Ukrainian machines, wiping the affected systems' master boot record, and a wave of DDoS attacks continues to target the Ukrainian government and banking services.

How to respond

Organizations, regardless of size, should remain on heightened alert of retaliation from cyber actors from within Russia, as well as others who may take advantage of the situation, and organizations should ensure implementation of key defenses. RSM recommends that organizations focus on resilience when defending against these types of attacks. The recommendations include standard defense-based solutions combined with a clear line of sight into the indicators within your environment. The following outline includes examples of business-focused activities, along with strategic and tactical defenses that can reduce the risk of having a severe impact from a targeted attack. In addition, organizations should adopt a risk-based posture that evolves with the changing threat landscape.

  • Cyber resiliency—have an established business continuity plan that includes defined roles and responsibilities. In addition, maintain an inventory of systems and their established criticality, allowing for decisions to be made by prioritization. Review or develop playbooks for warzone operations and identify means to provide surge support for responding to an incident. Conduct a tabletop exercise to confirm that all participants understand their roles and responsibilities and test backups for critical assets.
  • Crisis communications—have established internal communication procedures, including consistent expectations of regular updates and rapid messaging to employees during a crisis. External communications should focus on brand protection, engaging with a public relations firm with international experience if necessary.
  • System and software updates—ensure all systems and software remain up to date, prioritizing updates that address known vulnerabilities.
  • Extended detection and response—ensure that endpoint and network protection solutions, including anti-malware and endpoint detection and response solutions, are installed on all organization devices, remain up to date and are monitored for unauthorized changes.
  • Increase maturity of identity and access management (IAM)—reduce the attack surface by utilizing the principle of least privilege, including the review and removal of unnecessary administrative rights for users and/or shared administrative passwords across devices. Confirm that alerting is configured to detect changes within the IAM system, including privilege escalations and role changes. Utilize multifactor authentication, where possible, on externally accessible systems, such as email, portals and remote access technologies.
  • Security awareness training—enhance employee training, confirming that employees are aware of current common threats and how they are delivered. Establish blame-free employee reporting, ensuring that employees know who to contact during an instance of suspicious activity.
  • Review third-party relationships—the following measures can be taken to reduce third-party risk:
    • Identify critical vendors with operations or personnel in affected areas.
    • Collaborate with providers to ensure that you understand their contingency plans, and they are properly managing their cybersecurity risks.
    • Review contractual language to ensure that it includes appropriate security controls, appropriate logging and monitoring requirements, and notification of a security event.
    • Document current inventory levels, including on-site and in-transit materials, identifying alternate sources as appropriate. Utilize analytics to engage with affected suppliers or logistics process owners.
    • Identify alternate providers as appropriate.
  • Maintain operations—from a business perspective, review staffing plans for locations affected by the current conflict to maintain critical operational activities, assuming a high percentage of staff absenteeism. Consider retaining outside legal counsel, focused on the continuity of processes, and ensure that the procedures for paying staff in sanctioned countries are reviewed and approved to avoid loss of resources.

For more information, contact our cybersecurity and privacy team.

This article was written by RSM US LLP and originally appeared on 2022-03-14.
2021 RSM US LLP. All rights reserved.

RSM US Alliance provides its members with access to resources of RSM US LLP. RSM US Alliance member firms are separate and independent businesses and legal entities that are responsible for their own acts and omissions, and each is separate and independent from RSM US LLP. RSM US LLP is the U.S. member firm of RSM International, a global network of independent audit, tax, and consulting firms. Members of RSM US Alliance have access to RSM International resources through RSM US LLP but are not member firms of RSM International. Visit us for more information regarding RSM US LLP and RSM International. The RSM logo is used under license by RSM US LLP. RSM US Alliance products and services are proprietary to RSM US LLP.

BST & Co. is a proud member of the RSM US Alliance, a premier affiliation of independent accounting and consulting firms in the United States. RSM US Alliance provides our firm with access to resources of RSM US LLP, the leading provider of audit, tax and consulting services focused on the middle market. RSM US LLP is a licensed CPA firm and the U.S. member of RSM International, a global network of independent audit, tax and consulting firms with more than 43,000 people in over 120 countries.

Our membership in RSM US Alliance has elevated our capabilities in the marketplace, helping to differentiate our firm from the competition while allowing us to maintain our independence and entrepreneurial culture. We have access to a valuable peer network of like-sized firms as well as a broad range of tools, expertise and technical resources.

For more information on how BST & Co. can assist you, please call (325) 677-6251.