By Mollie MacDougall
As events unfold in Ukraine, many predict cyber warfare will play a significant role in Russia’s offensive operations. We have already seen reports of government and banking website denial of service attacks, and an advanced new wiper malware deployed to some targets in Ukraine. We are continuing to monitor the situation to see what more sophisticated cyberwarfare capabilities might be deployed.
Any Russian state-sponsored phishing activity conducted for access to targets to leverage in this conflict was almost certainly completed weeks ago – or longer. Russia already has options on the table and is likely prepared to ratchet a cyber conflict up or down, depending on how expanded this conflict becomes, and on how the international community reacts to Russian actions. The United States on Thursday imposed sanctions on Russia, targeting some of its biggest banks and members of the elite. While we don’t know how this will unfold, and how countries beyond Ukraine may be caught in the crosshairs, most agree that it’s appropriate to be on high alert for disruptive cyberattacks at the hands of Russia and its sympathizers, especially in the critical infrastructure sectors.
These current events highlight a critical tenet of a mature and effective phishing defense program: phishing defense must be proactive and constant. It cannot be reactive and event-based. Phishing is the upstream access point for more devastating attacks. If we are asking what we need to watch out for in phishing as news breaks of Russia attacking Ukraine, then we are too late. When we hear of Russia building up a military presence in Belarus, we are likely, even then, too late. Phishing is connected to staging—it’s the cyber side of preparation for forward deployment. Thus, an effective phishing defense program must always be on guard, and must always include a vigilant, educated and empowered workforce.
What Organizations Should Do Now
As our customers and partners know, Cofense is mission-focused on stopping phishing threats. I hope it is clear that phishing defense must be consistently prioritized within your organization. Still,there are important actions organizations can take now to best protect themselves. This especially holds true for financial, government, and other critical infrastructure organizations:
- Review your organization’s footprints and assets operating in Ukraine, Russia, and Belarus, including contractors. All employees or contractors in those countries should undergo a full entitlement review – meaning their privileges should be fully understood and regulated to the lowest levels of access necessary. This should also include a thorough review of all third-party dependencies or vendors that operate out of Ukraine or Russia.
- Organizations should look for any indication of anomalous account activity by system administrators, as well as any privilege escalation outside of normal operating procedures.
- Critical infrastructure organizations (especially energy, telecommunications, and financial sectors) should require shortened password reset times and ensure expedited patching of critical vulnerabilities.
- All organizations should closely monitor any traffic connecting to assets in Ukraine, Russia, and Belarus.
- Organizations should implement strict impossible travel rules. If an employee regularly logs in from one place, such as New York, and they suddenly ping from an IP in Moscow, their account should immediately be locked, forced into a password reset, and fully investigated.
We cannot lose focus in defending against phishing attacks. Other sophisticated actors may be keen to take advantage of our attention on Russian threats. Russian sympathizers or opportunistic criminals looking to take advantage of the crisis may increase their phishing activity. Train your staff to identify suspicious emails, empower them to report those emails, ensure you can properly analyze reported emails, and stay focused on the campaigns and tactics that are successful in reaching end users. The current Ukrainian crisis reminds us that while specific phishing attacks cannot be predicted, enterprises can still be at the ready.
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. Past performance is not indicative of future results.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.