Secureworks FAQ: Russian Activity in Ukraine

Secureworks FAQ: Russian Activity in Ukraine Thursday, February 24, 2022By: Counter Threat Unit Research Team

Overview

On February 24, 2022, Russia began a military incursion into Ukraine. On February 23 there were ongoing distributed denial-of-service (DDOS), website defacement, and malware wiper attacks targeting Ukrainian government and financial services institutions. This follows similar attacks that occurred in mid-January (including the "WhisperGate" wiper) and earlier in February.

Q. What is the threat to Secureworks® customers?

Russian military operations are likely to include a cyber component. As an example, they may seek to degrade Ukrainian communications networks or critical infrastructure. It is likely that those cyber operations will be targeted, and therefore, are unlikely to impact Secureworks customers other than those who may rely on Ukrainian critical services.

It is highly likely that there will be a response from the U.S., UK, and other European nations, including further economic sanctions. In retaliation, there is the potential for reprisal cyberattacks conducted by Russian government-backed groups or independent pro-Russia threat actors against organizations involved in implementing those sanctions.

Q. What should customers do?

Due to the rapidly deteriorating security situation in Ukraine and the speed at which cyberattacks can unfold, customers are strongly advised to consider logically separating business operations located in Ukraine from other global networks. This includes severing any persistent VPN connections or remote network shares to suppliers or business partners with operations located in Ukraine. Organizations with operations in Ukraine should also prepare for continuity of operations in the case of power disruptions or loss of other business-critical services.

In view of the potential for reprisal attacks in response to any Western sanctions or military response, customers are advised to:

• Review their business continuity plans and restoration processes in the event of ransomware-style or wiper malware attacks.
• Maintain fundamental security practices such as patching internet-facing systems against known vulnerabilities, implementing and maintaining antivirus solutions, and monitoring endpoint detection and response solutions.
• Monitor for and follow advice issued by the U.S. State Department or their equivalent government department / ministry of foreign affairs.

Q. What is Secureworks doing? How am I (as a customer) protected?

The Secureworks Counter Threat Unit™ (CTU) has been tracking Russian threat groups for many years and has built up an extensive knowledge of tools and techniques leveraged by these groups, and countermeasures to detect them. Those groups are profiled on our website at www.secureworks.com/research/threat-profiles.

CTU™ researchers are actively working on threats that could be related to the escalating conflict and are collaborating closely with the U.S. Joint Cyber Defense Collaborative, and other public and private sector partners. Numerous threat intelligence products have been published since mid-January, including an advisory on Monday, February 21. The information available so far indicates that the wiper activity reported in Ukraine has been specifically targeted at Ukrainian government entities and financial services.

For customers using our solutions like Secureworks Taegis, our research team has many existing countermeasures to detect known tools used by Russian threat groups. However, the activity targeting Ukraine will likely employ previously unobserved tools. CTU researchers are analyzing reported threats and developing new countermeasures as appropriate-endpoint countermeasures have been developed for the wiper malware reported on February 23.

Q. Can I get a report specific to my company on the situation?

Due to the challenges of being able to provide detailed guidance based on the specifics of any one organization's security control framework, we are unable to provide specific reports. Organizations are encouraged to review the recommendations and advice issued by the CTU and apply that to their specific context. Secureworks-managed controls will benefit from CTU intelligence applied in the form of countermeasures and known threat indicators, and customers will be alerted to any identified activity in accordance with usual escalation procedures.

Q. Can we have extra vigilance for any activity sourcing from Ukraine or Russia into our networks?

Yes - Secureworks is operating at a heightened state of vigilance for all customers given the situation in Ukraine. Organizations will be alerted to suspicious events in accordance with existing escalation processes. It is important to note that cyberattacks often do not originate from the geography responsible for conducting them; geo-blocking traffic based on its origin country is not an effective defense. However, CTU researchers will continue to apply known threat indicators to managed controls.

Q. We're seeing reports of DDOS attacks outside of Ukraine, for example in Australia. Is this related?

There is the potential for reprisal attacks in response to any Western military response or economic sanctions. We assess it unlikely that Russia will want to get drawn to tit-for-tat cyberattacks with Western nations, and that its focus is more likely to be on achieving its military objectives in Ukraine with minimal Western/NATO intervention. That said, there is the potential for pro-Russia actors operating independent of the state to conduct DDOS or other disruptive attacks. Organizations, particularly those involved in implementing Western sanctions, should be vigilant.