CISOs must get out in front of Ukraine cyber crisis, says NCSC

UK organisations should urgently consider reinforcing their cyber security defences in response to the developing international crisis in Eastern Europe, which has already seen an unknown group or groups conduct cyber attacks against targets in Ukraine with the destructive WhisperGate malware.

The UK’s National Cyber Security Centre (NCSC) is today issuing a new bulletin on the unfolding crisis, which diplomatic experts anticipate will likely culminate in Russian military action against Ukraine, and possibly a full-blown invasion. Further cyber attacks are considered quite likely in such a scenario.

It is urging organisations to consult recently refreshed guidance on increasing international cyber threat levels, saying that recent cyber activity in and around Ukraine fits with previously observed Russian patterns of behaviour, such as the NotPetya incident.

The NCSC’s alert follows similar bulletins from US government agencies, including the Department for Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA).

NCSC operations director Paul Chichester said: “The NCSC is committed to raising awareness of evolving cyber threats and presenting actionable steps to mitigate them. 

“While we are unaware of any specific cyber threats to UK organisations in relation to events in Ukraine, we are monitoring the situation closely and it is vital that organisations follow the guidance to ensure they are resilient. 

“Over several years, we have observed a pattern of malicious Russian behaviour in cyberspace. Last week’s incidents in Ukraine bear the hallmarks of similar Russian activity we have observed before,” he added.

“While we are unaware of any specific cyber threats to UK organisations in relation to events in Ukraine, we are monitoring the situation closely and it is vital that organisations follow the guidance to ensure they are resilient”

The NCSC reiterated that it has not identified any specific threats against organisations in the UK – whether public sector or government bodies, or private enterprises – and nor is it prepared to attribute full responsibility for the WhisperGate attacks on Kyiv to any specific threat actor at this time.

Nevertheless, it said, if we are currently in a period of calm before a storm, security teams should use this time to ensure their systems are fully patched; to improve access controls and enable multifactor authentication (MFA) if possible; to implement incident response plans; to check, double check, then triple check that backup and restore mechanisms are functional; to ensure online defences are working as intended; and to stay up-to-date with the latest threat and mitigation information.

Speaking in response to the DHS alert earlier in the week, Bill Bernard, senior director of solutions architecture at Deepwatch, a US-based security services supplier, said that even though many security professionals would likely assess their organisations to be at minimal risk of a cyber attack backed by the Russian state, it was still worth taking action.

“At this point, you could assume that there would be two different sets of hackers during this time of unrest: one operating at the direction of the state and working to forward their goals; and the other the opportunists looking to make money in the midst of the chaos. Expect the unexpected. Don’t be complacent that you’re not a ‘priority target’ for Russian attackers,” said Bernard.