The agency that defends Canada’s IT networks is warning firms here — particularly banks, airlines, telcos, and others in the critical infrastructure sectors — to bolster their awareness of and protection against Russian state-sponsored cyber threats.
The Canadian Centre for Cyber Security issued the cyber threat bulletin Thursday following similar alerts issued by its U.S. and U.K. counterparts. The warnings come a week after a Russian-based threat actor allegedly attacked computer systems in Ukraine. Russia has amassed an army on Ukraine’s border.
The Canadian Cyber Centre “is aware of foreign cyber threat activities, including by Russian-backed actors, to target Canadian critical infrastructure network operators, their operational and information technology,” the bulletin says in part.
Microsoft said this week it detected fake ransomware notes on some Ukrainian systems that masked data-wiping malware from an unknown threat actor.
“At present and based on Microsoft visibility, our investigation teams have identified the malware on dozens of impacted systems and that number could grow as our investigation continues,” its report says. “These systems span multiple government, non-profit, and information technology organizations, all based in Ukraine. We do not know the current stage of this attacker’s operational cycle or how many other victim organizations may exist in Ukraine or other geographic locations. However, it is unlikely these impacted systems represent the full scope of impact as other organizations are reporting.”
The Cyber Centre urges Canadian critical infrastructure network defenders to:
- Be prepared to isolate critical infrastructure components and services from the internet and corporate/internal networks if those components would be considered attractive to a hostile threat actor to disrupt. When using industrial control systems or operational technology, conduct a test of manual controls to ensure that critical functions remain operable if the organization’s network is unavailable or untrusted.
- Increase organizational vigilance. Monitor your networks with a focus on the TTPs reported in the CISA advisory (link available in English only). Ensure that cybersecurity/IT personnel are focused on identifying and quickly assessing any unexpected or unusual network behavior. Enable logging in order to better investigate issues or events.
- Enhance your security posture: Patch your systems with a focus on the vulnerabilities in the CISA advisory (link available in English only), enable logging and backup. Deploy network and endpoint monitoring (such as anti-virus software), and implement multifactor authentication where appropriate. Create and test offline backups.
- Have a cyber incident response plan, a continuity of operations and a communications plan and be prepared to use them.
- Inform the Cyber Centre of suspicious or malicious cyber activity.
On Friday’s Cyber Security Today Week in Review podcast, host Howard Solomon will talk to former U.S.cyber diplomat Christopher Painter about the situation in Ukraine, the history of nation-state cyberattacks and cybercrime. The podcast will be available at 3 p.m. Eastern.
Here’s some of what he had to say:
“It’s not surprising this [cyberattacks] has grown as something that states are using as a way to project power. It’s not surprising that Russia or China would use this, but smaller states like North Korea and Iran can [also] use it to project power. Because it’s somewhat of an asymmetric threat — You don’t need a huge infrastructure, you don’t need a huge army or a bunch of tanks to impose some costs on countries that you don’t like. We’ve seen that more and more, and I don’t think that’s going to abate anytime soon. I think we’re clearly seeing that. And then you have the things like election interference which is incredibly serious. It’s something that we as cyber experts didn’t see coming. We were looking at the [data] thefts, we were looking at the attacks, but really weren’t focused on this kind of hybrid threat to essentially be a [public opinion] influence operation. So yeah, we’re really seeing a wide range of activity by states, and also by criminals sometimes acting at the behests of states acting as proxies for states. It’s obviously not a good environment.
“The major message is we need to do a better job of protecting ourselves, hardening our targets. But we also need to make sure that we are deterring and dissuading this kind of conduct by being better at working collectively with countries to stop it and saying it will impose costs. I don’t think we’ve done that particularly well so far.”