Introduction
Beginning early Thursday morning multiple news sources reported that Russia launched their invasion on Ukraine. This included shelling and rocket attacks on several of the major cities including Ukraine’s capital, Kyiv.
Multiple news outlets are reporting that the invasion will not only include physical attacks but also include cyber attacks on Ukraine. Organizations around the world are sending out warnings about the increase in cybersecurity threats over the coming weeks. Umbrella Managed Systems is following developments closely and is already making changes to combat increased cyber threats.
Petya and NotPetya – Russia’s launch into cyber war
In 2017 Russia launched its NotPetya ransomware attacks on Ukraine, with the final impact of this attack reaching a global level and over $10 billion in damages. In fact, cybersecurity experts consider this to be the biggest cyber-attack in history. This historical attack was years in the making and experts pinpointed its start date back to 2014 and Petya ransomware.
Even back in 2014 Russia and Ukraine were in gridlock with each other even though war was not declared. Russia took advantage of its position of power over Ukraine and made it a testing ground for Russian-based cyber-attacks including Petya.
To summarize Petya Ransomware is a part of a family of encrypting ransomware that locks a PC up and then forces its victim to pay for a key to unlock their data. In its most common form, this malware targeted Microsoft Windows-based systems by infecting the master boot record, encrypting the hard drive, and preventing Windows from booting. To retrieve data and regain access to their device the ransomware would demand users make payment via bitcoin. Russia’s success with this ransomware gave birth to NotPetya, a much bigger ransomware threat.
In just a few short years Russia was able to fully set up and launch NotPetya. Taking its name from its resemblance to Petya the new malware stood out as it was created to be a super spreader of sorts as it contained tools to help the malware spread to and infect multiple computers. Originally developed to target Ukraine this infectious malware quickly spread to devices around the world including a hospital in Pennsylvania. The impact of this malware was felt worldwide as companies across the globe were impacted. In fact, the reach was strong it even ended up impacting Rosneft, a state oil company of Russia.
Today, Russia’s invasion of Ukraine is designed to target all parts of this country. This invasion is already being fought on all fronts, including the cyber front. There are already reports that cyber attacks on Kyiv’s banking, government, and infrastructure have already begun. Looking back at Russia’s impact of cyberwar it is safe to assume that the impact of this digital invasion will be felt worldwide.
Umbrella is taking action to protect against cyber fallout
In a recent article from SC Media, the American Hospital Association highlighted three areas of concern. These were based on Russia’s previous cyberwar attack methods used in NotPetya.
- All workforce members should be urged to be on heightened alert around the potential to receive malware-laden phishing emails.
- Healthcare security leaders should apply geo-fencing for inbound and outbound traffic originating from, and related to, Ukraine and its surrounding region.
- Organizations should identify internal and third-party mission-critical clinical and operational services and tech, in addition to implementing business continuity plans and well-practiced downtime procedures for four to six weeks to ensure operations can be maintained if disrupted by a cyberattack.
The association’s areas of concern are valid. Umbrella recognizes the fact that we live in a “assume breach” world as it helps us remain vigilant in protecting both our organization and our clients’ organizations from cyber security threats. We are taking the invasion of Ukraine seriously as this has generated an increased alert in cyber security. Our team has already been meeting and we’re taking the advice of the American Hospital Association as well as our own experts to ensure the top level of security and prevent attacks before they occur.
Removing the pilot testing stage for patches and updates.
As part of our standard practice, we normally test patches for a period before pushing them out to clients. We will be temporarily updating our practices here and no longer hold on deploying patches and updates to PCs. This temporary change will allow us to increase the turnaround time on patching and ensure that devices have up-to-date versions of software. Our belief here is that this impermanent change has the potential to make a big difference.
Enhancements to the KnowBe4 program.
Every month we send out mock phishing tests to our clients’ organizations to help them better identify actual phishing emails. We will continue with this service for all clients while making a couple of improvements. We will confirm that all clients are being phished at the highest level of difficulty as well as add the Current Events category to the deck of phishing templates to ensure your staff is being tested on the latest phishing-related topics. Staff will not see any changes to the process as all changes will be made internally and monthly phishing reports will be sent as normal.
Other security changes.
- We have already deployed next-generation endpoint protection with Huntress/SentinelOne to proactively monitor your network for any cybersecurity threats. This automated process watches your network 24/7 and sends an alert to our Centralized Services team anytime a threat is detected. In any instance a threat is identified we treat it as a Priority 1 incident (P1) and rapidly respond to prevent any fallout.
- Your backups are constantly overseen. In addition to local backups, we run offsite backups to create multiple secure copies of your data. Every day we vigilantly run health checks and monitor backups to ensure that all data is being backed up and saved correctly. This allows us to be prepared for hardware failures or in the worse case a data breach.
- In an extreme case where ransomware was to get a hold of backups Umbrella has already created a backup of the backup and in turn, would be able to restore the data.
- We will be blocking all IP requests from Russia and Ukraine.
- To further protect your systems from a devastating ransomware attack, Umbrella implemented additional security measures to protect critical backup systems such as Zero-Trust Application Whitelisting, System Insight and Event Management tools, and 24×7 Security Operations Center monitoring.
- Umbrella’s internal Cybersecurity Task Force will be working closely with our security partners to monitor and respond if needed.
What steps should my organization be taking?
Umbrella is doing the heavy lifting when it comes to the monitoring of cyber security threats, taking action to keep clients safe, and ensuring your data is backed up. Keep in mind there are things that your organization can do to help protect against a cyber threat.
- Alert your staff when there is a heightened risk for a security breach. You can do so by forwarding this email to your organization.
- Make sure your staff is keeping their devices online on Wednesday nights to receive patches and updates. To do so one simply needs to sign out of the device at the end of this will leave the PC locked and secured, but online to receive updates. In the case of a laptop ensure you plug the device in after signing out to ensure it doesn’t go to sleep.
- If you see something say something. Umbrella is here to support you, if you notice a weird prompt, message or anything else on your PC submit a support request by emailing help@umbrella-ms.com. It is better to error on the side of caution.
- Continue to alert our team any time you receive a suspicious or unexpected email in your inbox. Especially if they’re making an urgent request or asking you to click a weird link. We can quarantine, review, and take the appropriate action.
Umbrella is here to support you and keep your organization secure. These increased cyber security threats are something we are here to plan against. You can best help us by using the resources you already use to report anything that is out of the ordinary or doesn’t feel right. As always please contact our help desk with any questions.