CISA is encouraging increased cybersecurity awareness in a new "Shields Up" advisory as tensions escalate between Ukraine and Russia.
Russia has threatened new invasions against Ukraine as an escalation of the Russo-Ukrainian War that began in 2014. The cybersecurity implications of these threats have already been felt, as Ukrainian tech companies are ramping up for potential conflict. In addition, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) reported last month that Ukraine was being hit with destructive malware attacks, though these attacks were not directly connected with a specific entity.
The advisory, published Saturday, provided general guidance for preventing, detecting and responding to cyberintrusions, but also included direct references to past and present Russo-Ukrainian conflicts.
"While there are not currently any specific credible threats to the U.S. homeland, we are mindful of the potential for the Russian government to consider escalating its destabilizing actions in ways that may impact others outside of Ukraine," the advisory read.
For example, the advisory mentioned past cyberaggressions involving critical infrastructure committed by Russia against Ukraine around 2015. These attacks included the deployment of malware known as BlackEnergy, which hit utility companies in Ukraine and caused significant power outages in some regions of the country.
CISA recommended taking extra precautions when working with Ukrainian organizations. The agency also advised taking "extra care to monitor, inspect, and isolate traffic from those organizations" and to "closely review access controls for that traffic." Some of the advice given includes ensuring software is up to date, disabling ports and protocols not essential for business use, and designating a crisis response team.
CISA declined to comment beyond the content of the advisory.
In another instance of government entities warning of cyberthreats against critical infrastructure, the FBI and U.S. Secret Service published a joint cybersecurity advisory on Friday to raise awareness about BlackByte ransomware, a ransomware-as-a-service entity that has previously "compromised multiple U.S. and foreign businesses, including entities in at least three U.S. critical infrastructure sectors (government facilities, financial, and food & agriculture)."
Like many ransomware variants, BlackByte avoids infecting systems configured with Russian and other former Eastern Bloc languages. The ransomware, first discovered last year, was recently observed exploiting the ProxyShell vulnerability in Microsoft Exchange servers.
One recent victim of BlackByte ransomware was the San Francisco 49ers football team, which the operator's leak site mentioned over the weekend. A spokesperson for the team shared the following statement with SearchSecurity:
We recently became aware of a network security incident that resulted in temporary disruption to certain systems on our corporate IT network. Upon learning of the incident, we immediately initiated an investigation and took steps to contain the incident. Third-party cybersecurity firms were engaged to assist, and law enforcement was notified.
While the investigation is ongoing, we believe the incident is limited to our corporate IT network; to date, we have no indication that this incident involves systems outside of our corporate network, such as those connected to Levi's Stadium operations or ticket holders. As the investigation continues, we are working diligently to restore involved systems as quickly and as safely as possible.
Alexander Culafi is a writer, journalist and podcaster based in Boston.