The Chertoff Group

Ukraine Bulletin

What Happened

On Monday, February 21, 2022, in the aftermath of a series of unproductive diplomatic meetings between Russia, the U.S., and NATO, and of DDoS cyberattacks, President Putin announced that Russia would recognize the separatists in Donetsk and Luhansk in Eastern Ukraine as “independent republics” and that Russian troops were being deployed to the region as “peacekeepers.” This approach mirrors the actions that Russia took in Crimea in 2014 and in Georgia in 2008. The White House has announced limited sanctions prohibiting Americans from doing business in or with the regions of Donetsk and Luhansk, as well as sanctions on Nord Stream AG. German Chancellor Olaf Scholz announced that Germany would not complete certification of the Nord Stream 2 pipeline in response to the Russian actions.

Why it’s Important

These actions by Putin are of grave concern. They are yet another major violation of Ukraine’s territorial integrity and sovereignty (the last one being Crimea in 2014) and a dramatic move aimed at destabilizing Ukraine and reasserting Russian control and influence over the former states of the Soviet Union. This is likely not the last action Russia will take unless it can be deterred from further action by sanctions capable of crippling its industry and economy. As such, the United States and its NATO allies in particular can expect an extended period of instability and heightened risks, including the potential of:

  • Continued Russian cyberattacks against the Ukrainian Government and against U.S., Canadian and European businesses and governmental agencies
  • Further incursions into Ukrainian territory from Belarus in the north and/or Crimea in the south
  • Widespread disinformation
  • Blockade of trade routes in and out of Ukraine through the Black Sea and Sea of Azov
  • Incursions into Ukraine’s airspace
  • Moves to consolidate a Russian presence in other former Soviet states such as Kazakhstan
  • Russian efforts to intimidate and pressure neighbors such as the Baltic states and Poland

These are just some of the possible incidents that could occur over the coming months.

What to do about it

This is an ongoing crisis, and business entities need to make plans to mitigate the increased risk of operations in and around Ukraine, as well as to prepare for what are likely to be escalating sanctions.

CORPORATE SECURITY, BUSINESS CONTINUITY, AND RESILIENCE

Businesses with operations in Central and Eastern Europe can expect continued disruption from events unfolding in eastern Ukraine. Beyond the U.S. and German prohibitions against operating in the Donetsk and Luhansk regions, businesses that operate in the region or rely on it for components, key services, or a customer base will be disrupted. If not yet complete, organizations should conduct a focused Business Impact Analysis to evaluate potential impacts to critical processes and functions that have been or will be disrupted as the crisis escalates. This assessment should include analysis of interdependencies between systems and processes, and of second- and third-order impacts of the conflict (e.g., rising energy prices, strained regional infrastructure, and a potential humanitarian crisis). We recommend focused table-top exercises to ensure internal decision-making is streamlined and resources can be quickly deployed to improve resilience and minimize business disruptions.

Contingency planning around Ukraine is crucial, but companies must be cognizant of threat actors using the disruption in Ukraine to divert attention and obfuscate their hostile actions, in both the cyber and physical domains. This concern is exacerbated in the cyber domain, where Russia may create a safe haven for cyber criminals who can further Russian goals of inflicting pain or chaos on its perceived adversaries. We also note that other bad actors, including corporate spies or malicious insiders, may attempt to exploit the chaos of the moment to target unrelated aspects of businesses.

AVIATION AND MARITIME IMPLICATIONS

The Russian military has routinely jammed GPS in Eastern Ukraine since the Crimean conflict in 2014. This tactic is expected to be used against civil GPS and satellite communications. Given this, commercial aviation safety is a grave concern. Several nations have issued Notices to Airmen (NOTAMs) prohibiting flights near the region. Similarly, businesses involved in maritime activities in and around Ukraine should be mindful of Russia’s expanding use of GPS and AIS spoofing to disrupt commercial trade. In 2021, a British destroyer reported a disruption to its AIS signal while transiting near Crimea, which led to the Russian military harassing the vessel.

COMPLIANCE

The sanctions announced to date are unlikely to be the only ones imposed as this situation evolves. The Biden administration has stated that it has prepared wide-ranging sanctions against the financial and energy sectors, as well as strict export controls on microelectronics. Corporate compliance functions need to stay informed of the changing regulatory landscape, including updated export controls on Russia. Corporations must ensure that their organizational compliance policies and processes fully implement new regulations and controls within the implementation timeline stated by the U.S. Government.

CYBER

Financial organizations, defense contractors and businesses with a presence in Ukraine and its neighboring areas should be on high alert. Russian security services are very active and have the capability to initiate disruptive cyberattacks on Ukrainian critical infrastructure. Multiple rounds of distributed denial of service attacks have knocked certain websites of the Ukrainian army, the defense ministry, and major banks offline in recent days. While these were relatively low-level attacks, such activity can often serve as a smokescreen for more serious and damaging activities, for example the “WhisperGate” destructive wiper malware deployed against select Ukrainian targets in January, with additional variants being reported as of February 23. We are also tracking reports of significant disruption to mobile Internet services in Luhansk, Eastern Ukraine, on February 17.

Russian cyber actors will not limit themselves to governmental agencies. Corporations have been and will continue to be targets of cyber attackers. The 2017 NotPetya attacks, also attributed to Russia, demonstrated that even firms that are not Ukrainian may be incidental victims of broadly targeted attacks.

Consistent with guidance from the U.S. Cybersecurity & Infrastructure Security Agency (CISA), Chertoff Group recommends the following measures:

  • Validate that all remote access to the organization’s network, and all privileged or administrative access, requires multi-factor authentication.
  • Ensure that software is up to date, prioritizing updates that address known exploited vulnerabilities identified by CISA.
  • Confirm that the organization’s IT personnel have disabled all ports and protocols that are not essential for business purposes.
  • If the organization is using cloud services, ensure that IT personnel have reviewed and implemented strong cloud controls.
  • Confirm that the organization’s entire network is protected by antivirus/antimalware software and that signatures in these tools are updated.
  • If working with Ukrainian organizations, take extra care to monitor, inspect, and isolate traffic from those organizations; closely review access controls for that traffic.
  • Review firewall and audit logs for anomalous activity.
  • Review the activity of administrative, service, and user accounts for potentially malicious activity such as unexpected command line usage or script execution.
  • Review Incident Response and Recovery procedures and update them as necessary.
  • Test backup procedures to ensure that critical data can be rapidly restored if the organization is impacted by ransomware or a destructive cyberattack; ensure that backups are isolated from network connections.
  • If using industrial control systems or operational technology, conduct a test of manual controls to ensure that critical functions remain operable if the organization’s network is unavailable or untrusted.

More broadly, Chertoff Group recommends that security practitioners apply a threat-informed defense strategy: that is, security measures based on anticipated adversary behavior and on the assumption that a breach may already have occurred. The MITRE Corporation’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework can help through its library of mappings between TTPs and defensive countermeasure coverage. Practitioners should also validate that defensive countermeasures are operating as intended.

The Chertoff Group has deep experience helping organizations of all sizes rapidly implement threat and risk-informed cyber defenses. Contact info@chertoffgroup.com for more information.
