The Chertoff Group

Ukraine Bulletin-Update

What Happened

On February 24, 2022, President Putin announced a “special military operation” in Ukraine to “protect” the people in the “republics of Donbas”, adding that the actions were aimed at demilitarizing and “de-nazifying” Ukraine. Almost immediately afterward, Russian forces began a multi-pronged air, land, and sea invasion from the north, south, and east, launching missile strikes against multiple cities including the capital, Kyiv. The Russians have also closed the airspace over Ukraine. Refugees from Ukraine have begun crossing into Poland. In response, the White House announced it will follow up the limited sanctions instituted earlier this week with “full-scale sanctions” today; these sanctions reportedly will not include the oil sector. Several European NATO countries invoked Article IV of the NATO Treaty – requiring consultations whenever the security of any of the allies is threatened.

Why it’s Important

This full-scale invasion of Ukraine by Putin – the largest onset of hostilities in Europe since World War II – is of grave concern and will have a lasting impact, upending the order that arose in Europe at the end of the Cold War and replacing it with what will likely be, at the least, a lasting deep chill and regional upheaval. Putin appears determined to topple the Ukrainian government, cut it off from the West and NATO economically and militarily, and bring it back under Russian influence and de facto control. The planned, wide-reaching punitive sanctions by the United States and the European Union will in themselves likely provoke retaliatory action by Putin, who has made threatening remarks that some interpret as hinting at a potential nuclear response. Markets have already started to respond and the price of oil is climbing. The action in Ukraine also could be a precursor to future moves to consolidate a Russian presence in other former Soviet states such as Kazakhstan, as well as specific actions designed to intimidate and pressure neighbors such as the Baltic states and Poland.

What to do about it

This is an ongoing wartime situation, and business entities need to make plans to mitigate the increased risk of operations in and around Ukraine, as well as prepare for widespread sanctions and potential Russian retaliation.

CORPORATE SECURITY, BUSINESS CONTINUITY, AND RESILIENCE

Businesses with operations in Central and Eastern Europe can expect continued disruption from events unfolding in Ukraine and impacts arising from the influx of refugees. Businesses that operate in or rely on Ukraine or the region for components, key services, or a customer base will be disrupted. If not yet complete, organizations should conduct a focused Business Impact Analysis to evaluate potential impacts to critical processes and functions that have or will be disrupted as the crisis escalates. This assessment should include analysis of interdependencies between systems and processes, and second and third order impacts of the conflict (e.g., rising energy prices, strained regional infrastructure, impacted IT dependencies and a potential humanitarian crisis). We recommend focused table-top exercises to ensure internal decision-making is streamlined and resources can be quickly deployed to improve resilience and minimize business disruptions.

Contingency planning around Ukraine is crucial, but companies must be cognizant of threat actors using the disruption in Ukraine to divert attention and obfuscate their hostile actions, both in the cyber and physical domains. This concern is exacerbated in the cyber domain, where Russia may create a safe haven for cyber criminals who can further Russian goals of inflicting pain or chaos on its perceived adversaries. We also note that other bad actors, including corporate spies or malicious insiders, may attempt to exploit the chaos of the moment to target unrelated aspects of the business. Likewise, we are concerned about the downstream physical supply chain impact of the ransomware attack disclosed on February 20 against market-leading logistics operator Expeditors International.

AVIATION AND MARITIME IMPLICATIONS

The Russian military has routinely jammed GPS in Eastern Ukraine since the Crimean conflict in 2014. This tactic is expected to be used against civil GPS and satellite communications. Given this, commercial aviation safety is a grave concern. Several nations have issued Notices to Airmen (NOTAMs) prohibiting flights near the region. Similarly, businesses involved in maritime activities in and around Ukraine should be mindful of Russia’s expanding use of GPS and AIS spoofing to disrupt commercial trade. In 2021, a British destroyer reported a disruption to its AIS signal while transiting near Crimea, which led to the Russian military harassing the vessel.

COMPLIANCE

The Biden administration has stated that it has prepared wide-ranging sanctions against the financial sector and against oligarchs and their business operations, as well as strict export controls on microelectronics. Corporate compliance functions need to stay informed of the changing regulatory landscape, including updated export controls on Russia. Corporations must ensure that their organizational compliance policies and processes are fully implementing new regulations and controls within the implementation timeline stated by the U.S. Government.

CYBER

Financial organizations, defense contractors and businesses with a presence in Ukraine and its neighboring areas should be on high alert. Russian security services are very active and have the capability to initiate disruptive cyberattacks on Ukrainian critical infrastructure. Multiple rounds of distributed denial of service attacks have knocked certain websites of the Ukrainian army, the defense ministry, and major banks offline in recent days. While these were relatively low-level attacks, such activity can often serve as a smokescreen for more serious and damaging activity, for example the destructive “WhisperGate” wiper malware deployed against select Ukrainian targets in January, with additional variants being reported as of February 23. We are also tracking reports of significant disruption to mobile Internet services in Luhansk, Eastern Ukraine, on February 17.

Russian cyber actors will not limit themselves to governmental agencies. Corporations have been and will continue to be targets of cyber-hackers, as described here. The 2017 NotPetya attack, also attributed to Russia, demonstrated that even firms that are not Ukrainian may be incidental victims of broadly focused attacks. On February 23, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) issued a joint alert with the FBI, the National Security Agency and UK authorities on new malware strains associated with the same Russian state actor responsible for NotPetya.

Consistent with guidance from CISA, Chertoff Group recommends the following measures:

  • Validate that all remote access to the organization’s network and privileged or administrative access requires multi-factor authentication.
  • Ensure that software is up to date, prioritizing updates that address known exploited vulnerabilities identified by CISA.
  • Confirm that the organization’s IT personnel have disabled all ports and protocols that are not essential for business purposes.
  • If the organization is using cloud services, ensure that IT personnel have reviewed and implemented strong cloud controls, for example those identified here, here and here.
  • Confirm that the organization’s entire network is protected by antivirus/antimalware software and that signatures in these tools are updated.
  • If working with Ukrainian organizations, take extra care to monitor, inspect, and isolate traffic from those organizations; closely review access controls for that traffic.
  • Review firewall and audit logs for anomalous activity.
  • Review activity of administrative, service, and user accounts for potentially malicious activity such as command line usage or script execution.
  • Review Incident Response and Recovery procedures and update as necessary.
  • Test backup procedures to ensure that critical data can be rapidly restored if the organization is impacted by ransomware or a destructive cyberattack; ensure that backups are isolated from network connections.
  • If using industrial control systems or operational technology, conduct a test of manual controls to ensure that critical functions remain operable if the organization’s network is unavailable or untrusted.
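As an added illustration of the account-activity review in the list above (this is example code, not from the bulletin or from CISA), the script below runs over constructed process-creation events and flags script-interpreter launches by service accounts, launches spawned from web-server worker processes, and launches using hidden or encoded interpreter flags. The tab-separated event layout, the `svc_` naming convention for service accounts and the sample lines are all assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation events (not real telemetry). Tab-separated
# fields: timestamp, account, parent image, child image, command line.
SAMPLE_EVENTS = """\
2022-02-24T08:01:12Z\tCORP\\svc_backup\tservices.exe\tbackup.exe\tbackup.exe --nightly
2022-02-24T08:03:44Z\tCORP\\svc_backup\tbackup.exe\tcmd.exe\tcmd.exe /c copy D:\\dump E:\\stage
2022-02-24T08:05:09Z\tCORP\\svc_web\tw3wp.exe\tpowershell.exe\tpowershell.exe -nop -w hidden -enc <constructed>
2022-02-24T09:10:00Z\tCORP\\jdoe\texplorer.exe\tWINWORD.EXE\tWINWORD.EXE report.docx
2022-02-24T09:12:30Z\tCORP\\adm_ops\tmmc.exe\tpowershell.exe\tpowershell.exe Get-Service
2022-02-24T09:15:02Z\tCORP\\svc_web\tw3wp.exe\tcmd.exe\tcmd.exe /c whoami
"""

INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
WEB_PARENTS = {"w3wp.exe", "httpd.exe", "nginx.exe", "tomcat.exe"}
# Assumed convention: service accounts are named with an "svc_" prefix.
SERVICE_ACCOUNT_RE = re.compile(r"(?:^|\\)svc_", re.IGNORECASE)
# Flags that hide or obfuscate what an interpreter runs; rarely needed by scheduled jobs.
SUSPICIOUS_FLAGS = re.compile(r"(?:^|\s)-(?:enc\w*|nop|noni\w*|w(?:indowstyle)?\s+hidden)\b", re.IGNORECASE)


@dataclass
class Finding:
    timestamp: str
    account: str
    image: str
    severity: str
    reason: str


def review_account_activity(events: str) -> list:
    """Return findings for interpreter launches that merit analyst review."""
    findings = []
    for line in events.splitlines():
        if not line.strip():
            continue
        ts, account, parent, image, cmdline = line.split("\t", 4)
        if image.lower() not in INTERPRETERS:
            continue  # only script interpreters and shells are in scope here
        reasons = []
        if SERVICE_ACCOUNT_RE.search(account):
            reasons.append("service account launched a script interpreter")
        if parent.lower() in WEB_PARENTS:
            reasons.append(f"interpreter spawned by web server process {parent}")
        if SUSPICIOUS_FLAGS.search(cmdline):
            reasons.append("hidden/encoded interpreter flags")
        if reasons:  # more than one indicator at once raises the severity
            severity = "high" if len(reasons) > 1 else "medium"
            findings.append(Finding(ts, account, image, severity, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for f in review_account_activity(SAMPLE_EVENTS):
        print(f"{f.timestamp} {f.severity:6} {f.account:16} {f.image:15} {f.reason}")
```

The interactive launch of PowerShell by the administrator account is deliberately not flagged: without a hidden or encoded flag or a web-server parent it is routine, and the review should concentrate on the combinations that are not.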

More broadly, Chertoff Group recommends that security practitioners apply a threat-informed defense strategy, that is, security measures based on anticipated adversary behavior and an assumption that a breach may already have occurred. The MITRE Corporation’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework can help through its library of mappings between TTPs and defensive countermeasure coverage. Practitioners should also validate that defensive countermeasures are operating as intended.

The Chertoff Group has deep experience helping organizations of all sizes rapidly implement threat and risk-informed cyber defenses. Contact info@chertoffgroup.com for more information.
