Jan 282022

U.S. and Foreign Cybersecurity and Intelligence Agencies Recommend Measures to Counteract Threat of Russian Cyberattacks

Vishnu Tirumala, Alan Charles Raul, Sujit Raman and Stephen W. McInerney
, , ,

On January 11, 2022, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) recently released a joint Cybersecurity Advisory warning critical infrastructure operators about the threat of Russian state-sponsored cyberattacks and recommended best practices to minimize disruption from such an attack (the “Advisory”).

The advisory was promptly endorsed by the National Cyber Security Centre, a division of Government Communications Headquarters (“GCHQ”), a UK intelligence agency. Within a few days, data security experts at Microsoft, Palo Alto Networks (“PANW”), and Mandiant confirmed reports of increasing Russian cyberactivity and offered their own recommendations for hardening measures (many of which overlap with the Advisory).

Key Takeaways

The Advisory, as well as the Microsoft, PANW, and Mandiant reports, are noteworthy for a few reasons in particular.

  • First, all of the reports specifically focus on the threat of Russian state-sponsored cyberattacks.  This is an important public action by the U.S. government, especially in light of ongoing tensions between the U.S. and Russia in Ukraine. A few days after the Advisory, Ukrainian government websites were attacked by Russian actors while the Russian government simultaneously arrested members of the notorious ransomware gang REvil.
  • Second, although the focus of the Advisory is on critical infrastructure, the recommendations are broader than that and may be applicable to a wide-range of companies.  These recommendations are further detailed below, but two to note in particular:
    • The Advisory recommends that organizations “require multi-factor authentication for all users, without exception.” Other government agencies, like the New York Department of Financial Services and the Federal Trade Commission, are also increasingly focused on the need for broad implementation of MFA.
    • Another example is the inclusion of remediation details for old vulnerabilities (including some dating back to 2018) and CISA stating that the Russian state-sponsored advanced persistent threat (“APT”) actors have used these “common but effective” vulnerabilities for attacks.  This suggests that the FBI may still be seeing attacks exploiting historic vulnerabilities; emphasizing the need for companies to closely review their IT systems to confirm proper remediation of such vulnerabilities.

Best Practices to Minimize Disruptions

The following are the best practices highlighted by the Advisory, Microsoft report, PANW report, and Mandiant report.

  • Require multi-factor authentication (MFA) for all users

The agencies recommend that all users, without exception, must be authenticated with MFA for remote access to internal networks. Like an incident response plan, MFA has become a critical element of cybersecurity programs.

The agencies’ posture is consistent with requirements from prominent regulators, like the New York Department of Financial Services and the Federal Trade Commission, that similarly insist on broad implementation of MFA. MFA was also expressly named by both Microsoft and Mandiant as one of the most important recommendations to mitigate risk.

  • Implement centralized log collection and monitoring

The agencies recommend that organizations centralize log collection and monitoring capabilities to detect threat actor behavior and investigate incidents. Organizations can use the logs to look for password spray activity, identify unusual activity in dormant accounts, or identify when an IP address is not consistent with the user’s expected location. Microsoft and Mandiant recommended that organizations also review logs for remote access infrastructure to confirm authenticity

  • Create, Maintain, and Exercise a Cyber Incident Response, Resilience, and Continuity of Operations Plan

An incident response and continuity of operations plan are increasingly common features in a credible cybersecurity program. The agencies urge organizations to regularly test their controls and backup procedures so that personnel are adequately prepared for an incident.

While the Advisory only urges the adoption of comprehensive cybersecurity programs, an increasing number of states have begun to mandate such cybersecurity programs – especially if the organization possesses personal data. Prominent examples include the NY DFS Cyber Regulations, California Consumer Privacy Act (“CCPA”), NY SHIELD Act, Massachusetts data security law, and the numerous Insurance Data Security laws. Federal law and regulations also mandates such cybersecurity programs under Gramm-Leach Bliley and HIPAA, as does the General Data Protection Regulation in the EU, and its counterpart in the UK.

  • Keep software updated and use industry-recommended antivirus programs

The Advisory reminds organizations to regularly update their software, especially to patch vulnerabilities that are known to have been exploited. Mandiant advised organizations to promptly patch and harden any identified vulnerabilities. PANW similarly encouraged organizations to update their firmware. Moving forward, the agencies urge organizations to adopt a centralized patch management system and to use antivirus programs to regularly scan IT network assets for malware.

  • Enable Controlled Folder Access

Microsoft and Mandiant further recommended organizations using Windows Defender Antivirus activate Controlled Folder Access. The service determines whether an application is malicious or suspicious and, if so, will block it from making changes to any files in a protected folder.

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.

Vishnu Tirumala

Washington, D.C.

vtirumala@sidley.com

Alan Charles Raul

Washington, D.C., New York

araul@sidley.com

Sujit Raman

Stephen W. McInerney

Chicago

smcinerney@sidley.com

You might also like
EU Formally Adopts Cyber Law for Connected Products

On 12 March 2024, the European Parliament approved the EU Cyber Resilience Act (“CRA”) with a large majority of 517-12 votes in favor of the legislation (with 78 abstentions). The CRA aims to ensure that “products with digital elements” (“PDE”) i.e., connected products such as smart devices, and remote data processing solutions, are resilient against cyber threats and provide key information in relation to their security properties.

Chambers 2024 Global Practice Guides for Data Protection & Privacy and Cybersecurity
The newest editions of the Chambers Global Practice Guides have been published and, once again, Sidley lawyers have contributed to two guides: Data Protection & Privacy 2024 and Cybersecurity 2024. These publications cover important developments across the globe and offer insightful legal commentary for businesses on issues related to data privacy and cybersecurity, such as regulatory enforcement and litigation, global cooperation to combat cybercrime, international agreement on ‘Software Security by Design,’ a global approach to policy on artificial intelligence, and more. Sidley partner Alan Charles Raul is a contributing editor to both guides in addition to authoring the introductions. The UK chapters of Cybersecurity 2024, covering “UK Law and Practice” and “UK Trends and Development” were authored by Sidley lawyers William Long, Francesca Blythe, Denise Kara, and Eleanor Dodding.
FinCEN Seeks Input on Banks’ Collecting Partial Social Security Numbers for Customer Identification Programs

On March 28, 2024, the Financial Crimes Enforcement Network (FinCEN), in consultation with the U.S. banking agencies and the National Credit Union Administration, issued a request for information (RFI) regarding the customer identification program (CIP) requirement for depository institutions (referred to herein as banks) to collect tax identification numbers (TINs).Comments are due by May 28, 2024.