Ukrainian war, alarm from the Cybersecurity Agency: "Raising the defenses against potential attacks"

After the Russian invasion, the body led by Baldoni recommended "adopting ad hoc measures and increasing internal controls for the protection of digital infrastructures". Here is the CSIRT's decalogue.

24 Feb 2022 - Federica Meta, Journalist

Maximum cybersecurity alert. In relation to the evolution of the international situation, the National Cybersecurity Agency "strongly renewed the recommendation to adopt high cyber defense measures and maximum internal controls for the protection of its digital infrastructures". It is also recommended to follow the indications and updates published on the portal and on the Twitter profile of CSIRT Italia (Computer Security Incident Response Team), "which also contain some indicators of compromise relating to the most recent cyber attacks".

In recent days the CSIRT had published a note on the possible cyber risks deriving from the situation in Ukraine. "A 'wiper' type of malware appears to have been distributed - called HermeticWiper (alias KillDisk.NCV) - whose peculiarity consists in intentionally destroying the data on a device in order to make them unrecoverable, undermining the correct functioning of the running operating system", the CSIRT explained. In this light, organizations were asked - and, with today's Russian invasion of Ukrainian territory, even more so - to adopt cybersecurity best practices, "urgently implementing" the indicators of compromise, and to raise the level of attention by adopting the necessary mitigation actions as a matter of priority. Two types of measures are recommended: organizational-procedural measures and technical measures.

Organizational-procedural measures

• Verify the consistency and offline availability of the backups needed to restore, in particular, the core business services.
• Identify information flows and components directly interconnected with partners and/or located in Ukrainian networks.
• Implement a demilitarized zone (DMZ) for Business-to-Business (B2B) connectivity.
• Identify the critical assets needed to carry out the main activities (e.g. business processes).
• Apply the principle of least privilege to systems with trust relationships and/or with the possibility of remote access.
• Increase monitoring and logging activities.
• Update cyber incident management plans to reflect any architectural changes introduced.
• Create, update, maintain and periodically exercise incident response capabilities, together with a business continuity and resilience plan for the event of loss of access to, or control of, an IT and/or operational technology (OT) environment.
• Designate a crisis response team with the main points of contact and the roles/responsibilities within the organization, including technology, communications, legal and business continuity.
• Ensure the availability of key personnel and identify the means necessary to provide immediate support for incident response.
• Exercise staff in cyber incident response, making sure all participants understand their specific roles and tasks.
• Pay particular attention to securing cloud environments before transferring files relevant to the organization's activities, and use the security controls made available by the cloud platforms.
• Increase information-sharing activities with IT security structures, with particular reference to CSIRT Italia.

Technical measures

• Prioritize patching of internet-facing systems.
• Verify the interconnections between the IT network and the OT networks, preferring the maximum possible segregation between them.
• Monitor service accounts and administrator accounts for any abnormal activity.
• Monitor Domain Controllers, in particular Kerberos TGS (ticket-granting service) events, in order to detect any anomalous activity.
• Search for running processes and/or command-line programs that may indicate credential dumping, in particular by monitoring attempts to access or copy the ntds.dit file from a Domain Controller.
• Monitor the installation of file transfer software such as FileZilla and rclone, as well as the processes associated with compression or archiving tools.
• Monitor network traffic by analyzing spikes in outbound connectivity, particularly to unusual destinations such as VPS and VPN providers and the TOR network.
• Prioritize the analysis of any detections of malicious code (e.g. Cobalt Strike and webshells).
• Make sure that all remote access requires multi-factor authentication (MFA), in particular for VPN services, externally facing company portals (extranet) and access to email (e.g. OWA or Exchange Online).

Cyberattacks on Ukrainian sites

First, the websites of the Ministry of Defense and the Ukrainian army went dark. Then customers of the two largest state-owned banks in the country could not access their accounts or, worse, saw their balances suddenly drop to zero. Fake text messages from Polish, Austrian and Estonian numbers appeared on their phones, warning them that the ATMs were out of order. The Los Angeles Times reports this, highlighting another aspect of the Russian attack on Ukraine.

"Then the snowball started rolling," said intelligence officer Yuri Shchigol, as the massive February 15 online assault engulfed the Ukrainian central bank, the president's office, the foreign ministry, the security service and a number of other state portals, disabling their websites for hours. That attack was followed by yesterday's attack, which - writes the Los Angeles Times - hit several banks, as well as the national parliament, the cabinet of ministers and the websites of the foreign ministry. Hours later, on Wednesday, Russian President Vladimir Putin announced that he would proceed with a military operation in Ukraine. Ukrainians woke up to the sound of explosions in what Putin called the "demilitarization" of Ukraine, demanding that the Ukrainian army withdraw.

"For most people, the beginning of this war is the crossing of the borders of Ukraine," Shchigol, head of the technical and security intelligence service of Ukraine, known as SSSCIP, told the Los Angeles Times. "But the war in cyberspace is underway and we have been monitoring and defending ourselves against attacks from Russia for years." In the meantime, according to the US daily, the specter of higher-level cyber attacks has raised fears that the fallout could reach far beyond Ukraine, especially in retaliation by Russia for tougher economic sanctions.

S&P estimates

The conflict between Russia and Ukraine could also have an impact in terms of cybersecurity, and the economic impact could exceed $10 billion for nations and businesses. This was stated by S&P Global Ratings: the agency notes a strong risk that Ukraine will be the target of new and targeted cyberattacks. These attacks could also spread beyond Ukraine's borders to target other countries and businesses in the neighboring area or beyond. A cyber attack "could have ripple effects on businesses, government and others in the region and beyond," said S&P analyst Zahabia Gupta. "We are monitoring whether this type of attack can spread beyond the borders of the country and its potential implications" in economic terms.

According to S&P, the economic impact of a large-scale attack linked to the Russia-Ukraine crisis could exceed, for those involved, the estimated $10 billion of the 2017 "NotPetya" malware attack, because today the degree of interconnection and digitization is much higher. NotPetya was launched in Ukraine in 2017 and shut down the digital systems of about 7,000 companies in 65 countries for weeks. Those with weaker IT governance and risk management will be more exposed to rating impacts. S&P is also monitoring the potential credit impact of cyberattacks on insurers and policyholders, given the still ambiguous war risk exclusion clauses in insurance policies.
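Three of the technical measures in the CSIRT list (watching for access to ntds.dit, for file transfer and archiving tools, and for anomalous Kerberos TGS activity) lend themselves to simple triage rules over endpoint and Domain Controller logs. The following Python is an added example written for this article, not CSIRT or agency code: the log records, hostnames and account names are constructed, the tool-name sets and the "more than five distinct services in five minutes" threshold are assumptions to be tuned per environment, and event ID 4769 is the Windows "Kerberos service ticket was requested" event.

```python
"""Triage rules for three CSIRT technical measures (constructed example).

Rules implemented over constructed log records:
  1. a process command line that references ntds.dit (possible credential dump)
  2. a process image that is a known file-transfer or archiving tool
  3. one account requesting Kerberos service tickets (event ID 4769) for
     many distinct services inside a short window (anomalous TGS activity)
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption: tool names to watch; extend with what your environment uses.
TRANSFER_TOOLS = {"rclone.exe", "filezilla.exe"}
ARCHIVE_TOOLS = {"7z.exe", "winrar.exe", "rar.exe"}


@dataclass
class Finding:
    rule: str
    host: str
    detail: str


def check_process(rec):
    """Rules 1 and 2 over a single process-creation record."""
    findings = []
    image = rec["image"].rsplit("\\", 1)[-1].lower()
    cmd = rec["cmdline"].lower()
    if "ntds.dit" in cmd:
        findings.append(Finding("ntds_dit_access", rec["host"], rec["cmdline"]))
    if image in TRANSFER_TOOLS:
        findings.append(Finding("file_transfer_tool", rec["host"], image))
    if image in ARCHIVE_TOOLS:
        findings.append(Finding("archive_tool", rec["host"], image))
    return findings


def check_tgs_burst(events, max_services=5, window=timedelta(minutes=5)):
    """Rule 3: per account, count distinct services requested in a sliding window."""
    by_user = defaultdict(list)
    for ev in events:
        if ev["event_id"] == 4769:
            by_user[ev["account"]].append((ev["time"], ev["service"], ev["host"]))
    findings = []
    for user, reqs in by_user.items():
        reqs.sort()
        for i, (t0, _, host) in enumerate(reqs):
            services = {svc for t, svc, _ in reqs[i:] if t - t0 <= window}
            if len(services) > max_services:
                findings.append(Finding("tgs_burst", host,
                                        f"{user}: {len(services)} services within {window}"))
                break  # one finding per account is enough for triage
    return findings


def triage(process_log, kerberos_log):
    """Run all rules and return the combined findings."""
    findings = []
    for rec in process_log:
        findings.extend(check_process(rec))
    findings.extend(check_tgs_burst(kerberos_log))
    return findings


# Constructed sample data (not real telemetry).
PROCESS_LOG = [
    {"host": "ws-42", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c copy \\dc01\c$\Windows\NTDS\ntds.dit C:\temp\n.dit"},
    {"host": "ws-42", "image": r"C:\Users\a\Downloads\rclone.exe",
     "cmdline": r"rclone.exe sync C:\share remote:bucket"},
    {"host": "ws-07", "image": r"C:\Program Files\7-Zip\7z.exe",
     "cmdline": r"7z.exe a out.7z C:\docs"},
    {"host": "ws-07", "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
]

_T0 = datetime(2022, 2, 24, 9, 0, 0)
KERBEROS_LOG = (
    # svc_backup asks for six different service tickets within one minute
    [{"host": "dc01", "event_id": 4769, "account": "svc_backup",
      "service": f"svc{i}", "time": _T0 + timedelta(seconds=10 * i)} for i in range(6)]
    # alice asks for two, which is normal
    + [{"host": "dc01", "event_id": 4769, "account": "alice",
        "service": s, "time": _T0 + timedelta(minutes=m)} for m, s in ((1, "cifs"), (2, "http"))]
)

if __name__ == "__main__":
    for f in triage(PROCESS_LOG, KERBEROS_LOG):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

Each rule is deliberately narrow: the point of the CSIRT measure is to raise attention on a few high-signal events, so a match is a triage prompt for the incident response team rather than a verdict on its own.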
