A top cyber official said Friday that the United States has evidence of massive denial of service and SMS spam campaigns in Ukraine originating in Russia, while another official said at a separate event that the U.S. knew of "no specific credible threats to the U.S. homeland."
“We believe that the Russian government is responsible for widescale cyberattacks on Ukrainian banks this week,” Deputy National Security Advisor for Cyber Anne Neuberger said at a briefing with reporters, citing a high volume of traffic from Russia's GRU, its military intelligence service, to Ukrainian IP addresses and domains as evidence for an informal attribution.
The attacks on Ukraine were two-fold. The first stage saw a denial of service campaign degrade bank services. A second phase spammed customers with text messages saying the banks were no longer in service.
At a webinar hosted by the Aspen Institute on Friday, Mandiant Senior Vice President and Head of Global Intelligence Sandra Joyce said it was the text messages that were particularly devious.
"Messages going out to bank customers telling them that their bank doesn't work, that the website is down, has a two-fold effect," she said. "One, it drives more traffic to the bank itself feeding that DDoS incident but also it, probably more importantly, drives up that fear driving up the uncertainty around can the Ukrainian government protect itself."
CISA has issued several warnings since the start of heightened Russian tensions asking U.S. critical infrastructure to, in language Director Jen Easterly has repeatedly used, go "shields up" in preparation for potential cyberattacks reaching Americans.
Those attacks could take multiple forms, with CISA warning of both potential direct attacks against U.S. infrastructure in retaliation for American or NATO involvement in the Ukraine situation, and spillover from attacks against Ukraine exceeding their intended targets.
At the Aspen Institute event, Easterly said: "There are no specific credible threats to the U.S. homeland that we know of currently, [but] we all recognize that threats to our digital infrastructure are, of course, not bound by national borders, and we saw that very starkly in July of 2017."
In July of 2017, in attacks the U.S. and international community have attributed to Russia, the NotPetya wiper malware was sent as a malicious update for accounting software used for Ukrainian tax purposes. But the malware would spread far beyond Ukraine, causing global damage to major businesses, including pharmaceutical giant Merck and law firm DLA Piper.
Easterly provided opening remarks for the Aspen event, asking enterprises to take four key steps to prevent potential impact from the conflict: preemptively take steps to prevent attacks, hunt for potential intrusions, prepare incident response, and test all back-up systems.
"I would say of the guidance that we have been providing perhaps the most critical is that organizations need to lower their thresholds for escalating anomalous activity and sharing that information with the government," she said, later adding: "Early warnings of a cyberattack affecting U.S. organizations are, frankly, going to be identified by, very likely, a private company first rather than the government."