- As the Russia-led invasion intensifies, Ukraine is being attacked by bombs and bytes. Cisco is working around the clock on a global, company-wide effort to protect our customers there and ensure that nothing goes dark.
- Cisco Talos has taken the extraordinary step of directly operating security products 24/7 for critical customers in Ukraine while over 500 employees across Cisco have come together to assist in collecting open-source (public) intelligence.
- In critical Ukrainian networks, we are taking advantage of advanced product features to create Ukraine-specific protections based on intelligence we have received.
- We are closely monitoring telemetry and aggressively convicting threats to protect both our Ukrainian and global customers.
- Customers with a mature security model should design their intelligence programs to drive changes in the organization’s defensive posture based on their findings.
- We have been successful in our work in Ukraine up to this point and will continue to support our partners there
You may not have noticed, but Cisco has been a different place in the past month. The unjust invasion of Ukraine, and the sense of helplessness we all have felt, has created a motivated collection of Cisco employees working to make life just a little safer and easier in a part of the world many have never been. Teams have set aside their normal tasks and now watch over Ukranian networks, some have focused on caring for and protecting refugees and others have turned their obsession with social media into a critical component of our open-source intelligence work. The plans have been creative and, while many would have been unthinkable just a week ago, approvals have come fast and everyone has been stretching far beyond their normal workload.
In today’s situation in Ukraine, lives and livelihoods depend on the up-time of systems. Trains need to run, people need to buy gas and groceries, the government needs to get messages out to civilians for morale and for safety. Cybersecurity can be invisible behind all of this. In this blog we talk about a small part of Cisco’s response to this crisis. It is just one of many stories about how the people that make Cisco what it is have responded to an unprecedented crisis. There are lessons here for the defender as well, on what a world-class intelligence team can do when handed a network to defend and a capable set of security tools. But mostly this is a story about the people – from the cubicle to the C-Suite – who would do what little they could.
Calm Before the Storm
This effort has extended through all parts of Cisco and started with Talos – Cisco’s threat intelligence arm – more than a month ago, when we initiated an internal process to manage large-scale events. We began by increasing monitoring in Ukraine as the Russian troop buildup continued. Telemetry from Ukraine customers was closely scrutinized by intelligence analysts and our SecureX Hunting team. At that point, we were not working with customers directly, just quietly watching over them.
As it became clear that there was a real possibility that Russia would invade, our intelligence team began its quiet work. We do not talk about this a lot, but speaking broadly, any major event will have many small groups of researchers who have grown to trust each other cooperating and sharing information that is not publicly available. Most of these groups are informal, but one of the newer ones, the Joint Cyber Defense Collaborative (JCDC), which works out of the Cybersecurity and Infrastructure Security Agency (CISA), has been public that it is serving as a platform for collaboration between public and private sector partners. Whether organized or informal, public or private, all these groups have been eager to work together to protect Ukraine and the world from Russian aggression online.
When both the website defacements and the first WhisperGate malware deployments occurred in mid-January, we were contacted by three Ukrainian government agencies we have worked with in the past. From that point on, we have continued to support the State Special Communications Service of Ukraine (SSSCIP), the Cyberpolice Department of the National Police of Ukraine and the National Coordination Center for Cybersecurity (NCCC at the NSDC of Ukraine). This support has largely taken the form of incident response, and we have turned the lessons learned in those responses into protections for all our customers.
Our investigations with our government partners in Ukraine led to additional protections for our customers globally as well as a blog post to inform the world of the threats we were aware of and our perspective on those threats. This is a common cycle that has been repeated both before and after the WhisperGate deployments: Ukraine experiences an event, we help investigate, we publish new protections based on what we learned and share our understanding of what happened.
A Growing Threat
As the invasion approached, there were other minor events, but none that had any appreciable impact. These were distributed denial-of-service (DDoS) or unsuccessful wiper attacks and an unconfirmed manipulation of Border Gateway Protocol (BGP) routing. Our assessment is that the best of Russia’s cyber capability was focused elsewhere, likely in espionage activities trying to understand the global response to Russia’s invasion. Regardless of the reason, there were no major cyber incidents against Ukraine in the days leading up to the invasion.
Once the invasion began, things moved very quickly. The amount of information to be processed about what was happening in Ukraine exploded. Talos would like to thank the over 500 Cisco employees from a variety of backgrounds and with many different skillsets who have joined a space dedicated to sharing open-source intelligence about Ukraine to ensure that the intelligence team didn’t miss anything.
Early on, we deployed Secure Endpoint in some new environments under a demo license that was set to expire. When we went to the business to extend it, the decision was made to extend all security licenses for all Cisco customers in Ukraine. During this chaotic period, no customer would lose protection because they were dealing with more important matters than license renewals.
Defending Critical Networks
Additionally, we extended a new offer to critical organizations in Ukraine: Talos would monitor their Secure Endpoint configurations, modify them based on our intelligence and aggressively hunt in their environments for threats at no cost. For each organization that accepted this offer, we assigned a set of engineers to manage the protections and configurations and two hunters from Talos to work with that specific data set.
One of our frequent recommendations to mature organizations is to have an intelligence operation that drives material protections into their defensive tools. Here is an example of why we make this recommendation: In reviewing several pieces of malware, we found multiple command and control (C2) servers in a certain network. Typically, we would block those IPs and move on. But within the context of a nation under an existential threat, for Secure Endpoint installations we control we blocked the entire network so that if additional C2s opened, they were already blocked. This isn’t appropriate globally – we have no idea what the connectivity needs are for all our customers – but when tasked only with making decisions for Ukranian critical infrastructure, it’s an easy call.
Another example is the case of HermeticWiper. As part of its activity, the malware drops one of several drivers to support its wiper actions. In Ukraine, for networks we’re actively protecting, we chose to block all of these drivers. Again, globally, we can’t do that – some of our customers may well be using the software that those drivers were stolen from. But when we are looking only from Ukraine’s perspective, we can check the network quickly to confirm those hashes aren’t in use and block them.
In both cases, we are building our defense in depth. Ideally, we block HermeticWiper or a variant when it drops – but if we don’t, then the drivers are blocked. Hopefully, we block any trojan that uses the network we described above when it is dropped by a loader, but if we don’t, then the C2 communications themselves will be blocked. We are always looking for ways to layer defenses so if the adversary out-maneuvers us in one area, we have protections waiting for them.
So far, this activity has been successful in protecting our customers, including blocking what we assess to be wiper attacks very early in the attack chain. The work of our intelligence group – and let me be clear that this includes our cooperation with organizations and individuals outside of Cisco – has allowed us to have insight into several different attack chains. While we can’t publish this information because of information-sharing restrictions (mainly to protect operational security), we can leverage that information in specific networks, blocking certain things or writing advanced content signatures that look for certain patterns. This intelligence work has led directly to successful defense in Ukraine. For that, we thank all the unnamed partners – corporations and individuals – who have quietly worked with us.
Guidance for Customers
Now is not the time to tell every story, but we shared these examples because of the risk that this conflict will extend beyond the borders of Ukraine. Organizations globally should look at their intelligence teams and work to ensure they are directly driving the defensive posture of the organization. Organizations should consider how their tolerance for false positives has changed given the current threat environment and allow their teams to move more aggressively if possible.
The world right now is more dangerous than it has been in decades, and organizations need to be creative in how they restructure their defenses. We often say that in the end, humans are the most critical part of your defense. This is the kind of threat we have in mind when we make that statement.
For our part, Cisco will continue to stand beside our customers as they build resilient networks to face the many possible futures in front of us.
Cisco Talos, the largest non-governmental threat intelligence organization in the world, actively discovers new vulnerabilities, hunts malicious actors and malware campaigns, and works with governments and cyber intelligence agencies across the globe to make the Internet a safer space.
Talos is sharing its findings related to the ongoing Russian conflict here: Current executive guidance for ongoing cyberattacks in Ukraine