USTRANSCOM Cybersecurity Newsletter

Feb 16, 2022 | Cybersecurity

I am sure most of you are already aware of the potential threats of Russia invading Ukraine. CISA and DHS have assessed there is a high likelihood that cyberattacks will be part of Russia’s playbook if they choose to invade. This out-of-cycle newsletter is being sent out to highlight actions we can take now to reduce the impact these attacks may potentially have on our organizations. The Cybersecurity and Infrastructure Security Agency (CISA) has provided recommendations that organizations can implement to make near-term progress toward improving cybersecurity and resilience. I have also included some recent activity that highlights potential attack vectors and shows how these cyberattacks are not just targeting Ukraine.

Reduce the likelihood of a damaging cyber intrusion

  • Validate that all remote access to the organization’s network and privileged or administrative access requires multi-factor authentication.
  • Ensure that software is up to date, prioritizing updates that address known exploited vulnerabilities identified by CISA.
  • Confirm that the organization’s IT personnel have disabled all ports and protocols that are not essential for business purposes.
  • If the organization is using cloud services, ensure that IT personnel have reviewed and implemented strong controls outlined in CISA’s guidance.
  • Sign up for CISA’s free cyber hygiene services, including vulnerability scanning, to help reduce exposure to threats.

Take steps to quickly detect a potential intrusion

  • Ensure that cybersecurity/IT personnel are focused on identifying and quickly assessing any unexpected or unusual network behavior. Enable logging in order to better investigate issues or events.
  • Confirm that the organization’s entire network is protected by antivirus/antimalware software and that signatures in these tools are updated.
  • If working with Ukrainian organizations, take extra care to monitor, inspect, and isolate traffic from those organizations; closely review access controls for that traffic.

Ensure that the organization is prepared to respond if an intrusion occurs

  • Designate a crisis-response team with main points of contact for a suspected cybersecurity incident and roles/responsibilities within the organization, including technology, communications, legal, and business continuity.
  • Assure availability of key personnel; identify means to provide surge support for responding to an incident.
  • Conduct a tabletop exercise to ensure that all participants understand their roles during an incident.

Maximize the organization’s resilience to a destructive cyber incident

  • Test backup procedures to ensure that critical data can be rapidly restored if the organization is impacted by ransomware or a destructive cyberattack; ensure that backups are isolated from network connections.
  • If using industrial control systems or operational technology, conduct a test of manual controls to ensure that critical functions remain operable if the organization’s network is unavailable or untrusted.

NOTE: CISA, the FBI, and other U.S. government partners are positioned to support you. Our team is available to discuss any concerns your organization may have.

Recent Activity

Ukraine and Western Europe

  • On 15 Feb, the websites of Ukraine’s defense ministry, armed forces, and the state banks Privatbank and Oschadbank were taken down. The state center for information security blames a DDoS attack. Ukrainska Pravda reports this is the most powerful cyber attack yet, citing sources in the government.
  • On 29 Jan, a cyberattack targeted IT systems in the German-owned oil trading firm Mabanaft and storage company Oiltanking. The attack also affected Belgium’s SEA-TANK and Dutch fuel storage firm Evos. No attribution at this time; however, the malware utilized has been attributed to Russian cyber actors. Mabanaft is a key supplier of oil products such as heating oil, diesel, jet fuel, gasoline, and other oil products in Germany and the neighboring Amsterdam-Rotterdam-Antwerp area.
  • On 14 Jan, a cyberattack took down around 70 Ukrainian government websites, including the Ministry of Foreign Affairs, the Cabinet of Ministers, and the Secretary and Defense Council. Hackers replaced the websites with text stating, “be afraid and wait for the worst” and alleged that personal information had been leaked to the Internet. Ukraine blamed a hacker group linked to Belarusian intelligence for the attack and also suggested involvement of the Russian Federation. Russia denied the allegations.
  • A separate destructive malware attack took place around the same time, first detected by Microsoft’s Threat Intelligence Center on 13 January. The malware was installed on devices belonging to multiple government, non-profit, and information technology organizations in Ukraine. The software was designed to look like ransomware, but lacks a recovery feature, indicating an intent to simply destroy files instead of encrypting them for ransom.

  • In late Jan, a multi-day cyberattack hit Global Affairs Canada, hampering some of the Ministry’s internet-connected services. It is not clear if the Russians, the alleged perpetrators, hacked into the system or were able to merely disrupt its service.
  • Around the same time, the Communications Security Establishment, Canada’s cyber security agency, issued a warning to bolster network security in anticipation of Russia-based cyberattacks on critical infrastructure. Canada has been vocal in its support for Ukraine and recently announced a $120M loan to the Ukrainian government and recommitted Canadian soldiers to train Kyiv’s security forces.

United States

  • On 23 Jan, the Department of Homeland Security distributed a memo to critical infrastructure operators and state and local governments warning that Russia could launch a cyberattack on US targets if it feels its long-term security is threatened by NATO or US response to what’s going on in Ukraine.
  • While there are not currently any specific credible threats to the U.S. homeland, CISA is mindful of the potential for the Russian government to consider escalating its destabilizing actions in ways that may impact others outside of Ukraine.
Further Details

CISA Alert AA22-011A Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure; CISA, 11 Jan 2022
This joint Cybersecurity Advisory (CSA)—authored by the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and National Security Agency (NSA)—is part of our continuing cybersecurity mission to warn organizations of cyber threats and help the cybersecurity community reduce the risk presented by these threats. This CSA provides an overview of Russian state-sponsored cyber operations; commonly observed tactics, techniques, and procedures (TTPs); detection actions; incident response guidance; and mitigations. This overview is intended to help the cybersecurity community reduce the risk presented by these threats. Link to Alert:

CISA Urges Organizations to Implement Immediate Cybersecurity Measures to Protect Against Potential Threats; CISA, 21 Jan 2022
In response to recent malicious cyber incidents in Ukraine—including the defacement of government websites and the presence of potentially destructive malware on Ukrainian systems—CISA has published CISA Insights: Implement Cybersecurity Measures Now to Protect Against Potential Critical Threats. The CISA Insights strongly urges leaders and network defenders to be on alert for malicious cyber activity and provides a checklist of concrete actions that every organization—regardless of sector or size—can take immediately. Link to CISA Insights:

Ukraine Ministry of Defense confirms DDoS attack; state banks lose connectivity; ZDNet, Greig, 15 Feb 2022
The Ukrainian Defense Ministry and several state-backed banks were hit with distributed denial-of-service (DDoS) incidents or disruptions on Tuesday. The Defense Ministry website is down, and it confirmed that it was attacked, telling the public that it will be communicating through Twitter and Facebook. “The MOU website was probably attacked by DDoS. An excessive number of requests per second were recorded. Technical works on restoration of regular functioning are being carried out,” the Defense Ministry said on Tuesday afternoon. Link to Article:

By Patrick Grimsley, CISO, Chief, Information Security Division, U.S. Transportation Command, TCJ6