NCSC advises organisations to act following Russia’s attack on Ukraine

Following Russia’s unprovoked, premeditated attack on Ukraine, the National Cyber Security Centre continues to call upon on organisations in the UK, and beyond, to bolster their online defences.

The NCSC – which is a part of GCHQ – has urged organisations to follow its guidance on steps to take when the cyber threat is heightened.

While the NCSC is not aware of any current specific threats to UK organisations in relation to events in and around Ukraine, there has been an historical pattern of cyber attacks on Ukraine with international consequences.

The guidance encourages organisations to follow actionable steps that reduce the risk of falling victim to an attack.

For the NCSC Guidance visit https://www.ncsc.gov.uk/guidance/actions-to-take-when-the-cyber-threat-is-heightened

Deputy Secretary General stresses NATO will continue to increase Ukraine’s cyber defences

Deputy Secretary General Mircea Geoană participated virtually at the Cybersec Global 2022 event. Focusing on the tensions between Russia and Ukraine during his keynote speech, the Deputy Secretary General stressed that NATO has been working with Ukraine for years to increase its cyber defences, and will continue to do so at pace.

He said: “The use of hybrid attacks against Ukraine, including cyber-attacks and disinformation, as well as the massing of advanced weapons on its borders, underlines the key role of advanced technology in modern warfare”.

The Deputy Secretary General pointed out that “China and Russia are investing heavily and deploying new technologies with little regard for human rights or international law, aggressively challenging our technological edge”. He recalled that last summer Allies had agreed a new comprehensive cyber defence policy for NATO and went on to say that “we are strengthening our cyber defences and increasing the resilience of our critical infrastructure and supply chains to reduce our vulnerabilities”.

The Deputy Secretary General also noted NATO’s leading role with regard to the new technologies, in areas such as artificial intelligence, autonomous systems, biotechnology, big data, hypersonics, quantum computing and space. He underlined that to avoid any technology gaps, “we are making sure that transatlantic innovation benefits all Allies”. Mr. Geoană emphasized that NATO’s strength comes from its unity and its ability to adapt to remain strong and “retaining our technological edge is a big part of this”, he added.

2nd edition of National Cybersecurity Strategy Guide Launched

The Guide to Developing a National Cybersecurity Strategy is one of the most comprehensive overviews of what constitute successful cybersecurity strategies. It is the result of a unique, collaborative, and equitable multi-stakeholder effort.

Over the last two decades, people worldwide have benefitted from the growth and adoption of information and communication technologies (ICTs) and associated socio-economic and political opportunities. Digital transformation can be a powerful enabler of inclusive and sustainable development, but only if the underlying infrastructure and services that depend on it are safe, secure, and resilient. To reap the benefits and manage the challenges of digitalization, countries need to frame the proliferation of ICT-enabled infrastructures and services within a comprehensive national cybersecurity strategy.

To help governments in this endeavour, a consortium of partner organisations jointly developed and published the first Guide to Developing a National Cybersecurity Strategy (NCS) in 2018. Since then, the number of national cybersecurity strategies or frameworks worldwide has increased significantly. In 2018, only 76 countries had adopted a strategy while today more than 127 countries have such strategies in place, and many have used the Guide as a reference and blueprint.1

However, the fast-changing nature of cyberspace, the increased dependency on ICT, and the proliferation of digital risks all call for continuous improvements to national cybersecurity strategies. Most countries have both accelerated their digital transformation and become increasingly concerned about the immediate and future threats to their critical services, infrastructures, sectors, institutions, and businesses, as well as to international peace and security, that could result from the misuse of digital technologies and inadequate resilience.

This second edition of the Guide could not come at a more critical time. The updated content reflects the complex and evolving nature of cyberspace, as well as the main trends that can impact cybersecurity and should, therefore, be included into national strategic planning. The objective of the Guide is to instigate strategic thinking and continue supporting national leaders and policy-makers in the ongoing development, establishment, and implementation of such national cybersecurity strategies and policies. We are confident that this new Guide will serve as a useful tool for all stakeholders with cybersecurity responsibilities.

The purpose of the report is to guide national leaders and policy-makers in the development of a National Cybersecurity Strategy, and in thinking strategically about cybersecurity, cyber-preparedness and resilience.

This Guide aims to provide a useful, flexible and user-friendly framework to set the context of a country’s socio-economic vision and current security posture and to assist policy-makers in the development of a Strategy that takes into consideration a country’s specific situation, cultural and societal values, and that encourages the pursuit of secure, resilient, ICT-enhanced and connected societies.

The Guide is a unique resource, as it provides a framework that has been agreed on by organisations with demonstrated and diverse experience in this topic area and builds on their prior work in this space. As such, it offers the most comprehensive overview to date of what constitutes successful national cybersecurity strategies.

CISA Releases Directive on Reducing the Significant Risk of Known Exploited Vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities, to drive urgent and prioritized remediation of vulnerabilities that are being actively exploited by adversaries. The Directive establishes a CISA-managed catalog of known exploited vulnerabilities and requires federal civilian agencies to remediate such vulnerabilities within specific timeframes.

CISA issued BOD 22-01 to drive federal agencies to mitigate actively exploited vulnerabilities on their networks, sending a clear message to all organizations across the country to focus patching on the subset of vulnerabilities that are causing harm now, and enable CISA to drive continuous prioritization of vulnerabilities based on our understanding of adversary activity. The Directive applies to all software and hardware found on federal information systems, including those managed on agency premises or hosted by third parties on an agency’s behalf. With this Directive, CISA is imposing the first government-wide requirements to remediate vulnerabilities affecting both internet-facing and non-internet facing assets.

“Every day, our adversaries are using known vulnerabilities to target federal agencies. As the operational lead for federal cybersecurity, we are using our directive authority to drive cybersecurity efforts toward mitigation of those specific vulnerabilities that we know to be actively used by malicious cyber actors,” said CISA Director Jen Easterly. “The Directive lays out clear requirements for federal civilian agencies to take immediate action to improve their vulnerability management practices and dramatically reduce their exposure to cyber attacks. While this Directive applies to federal civilian agencies, we know that organizations across the country, including critical infrastructure entities, are targeted using these same vulnerabilities. It is therefore critical that every organization adopt this Directive and prioritize mitigation of vulnerabilities listed in CISA’s public catalog.”

With over 18,000 vulnerabilities identified in 2020 alone, organizations in the public and private sector find it challenging to prioritize limited resources toward remediating the vulnerabilities that are most likely to result in a damaging intrusion. This Directive addresses this challenge by driving mitigations of those vulnerabilities that are being actively exploited to compromise federal agencies and American businesses, building upon existing methods widely used to prioritize vulnerabilities by many organizations today.

This Directive applies to federal civilian agencies however, CISA strongly recommends that private businesses and state, local, tribal and territorial (SLTT) governments prioritize mitigation of vulnerabilities listed in CISA’s public catalog and sign up to receive notifications when new vulnerabilities are added.

NSA, CISA, and FBI detail Chinese State-Sponsored Actions, Mitigations

The National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) released a Cybersecurity Advisory, Chinese State-Sponsored Cyber Operations: Observed TTPs. This advisory describes over 50 tactics, techniques, and procedures (TTPs) Chinese state-sponsored cyber actors used when targeting U.S. and allied networks, and details mitigations.
Chinese state-sponsored cyber activity poses a major threat to U.S. and allied systems. These actors aggressively target political, economic, military, educational, and critical infrastructure personnel and organizations to access valuable, sensitive data. These cyber operations support China’s long-term economic and military objectives.
One significant tactic detailed in the advisory includes the exploitation of public vulnerabilities within days of their public disclosure, often in major applications, such as Pulse Secure, Apache, F5 Big-IP, and Microsoft products. This advisory provides specific mitigations for detailed tactics and techniques aligned to the recently released, NSA-funded MITRE D3FEND framework.
General mitigations outlined include: prompt patching; enhanced monitoring of network traffic, email, and endpoint systems; and the use of protection capabilities, such as an antivirus and strong authentication, to stop malicious activity.

Microsoft update on brute force and password spraying activity

The NCSC has issued advice to organisations following an update from Microsoft on malicious cyber campaigns.
Microsoft has revealed that it had identified new activity from an Advanced Persistent Threat (APT) known as NOBELIUM targeting organisations globally.
The Microsoft Threat Intelligence Center says that this activity was mostly unsuccessful.
The NCSC has observed an increase in activity as part of malicious email and password spraying campaigns against a limited number of UK organisations. We are supporting those affected and would urge all organisations to familiarise themselves with our guidance on mitigating phishing attacks, including how to block phishing emails and how to implement two-factor/multi-factor authentication:
- Phishing attacks: defending your organisation
- Multi-factor authentication for online services
- Identity and access management (part of the 10 steps to cyber security collection)
- Home working: preparing your organisation and staff
The following blog posts from Microsoft provide further details, including IoCs, detection and mitigation advice:
- New Nobelium activity – Microsoft Security Response Center
- Investigating and Mitigating Malicious Drivers – Microsoft Security Response Center
- Nobelium Resource Center – updated March 4, 2021 – Microsoft Security Response Center

CISA Publish Rising Ransomware Threat to Operational Technology Assets Fact Sheet

CISA has published Rising Ransomware Threat to Operational Technology Assets, a fact sheet for critical infrastructure owners and operators detailing the rising threat of ransomware to operational technology (OT) assets and control systems. The document includes several recommended actions and resources that critical infrastructure entities should implement to reduce the risk of this threat.
The guidance:
- Provides steps to prepare for, mitigate against, and respond to attacks;
- Details how the dependencies between an entity’s IT and OT systems can provide a path for attackers; and
- explains how to reduce the risk of severe business degradation if affected by ransomware
Given the importance of critical infrastructure to national security and America’s way of life, CISA published this fact sheet to help organizations build effective resilience.

Italy announced the creation of the national cybersecurity agency

The Italian government has announced the creation of a new agency focused on cybersecurity. Prime Minister Mario Draghi provided its strong commitment to the creation of the agency that is tasked to protect the country and its critical national infrastructure from cyber threats.
The creation of the agency follows warnings by Prime Minister Mario Draghi that Europe needed to protect itself from Russian "interference". The announcements comes after a slew of ransomware attacks in recent months, with recent high profile examples including Colonial Pipeline and JBS.
It will need to "protect national interests and the resilience of services and essential functions of the State from cyber threats," a government statement said. Speaking in Brussels, following a European Union summit, Draghi said urgent action was needed.
"We need to strengthen ourselves a lot, especially in terms of cybersecurity, all of us, at national level and at EU level... because the level of [Russian] interference both with spies and with manipulation of the web has become truly alarming," he said.
The new Italian cybersecurity agency will develop and implement cyber strategies to prevent, monitor, detect and mitigate cyber attacks, and increase the level of cyber security of the country’ infrastructures.

FS-ISAC Report Finds Cybercriminals and Nation-State Actors Converging, Increasing Cross-Border and Supply Chain Attacks

FS-ISAC, the only global cyber intelligence sharing community solely focused on financial services, announced today the findings of its latest report, which found that wittingly or otherwise, nation-states and cyber criminals are leveraging each other’s tools and tactics, leading to an increase in cross-border attacks targeting financial services suppliers.
The pandemic has accelerated digitization, connectivity, and the sector’s interdependence, as demonstrated by recent supply chain incidents. Increasingly, the financial sector needs a trusted conduit of real-time cyber information between institutions and third-parties.
"FS-ISAC was the logical host for us to brief the financial services sector to reach a critical mass of institutions around the world all at once," said Jonathan Yaron, CEO of Accellion. "This way, we could ensure that the industry received critical and correct information via a trusted source, enabling it to act quickly to mitigate the impact of the incident."
“Organizations properly practicing defense-in-depth with multi-layered controls are still vulnerable to large-scale and even systemic issues through third party suppliers,” said J.R. Manes, Global Head of Cyber Intelligence at HSBC. “The FS-ISAC community provides its members the visibility into emerging threats that could impact customers and business, even when they are not directly exposed. Ensuring and encouraging the sharing of cyber threat intelligence is a vital part of the defense of not only the financial sector, but the whole business ecosystem that runs on top of the Internet.”
FS-ISAC’s report outlines today’s top threats:
- Convergence of nation-states and cyber criminals: Nation-state actors are leveraging the skills and tools of cyber criminals, either knowingly or not, to enhance their own capabilities.
- Third-party risk on an upward trend: Suppliers to financial firms will continue to be lucrative targets for threat actors, as shown by three highly visible incidents in the last two quarters.
- Cross-border attacks will increase: Cyber criminals test their attack in one country before hitting multiple continents and sub-verticals, as shown by a DDoS extortion campaign targeting ~100 financial institutions in months.
“Trying to outpace evolving cyber threats diverts resources from a financial firm’s core business,” said Steve Silberstein, FS-ISAC CEO. “As the global fincyber utility, FS-ISAC enables industry-wide cross-border sharing to pool resources, expertise, and capabilities to manage cyber risks and incident response.”
Report Methodology
The Navigating Cyber 2021 report is derived from FS-ISAC’s rigorous threat intelligence monitoring maintained by its intelligence operations team. The intelligence is sourced from FS-ISAC's thousands of member financial firms in more than 70 countries and further augmented by analysis by the Global Intelligence Office. Multiple streams of intelligence were leveraged for the curation of the round-up, which examined data across a one year period from January 2020 to January 2021.

CISA releases new 5G paper with NSAcyber and ODNIgov: Potential Threat Vectors to 5G Infrastructure

Securing Critical Infrastructure operations means ensuring cybersecurity practices are incorporated within 5G.
The deployment of 5G has begun, and with it, a wealth of benefits that has the potential to impact every aspect of our lives and work. With faster connectivity, ultra-low latency, greater network capacity, 5G will redefine the operations of critical infrastructure activities from the plant floor to the cloud. It will enable large-scale connections, capabilities, and services that can pave the way for smart cities, remote surgery, autonomous vehicles, and other emergent technologies. However, these capabilities also make 5G networks an attractive target for criminals and foreign adversaries to exploit for valuable information and intelligence and even global disruption.
To secure the full scope of 5G use cases, it is critical that strong cybersecurity practices are incorporated within the design and development of 5G technology. In March 2020, the White House developed the National Strategy to Secure 5G, which outlines how the Nation will safeguard 5G infrastructure domestically and abroad. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency, and the Office of the Director of National Intelligence, as part of the Enduring Security Framework (ESF)—a cross-sector, public-private working group—initiated an assessment of the cybersecurity and vulnerabilities to 5G infrastructure. The ESF established the 5G Threat Model Working Panel which developed this paper, Potential Threat Vectors to 5G Infrastructure, to enhance understanding of the threats posed to 5G adoption.
The Working Panel reviewed existing bodies of public and private research and analysis to identify and generate an aggregated list of known and potential threats to the 5G environment. From that list, they identified three primary threat vectors areas—Policy and Standards, Supply Chain, and 5G Systems Architecture—and within these threat vectors, 11 sub-threats were identified as additional points of vulnerability for threat actors to exploit (i.e., open standards, counterfeit parts, and multi-access edge computing). This paper represents the beginning of the Working Panel’s thinking on the types of risks introduced by 5G adoption in the Unites States, and not the culmination of it.
With the promise of connectivity between billions of Internet of Things (IoT) devices, it is critical that government and industry collaborate to ensure that cybersecurity is prioritized within the design and development of 5G technology.
https://www.cisa.gov/publication/5g-potential-threat-vectors
1 2