Organisations using Russian-linked software or products have been told to take time to consider the risk involved with using those technologies following Russia’s invasion of Ukraine.
New guidance from the National Cyber Security Centre (NCSC) – part of GCHQ – says organisations in several key areas in particular should reconsider the risk of using Russian-controlled products as part of their network or supply chain because of the risk of potential cyber attacks.
The NCSC said that Russian law already contains legal obligations on companies to assist the Russian Federal Security Service (FSB), and the pressure to do so may increase in a time of war. And while it said there was no evidence that the Russian state intends to suborn Russian commercial products and services to cause damage to UK interests, the absence of evidence is not evidence of absence.
“In our view, it would be prudent to plan for the possibility that this could happen,” said Ian Levy, technical director at the NCSC in a blog post.
“You may choose to remove Russian products and services proactively, wait until your contract expires (or your next tech refresh), or do it in response to some geopolitical event. Alternatively, you may choose to live with the risk,” said Levy.
He added: “Whatever you choose, remember that cyber security, even in a time of global unrest, remains a balance of different risks. Rushing to change a product that’s deeply embedded in your enterprise could end up causing the very damage you’re trying to prevent.”
NCSC said organisations providing services to Ukraine and organisations or individuals doing work that could be seen as being counter to the Russian state’s interests, making them retaliatory targets for cyber attacks, should reconsider their risk.
Organisations involved in critical infrastructure, the public sector and high-profile organisations which if compromised, could represent what the NCSC describes as a ‘PR win’ for Russia are also urged to think about the risks of using Russia-linked software and technology products.
National security departments in government were advised against using cloud-enabled products where the supply chain included states like Russia in 2017, but following the invasion of Ukraine, others are being urged to consider the risks too.
It’s not possible for the NCSC to provide custom guidance on managing risk to every business, but it’s urging organisations to err on the side of caution, particularly if they’re more likely to be a target of Russian cyber aggression because of the invasion of Ukraine. Organisations should also consider how they could protect their network if those services are abused.
“This conflict has changed the world order, and the increased risk and uncertainty aren’t going away any time soon. However, the best thing to do is to make plans, ensure your systems are as resilient as practical and have good recovery plans,” said Levy.
SEE: A winning strategy for cybersecurity (ZDNet special report)
The NCSC also notes that any additional sanctions against Russia could means that services could be stopped at a moment’s notice, so organisations should examine how they would mitigate this.
Russian-state backed hackers are accused of being the perpetrators of several major hacking campaigns, including the SolarWinds supply chain attack.
In many instances, these attacks target the lowest hanging fruit, abusing unpatched software, weak passwords and poor network management. Organisations are urged to apply security patches and use strong passwords to help protect networks from nation-state hackers – and other cyber criminals who use the same tactics.
One of the most widely used forms of Russian-owned software is Kaspersky antivirus. According to the NCSC, individual users are highly unlikely to be targeted by any potential cyber attacks which look to abuse the software, meaning that “it’s safe to turn on and use at the moment,” according to Levy.
Nonetheless, it’s warned that if Kaspersky were to be subject to sanctions and the antivirus software stopped receiving updates, users may need to switch to another provider.
The NCSC will continue to evaluate the potential risk of cyber attacks by Russia – and other hostile groups – which could target the UK. The NCSC has previously issued guidance on what organisations can do to help protect their networks from cyber attacks which might occur as a result of Russia’s invasion of the Ukraine.
MORE ON CYBERSECURITY