February 25, 2022

Ukraine & Russia: InfoSec implications for UW


News and events are evolving quickly since the invasion of Ukraine on February 24, 2022. OIS staff will keep this page updated with any information relevant to cybersecurity at UW.

Latest updates

March 24, 2022

Security researchers report that a new tactic, dubbed “protestware,” has emerged in response to the ongoing crisis in Ukraine. Multiple maintainers of open source code libraries have committed changes that either display pro-Ukrainian messaging or wipe files on the host system if the host is detected to be on a Russian or Belarusian IP address. Most notably, the popular npm package ‘node-ipc’ was recently observed using this file-wiping technique. The Office of Information Security has added recommendations for UW developers in response to this new trend.

March 7, 2022
Russian cyber actors have begun to exploit the ongoing humanitarian crisis in Ukraine via phishing emails. These emails urge recipients to make digital donations to fake Ukrainian assistance websites, many of which were recently registered with “Ukraine” in the domain name. The Office of Information Security recommends staying vigilant against phishing, as this method of attack remains an effective way for a cyber attacker to intrude into a network.

Overview

The UW Office of Information Security (OIS) Cyber Intelligence team is aware of multiple reports from federal and state agencies warning of possible homeland cyber attacks stemming from the ongoing crisis in Ukraine. While there are currently no direct threats to the University, OIS is communicating steps you can take to reduce the likelihood that you fall victim to a cyber attack.

Issue

Security experts assess that Russian cyber actors will likely conduct disruption and demoralization campaigns targeting entities outside of Ukraine, including the U.S. homeland, if Russia perceives the U.S. to be a threat to its national security. These campaigns would likely resemble the website defacement, data wiping, and targeting of critical services observed against Ukrainian banks and government websites since January 2022. While some of these attacks could be well-constructed exploits of previously undisclosed vulnerabilities, cyber actors are likely to target publicly known and documented vulnerabilities first when attacking a system or device.

While UW stakeholders and OIS cannot defend against exploits of previously undisclosed vulnerabilities, we can reduce risk by mitigating known vulnerabilities on our systems. This guidance follows the Cybersecurity and Infrastructure Security Agency’s (CISA) “Shields Up” guidance against Russian cyber threats. The steps outlined in this alert are not only applicable to the current crisis unfolding in Europe; they reduce your overall information security risk and help secure your systems year-round.

Recommendations for UW students, faculty, and staff

There are a few best practices for securing your data and devices that go a long way toward protecting personal and UW institutional information from vulnerabilities and threats.

  1. Keep computers, laptops, devices, and applications updated and patched with the most recent operating systems and security updates. If you use computers and devices that are not managed by UW, configure them to update automatically.
  2. Use strong passwords on all accounts and devices and avoid using the same password for multiple accounts. Consider using a password manager.
  3. Opt in for multi-factor authentication to add an additional layer of security to your account. Find more info on how to opt in to 2FA on the web on IT Connect.
  4. Use anti-virus software and keep it updated. Members of the UW community can install a free version of Sophos anti-virus for home use and for unmanaged University-owned computers and devices.
  5. Don’t click suspicious links, and avoid opening email attachments unless you are expecting them and trust the sender. Review our phishing online training, phishing examples, and infographic.
  6. Attackers often exploit fear during uncertain times. Learn about various types of scams and know that they are constantly being adapted according to current events.
  7. Only use trusted networks protected with an appropriately complex password. Use Husky OnNet to connect to campus resources when working remotely and use eduroam for encrypted wireless connections on UW campuses.
  8. Keep your data and devices backed up and back up your backups. Find more information on the World Backup Day infographic.
  9. If you’re working from home, review our Working Remotely online training for tips.
  10. Review our Security 101 online training and infographic for more information and resources.
  11. Contact your IT support team or ciso@uw.edu with questions.

Find more tips on ready.gov/cybersecurity


Recommendations for Developers

  1. If you installed the npm package node-ipc at version 10.1.1 or 10.1.2, you installed a package with malicious code (CVE-2022-23812) that was geofenced to delete files on systems whose IP address is in Russia or Belarus. Update to version 10.1.3, or stay below 10.1.1, to avoid the malicious versions.
  2. As with the Log4j vulnerability, understand and inventory your package dependencies. If a component is not being used, disable or remove it. Only use supported libraries, and make a plan to migrate away from unmaintained ones.
  3. When specifying dependencies for software projects, avoid wildcards and open-ended ranges for version numbers; a range such as "^10.1.0" will silently pull in a newly published malicious release. Instead:
    • Specify exact dependency versions, and commit a lockfile so that installs are reproducible.
    • Bump versions manually when you are ready to update your project, after reviewing what changed.
    • Stick with trusted repositories and secure protocols (not plain http, unless the packages are cryptographically signed).
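As an added example (not code from the UW page or from the node-ipc project), the following Node.js script audits a project manifest and lockfile the way the recommendations above describe: it flags every dependency whose specifier is not an exact version, and it checks whether the node-ipc version actually resolved in package-lock.json falls within the malicious 10.1.1 to 10.1.2 range. The package.json and package-lock.json contents are constructed for illustration, and the function names are the author's own.

```javascript
// Added example, not from the UW advisory or the node-ipc project.
// Audits a constructed package.json / package-lock.json for loose version
// specifiers and for the malicious node-ipc versions named on this page.

// An exact specifier is x.y.z with no range operator (^, ~, *, >=, "latest").
const EXACT_VERSION = /^\d+\.\d+\.\d+$/;

// Constructed sample manifest for illustration only.
const samplePackageJson = {
  name: "example-app",
  dependencies: {
    "node-ipc": "^10.1.0", // caret range: silently accepts 10.1.1 and 10.1.2
    "express": "4.17.3",
    "lodash": "*",
  },
  devDependencies: {
    "jest": "27.5.1",
    "left-pad": "~1.3.0",
    "mocha": "latest",
  },
};

// Constructed lockfile fragment (lockfileVersion 2/3 "packages" map) showing
// what the caret range above could have resolved to on a fresh install.
const samplePackageLock = {
  lockfileVersion: 2,
  packages: {
    "node_modules/node-ipc": { version: "10.1.2" },
    "node_modules/express": { version: "4.17.3" },
  },
};

// Return every dependency whose specifier is not an exact x.y.z version.
function findLooseDependencies(pkg) {
  const loose = [];
  for (const field of ["dependencies", "devDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!EXACT_VERSION.test(spec)) loose.push({ field, name, spec });
    }
  }
  return loose;
}

// Minimal numeric x.y.z comparison (no prerelease handling; enough here).
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Affected range as stated on this page: 10.1.1 and 10.1.2 (CVE-2022-23812).
const NODE_IPC_AFFECTED = { min: "10.1.1", max: "10.1.2" };

function isAffectedNodeIpc(version) {
  return compareVersions(version, NODE_IPC_AFFECTED.min) >= 0 &&
         compareVersions(version, NODE_IPC_AFFECTED.max) <= 0;
}

// Version actually resolved in the lockfile, or null if the package is absent.
function lockedVersion(lock, name) {
  const entry = (lock.packages || {})[`node_modules/${name}`];
  return entry ? entry.version : null;
}

// Combined audit: loose specifiers plus the node-ipc check against the lockfile.
function auditProject(pkg, lock) {
  const nodeIpcVersion = lockedVersion(lock, "node-ipc");
  return {
    loose: findLooseDependencies(pkg),
    nodeIpc: {
      version: nodeIpcVersion,
      affected: nodeIpcVersion !== null && isAffectedNodeIpc(nodeIpcVersion),
    },
  };
}

const report = auditProject(samplePackageJson, samplePackageLock);
for (const d of report.loose) {
  console.log(`loose specifier: ${d.field}.${d.name} = "${d.spec}"`);
}
if (report.nodeIpc.affected) {
  console.log(`node-ipc ${report.nodeIpc.version} is in the affected range; update to 10.1.3`);
}
```

Run it with `node audit.js`; in a real project, replace the two embedded constants with `JSON.parse(fs.readFileSync(...))` of the actual files. The check is run against the lockfile rather than the manifest because the lockfile records the version that was actually installed, which a caret range in package.json does not tell you.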

Recommendations for IT staff

  1. If you manage IT systems and assets for your unit or department, review your IT security plan and business continuity procedures. A one-hour review in a time of calm is far better than discovering gaps while responding during a crisis.
  2. Update and patch your systems. For your public IP space, use publicly available tools like Shodan to understand what cyber attackers can see on the Internet. For your private IP space, use UW-IT’s Infrastructure Software Tools and cross-check your equipment database to ensure no abandoned devices remain in your network space.
  3. Opt in for multi-factor authentication to add an additional layer of security to your account. This is especially important for community members who administer websites on UW shared hosting, as it helps mitigate defacement of their websites.
  4. Back up your backups, as data-wiping malware has been observed in multiple instances against Ukrainian public agencies. Keep at least one copy offline or otherwise unreachable from the systems it protects, since a wiper that can reach a backup can destroy it too.
    • Cloud administrators should review their configuration policies against CISA’s recommendations to strengthen protection of data stored in the cloud.
  5. Use UW-IT’s sponsored anti-virus software, Sophos. The Home Premium version may be used for personally-owned computers.
  6. Monitor for anomalies in your environments by enabling audit logging. While this is a daunting and sometimes unfeasible task for every device on your network, administrators can start by focusing on the critical assets identified in their security plan.
  7. Manage your organizational secrets, and reflect on questions such as:
    • Is your technical documentation accessible from the internet?
    • What could a cyber actor learn about your department from a Google search?
  8. Contact your IT support team or ciso@uw.edu with questions.

As always, if you suspect an incident or potential data breach, please follow our Report an Incident guidance and contact OIS at security@uw.edu.

Resources consulted

The White House: Warning to Protect against Russian Cyber Attacks

NIST National Vulnerability Database: CVE-2022-23812 Detail

Krebs on Security: Pro-Ukraine ‘Protestware’ Pushes Antiwar Ads, Geo-Targeted Malware

ABC News: DHS warns of Russian cyberattack on US if it responds to Ukraine invasion

Sophos: Cyberthreats during Russian-Ukrainian tensions: what can we learn from history to be prepared?

CISA Insights: Implement Cybersecurity Measures Now to Protect Against Potential Critical Threats

CISA: Reducing the Significant Risk of Known Exploited Vulnerabilities

CISA: Shields Up

Infoblox: Cyber Threat Advisory: Ukrainian Support Fraud