Finally time to go?
Recommended actions to protect corporate IT operations in light of USG alert to evacuate US citizens
In the spring of this year, KSG distributed a primer on preparing for a shutdown of operations in Russia. The escalation of tensions in Russia meet the conditions described in our triggers and companies should now implement steps towards an immediate cessation of business operations.
On September 27, the US Embassy in Russia issued an evacuation order to all US citizens in Russia, advising them to leave while commercial flights are still available and routes by car and bus are still open (see Security Alert here). The situation in Russia has become increasingly unstable and unsafe since the Russian government announced mobilization on September 21 in support of the war in Ukraine. In addition, Russian government officials have hinted at using nuclear weapons against Ukraine. Politico in a recent report cited five anonymous US administration officials that the US and allies are increasing intelligence collection to determine the possibility of nuclear use, but worry that preparation for use of a tactical nuke is hard to detect for technical reasons.
Separately, there are heightened concerns of Russian expansion of unconventional and hybrid threats against non-Ukrainian targets, particularly in the wake of the disruption of the Nord Stream 1 pipeline earlier this week. Danish intelligence and Swedish defense agencies believe two explosive charges were used against the subsea pipeline. The attacks came less than a day after Ukraine issued a warning of cyberattacks on critical infrastructure operators in Poland and the Baltic states. Bloomberg reported US officials have advised LNG carriers serving Europe to be on the alert, while German and Norwegian are boosting security to defend against sabotage threats to oil and gas infrastructure. The policy decision to attack critical infrastructure in non-combatant states that support civilians heralds a turning point in the war. Companies must act decisively to defend against worst case scenarios.
For organizations with remaining operations in Russian territory, our initial recommendations from the spring on managing a controlled shutdown are likely no longer feasible given the urgency of the need to get personnel out of the country. Accordingly, we have streamlined our guidance below to focus on a “crash plan” for a rapid shutdown of IT operations.
Technical Shutdown Steps
Deactivate in-country administrative access – This step is critical, but also will likely tip-off your Russian IT staff and would lead to a point-of-no-return on exiting the country.
Review identity provider policies and configuration looking for staff who may have the ability to modify roles, groups, and access. Pay particular attention to team members with access to reset passwords, unlock user accounts, and configure application access. Do this for both on-premise and hosted identity stores.
Remove access to those team members who can control building access, as those systems can provide physical access to critical systems found in server rooms, or controlled access.
If your organization uses a colocation provider in region, revoke access to request access and disable accounts in any available portals.
Implement blocking DLP policies – Turn up blocking DLP policies to the maximum extent to prevent exfiltration of corporate IP or PII.
Wipe high-risk internal servers – High-traffic servers, NAS, and SAN devices hosted in region cannot realistically be surveyed for all critical data and will need to be encrypted and/or wiped remotely.
NAS Filers can often be encrypted at the volume level and shutdown remotely.
SAN volumes can be encrypted and then deleted.
Windows servers can be encrypted with Bitlocker and off-device keying material added as required using manage-bde. This will allow for the protection of data using remote desktop or PowerShell.
Encrypt then destroy RAID volumes for servers and systems where specific controllers are used.
Deprovision access to intranet services – Eliminate access to internally hosted services using Layer-7 access control mechanisms.
Deprovision access to cloud services – Eliminate access to SaaS and other cloud services at a group level.
Lock/wipe endpoint PCs as appropriate – Companies might decide to allow employees to keep corporate mobile devices and laptops for humanitarian reasons (practically, getting hardware out of Russia has become extremely difficult and legally risky for Russians). Devices should, at a minimum be locked remotely, and if possible they should be wiped and returned to a no-OS or pre-setup mode.
Intune users can securely return a Bitlocker encrypted Windows machine to an out-of-box experience (OOBE).
Deprovision mobile devices – Likewise, companies might decide to allow mobile devices to stay with their ex-employees, but such devices should be deprovisioned and removed from MDM once local corporate apps are deleted.
Lock user accounts – User accounts should be locked in the corporate identity management system. Deleting accounts often causes data loss and should not be performed at this time.
Cut WAN access, maintaining a VPN backup – Finally, eliminate all Layer-3 communication via the WAN at a firewall or router outside of Russia. While you can keep the WAN link active for contingencies, you should assume that any live connections could be used as an entry point to your network.
KSG Partners with concerns or equities at risk of impact can reach out at firstname.lastname@example.org.