The developments in the war in Ukraine follow each other quickly, also in the domain of digital threats. At this moment, the NCSC has not received any concrete indications that the digital attacks related to the war in Ukraine are affecting the Netherlands, but does not exclude any potential impact and attacks in the future.
At this moment, international reporting has predominantly covered digital attacks that use DDoS and wiper ware (malware that permanently destroys data on systems). Different international hacker collectives are also mingling in the war. This involvement can lead to an increased number of digital attacks, that in the future may also have an impact on Dutch organizations.
Make sure that your digital resilience is fully in order. In this regard, the NCSC recommends to at least follow up the NCSC basic measures. The NCSC also provides additional short-term recommendations. For future developments, keep an eye on the timeline on the NCSC website. The NCSC keeps monitoring the situation closely and will continue to provide necessary information and recommendations. The timeline and recommendations are regularly updated.
Which digital attacks should you take into account?
On this page you will find an overview of the minimum kind of attacks that you should take into account and what your organization can do to prepare.
You can find information on how to deal with ransom- and wiper ware on this page. Take further measures to be able to continue working without the availability of potentially targeted systems or networks.
You can read more information on DDoS and how to deal with an attack on this page [available in Dutch only]. Take further measures to be able to continue working without the availability of the DDoS-targeted internet connection and systems
You can find more information on (spear)phishing and how to deal with an attack on this page [available in Dutch only].
- The spread of disinformation via hacked channels is a threat. Be alert on potential misuse of your public communication platforms.
- Monitor the activities on your social media accounts. Be alert on suspicious and deviant login attempts. The NCSC recommends the use of multifactor authentication for all social media accounts.
- Make sure that your employees use the by-you designated and accredited communication tools.
- Recommend your employees to be reluctant with sharing (personal) information on their social media accounts.
What can you do in the short term?
On this page you find actions to undertake in the short term to be prepared for a potential incident.
- Make sure that all updates are installed. This applies particularly to systems with a direct internet link.
- Go through your incident-response plans and make sure they are up-to-date.
- Make sure that your contact lists are available offline. Also consider your external contacts, such as service providers.
- Make sure that your employees are informed on whom to contact within your organization in case any suspicious signals are observed.
- Test your existing back-ups. Make an offline back-up, also if you normally don’t do so.
- Make sure that your logical and physical network prints are available offline.
- Improve the security of your e-mail servers by implementing SPF, DKIM and DMARC .
- For the most important information(systems), consider what you would like to know in case of a compromise and make sure that the corresponding logging is in order.
Focus points to suppliers
- Check on what suppliers you are dependent for your primary service.
- Make sure that your service suppliers have an up-to-date list of contact persons for your organizations.
- Be aware of potential disinformation in your communication with suppliers.
- Ask your suppliers to check the systems they manage for you on severe vulnerabilities.
- Check whether you use software from Russian or Ukrainian suppliers, and what impact the war has on the delivery, support and guarantees of/with that software.
Additional measures can be found in the Factsheet Checklist security of ICS/SCADA systems.
Operational technology (OT/ICS)
Many of the above measures also apply to industrial organizations with primary processes that heavily rely on OT-systems. Below follow three OT-specific proceedings:
- Make sure to have adequate system protection that grants permission to networks with OT-systems, such as stepping stones, VPN’s and firewalls.
- Check whether the access to OT-environments is sufficiently protected, for instance by network segmenting.
- Be extra alert on the use of data carriers in OT-environments, since these can be potentially infected with malware. Think for instance of USB-sticks, mobile phones and laptops.
How to act in case of an incident?
In case of an incident or a strong suspicion thereof, we recommend you undertake the following actions:
- Isolate or disconnect the device from the network. In doing so, you prevent the further spread of malware or attacks through the network.
- In case you would like to have a forensic IT investigation conducted after an incident, and are insufficiently capable to do so yourself, get in contact with an organization that is specialized in this field in advance. Ask them how to respond to an incident and in which manner digital traces can be secured. Structure your incident procedure accordingly.
- In a virtualized environment, you can clone the infected systems and pause to secure the memory of the affected system. In doing so, don’t forget to isolate the host system.
- Secure the log documents that are important to the investigation. Think for instance of: network- and system logs. Log the actions you have undertaken on the affected system.
- Log all observations, undertaken procedures and actions in a logbook.
- Reset passwords and other forms of authentication for administrator and other system- or services-accounts.