The U.S. government is warning the cybersecurity community, particularly those responsible for American utilities and other critical infrastructure, to brace for a wave of cyberattacks that might be launched by Russia ahead of military action against Ukraine.

Tensions between Russia and Ukraine have been rising over the last couple of months, with Russia stationing thousands of troops on the border and conducting joint military exercises with neighboring Belarus. Russian President Vladimir Putin denies he plans to invade but has also demanded concessions from the U.S. and its allies, including an end to military activities by NATO in Poland and other former Soviet republics, and denying Ukraine membership in the alliance. U.S. and NATO officials said Wednesday that they had rejected both demands.

There are also signs that the conflict is spreading into the electronic realm. Earlier this month Ukrainian officials reported cyberattacks against the websites of multiple government departments, including the ministries of foreign affairs, defense and education. While the hackers have not been identified, their messages contain multiple references to past conflicts between Ukraine and the Soviet Union, leading Ukraine’s government to suspect Russia’s involvement.

With U.S. officials fearing similar attacks against their public and private sectors, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), along with the FBI and National Security Agency, issued a joint cybersecurity advisory earlier this month urging cybersecurity workers to “adopt a heightened state of awareness and to conduct proactive threat hunting” against tactics used in previous Russian-attributed cyberattacks.

Those attacks include assaults in 2015 and 2016 against Ukraine’s power grid, for which a Pittsburgh grand jury indicted six Russian military intelligence officers in 2020. (See Six Russians Charged for Ukraine Cyberattacks.) CISA also accused Russia of sponsoring an “intrusion campaign” against the global energy sector that spanned the better part of a decade, along with 2020’s hack of the SolarWinds Orion product that may have infected thousands of organizations with malware, including the Department of Energy and FERC. (See FERC, E-ISAC Report Details Reach of SolarWinds Compromise.)

The advisory includes tactics, techniques and procedures (TTPs) commonly seen in Russia-sponsored hacking operations, such as the use of virtual private servers to route traffic to targets; brute-force password guessing, password spraying and spearphishing campaigns; compromising trusted third-party software to gain access to victim organizations; and using previously compromised accounts to raise their user privileges on compromised systems.

CISA also provided tips on detecting when malicious actors have established a presence in a company’s network. Suspected victims are advised to implement robust log collection and retention to help investigate incidents and discover suspicious activity. Behavioral evidence such as the same user logging in from geographically separate locations, along with electronic artifacts created by bot activity, can also provide evidence of dangerous activity.

Additional recommended steps for enhancing organizations’ cyber readiness include preparing response plans that assign main points of contact, as well as roles and responsibilities, in a suspected incident, and detail staffing plans to avoid overwhelming IT staff. The agencies also advise cyber professionals to conform to strong identity and access management practices such as strong passwords, multifactor authentication and secured credentials, and to ensure their software, including antivirus programs, are kept up to date.