April 14, 2023
On the @MriyaReport Twitter Space, Dr Bilyana Lilly talked about a report released by The State Service of Special Communications and Information Protection of Ukraine entitled:
Russia’s Cyber Tactics: Lessons Learned in 2022 — SSSCIP analytical report on the year of Russia’s full-scale cyberwar against Ukraine
We asked Nazar Tymoshyk CERT UA’s Principal Incident Response Officer & Founder of UnderDefense to comment on this report and we recommend that you read it:
In 2022 Russia made 2194 cyber attacks on Ukraine aimed at destruction, sophisticated data exfiltration, cyber espionage, and more. However, even though Russia leveraged all its cyberwarfare capabilities, these efforts ended up having a low military impact. Today, Nazar Tymoshyk, CERT UA’s Principal Incident Response Officer & founder of UnderDefense, guides us through the report covering methods & tactics Russia has been using in war. Learn more about lessons learned after one year of cyberwarfare and discover tips to employ for businesses.
Cyberattack methods & tactics Russia uses in war
After the full-scale invasion, cyberattacks were focused on disruptive operations aiming to suppress Ukrainian resilience, but collaboration with Western partners has helped to identify and block such attacks quickly.
In H2’2022 we saw a tactical shift: Russians could no longer use what had been prepared before the war and lost control over many valuable assets. In the second half of 2022, only 2-3 out of 10 operations were focused on destruction. The rest appeared to be sophisticated spear phishing campaigns with the goal of data exfiltration and cyber espionage.
Russians sometimes targeted technical vulnerabilities rather than specific individuals or organizations. When the target is well-protected, they find another less-protected organization somehow connected to the target, identify a vulnerability in its network and try to leverage it to get inside the targeted organization’s network. Malicious code and malware infections were also used a lot. Thieves were critical in gaining access to internal networks via VPN without 2FA. Account compromise using malware or Cobalt Strike implants appeared to be another popular method of exploitation.
In H2 2022 Russians shifted to attacking civilian organizations & critical infrastructure: power supply companies, commercial entities, logistics service providers, media companies, the Ministry of Energy & Coal Industry, the Ministry of Finance, and the Ministry of Foreign Affairs. Russian APTs were focused on credential harvesting to gain impersonated access through email or VPN without 2FA to collect data. Email communication was their first priority; PII & PHI databases were a second priority.
Gamaredon/Actinium, a unit inside of the FSB (UAC-0010), accounted for 45% of all attacks while the Financial Cybercrime unit and GRU’s “Ember Bear” accounted for 16% and 11% respectively. GRU’s “Sandworm”, SVR’s “InvisiMole” and hacktivist groups “XakNet”, “Zarya”, “CyberArmyofRussia” were also noticed. We even identified a Belarusian group “GhostWriter” (UAC-0105) engaged in credential harvesting and malware campaigns.
As more large businesses and corporations invest in cybersecurity tools, hackers are increasingly targeting small and medium-sized businesses and using them as supply chains.
Based upon these observations, we recommend taking the following actions:
1. Minimize credential theft and account abuse. Your users’ identity protection is a key requirement to secure your network. We recommend enabling multifactor authentication everywhere and Active Directory hardening (or migrating Domain Controllers to Azure AD).
2. We urge the application of least-privilege access and additionally securing access to the most sensitive and privileged accounts & systems.
3. Secure Internet-facing systems and remote access solutions, ensure they are updated to the most secure levels, regularly evaluated for vulnerability, and audited for changes to the integrity of the system. Anti-malware solutions and endpoint protection should be enabled too. Legacy systems should be isolated to prevent them from being an entry point for persistent threat actors. Remove or restrict outbound access wherever possible to mitigate egress-based kill chains.
4. Leverage anti-malware, intrusion detection, flow monitoring, endpoint detection, and identity protection solutions with a central management console: the State Cyber Protection Center has a toolset and sensors which can be provided to organizations for free.
5. A combination of defense-in-depth security solutions, paired with trained and capable personnel, can empower your organization to identify, detect, and prevent intrusions impacting your business. Enabling native cloud workload protection allows the identification and mitigation of known and novel threats to your network at scale.
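Recommendations 1 and 4 come together in one concrete audit: the report describes credential harvesting that succeeds through email or VPN logins that never required a second factor, so a defender's first question is which remote-access logins completed without MFA, and which accounts show a burst of failures followed by a success. The script below is an added example, not tooling from the SSSCIP report, CERT-UA or UnderDefense; the log lines and their `user=/src=/mfa=/result=` format are constructed for illustration and would need to be mapped onto your own VPN or webmail log schema.

```python
"""Audit remote-access logs for logins that bypassed MFA and for password-guessing
patterns. Added example with an assumed log format; not from the report or CERT-UA."""
import re
from collections import defaultdict

# Constructed sample log lines (hypothetical format):
# <timestamp> <service> user=<name> src=<ip> mfa=<yes|no> result=<success|failure>
SAMPLE_LOGS = """\
2022-09-01T08:01:12Z vpn user=o.melnyk src=203.0.113.7 mfa=yes result=success
2022-09-01T08:03:44Z vpn user=i.koval src=198.51.100.23 mfa=no result=success
2022-09-01T08:05:10Z webmail user=i.koval src=198.51.100.23 mfa=no result=success
2022-09-01T08:07:02Z vpn user=a.shevchenko src=192.0.2.44 mfa=no result=failure
2022-09-01T08:07:05Z vpn user=a.shevchenko src=192.0.2.45 mfa=no result=failure
2022-09-01T08:07:09Z vpn user=a.shevchenko src=192.0.2.46 mfa=no result=failure
2022-09-01T08:07:15Z vpn user=a.shevchenko src=192.0.2.47 mfa=no result=success
2022-09-01T08:09:30Z webmail user=o.melnyk src=203.0.113.7 mfa=yes result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<service>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"mfa=(?P<mfa>yes|no) result=(?P<result>success|failure)$"
)


def parse_events(text):
    """Parse log text into a list of event dicts, skipping lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["mfa"] = e["mfa"] == "yes"
        e["success"] = e["result"] == "success"
        events.append(e)
    return events


def logins_without_mfa(events):
    """Successful remote-access logins that never completed a second factor.
    Each of these is an account that a harvested password alone can open."""
    return [(e["user"], e["service"], e["src"])
            for e in events if e["success"] and not e["mfa"]]


def suspected_credential_abuse(events, min_failures=3):
    """Users whose successful login was preceded by at least min_failures
    consecutive failures (a simple password-guessing / stuffing signal).
    Also reports how many distinct source addresses the account was seen from."""
    consecutive_failures = defaultdict(int)
    sources = defaultdict(set)
    flagged = {}
    for e in events:
        user = e["user"]
        sources[user].add(e["src"])
        if e["success"]:
            if consecutive_failures[user] >= min_failures:
                flagged[user] = {
                    "failures_before_success": consecutive_failures[user],
                    "distinct_sources": len(sources[user]),
                }
            consecutive_failures[user] = 0
        else:
            consecutive_failures[user] += 1
    return flagged


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOGS)
    for user, service, src in logins_without_mfa(evs):
        print(f"no-MFA login: {user} via {service} from {src}")
    for user, info in suspected_credential_abuse(evs).items():
        print(f"possible credential abuse: {user} {info}")
```

On the constructed input the audit lists three successful no-MFA logins (two accounts, across both VPN and webmail) and flags one account that succeeded only after three failed attempts from rotating source addresses; in practice the no-MFA list is the enrolment backlog for recommendation 1, and the abuse list is what flow and identity-protection monitoring under recommendation 4 should alert on.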
The Ukraine Pavilion at the International Security and Cyber Security Expo in London 26/27th September 2023.
Nazar and UnderDefense will join us in London where we plan for Nazar to speak on the stages.
We are bringing to London some of Ukraine’s best and fastest growing companies from the Cyber Security, Open Data, AI, Software Development and Drone Sectors.
You will learn how they are defeating Russia in many and various ways.
Find out more about our plans HERE.
There are opportunities for Investment Banks, Private Equity, Venture Capital, Angel Investing, Law Firms, Accountants, Consultants, Recruitment and Training Companies.
Managed Service Providers in the UK will become Critical National Infrastructure when the Law going through Parliament now is passed.
All MSP Directors need to consider their options.