Russian-sponsored threat actors have already distributed cyberattacks via new malware and wiperware such as Cyclops Blink and HermeticWiper. As tensions between Ukraine and Russia escalate, there’s potential for increased cybersecurity risk against targets across the world.
We’ve witnessed this historically during previous unrest. For example, the Ukrainian Maidan revolution in 2014 resulted in the NotPetya wiperware campaign. These attacks extended well beyond the borders of the country and impacted a number of organizations that had Ukrainian assets.
However, organizations of all sizes and industries — even those that aren’t affiliated with Ukrainian assets — should be prepared to respond to state-sponsored cyberattacks. Threat actors are opportunistic, and will likely target environments without proper security controls — including small and mid-sized businesses that often lack resources — because they are easy wins.
Russian advanced persistent threats (APTs) follow similar playbooks to other highly-effective groups; these techniques, tactics, and procedures (TTPs) are not secret.
It’s important to be aware of these tactics and detect them early enough to stop an attack in progress. Here are some TTPs, mapped to the MITRE ATT&CK Framework, that Russian state-sponsored threat actors have been known to use.
According to MITRE, initial access techniques use various entry vectors to gain an initial foothold within a network. Initial access is an especially important tactic to detect because it occurs so early on in the cyber kill chain.
Russian threat actors have used the following techniques to gain initial access before launching a cyberattack:
External remote services such as VPNs and Remote Desktop Protocol (RDP) are common ways for attackers to gain a foothold in an environment. Most notably, state-sponsored actors have weaponized CVE-2019-11510, CVE-2019-11539, and CVE-2018-13379, vulnerabilities that affect Pulse Secure, Palo Alto GlobalProtect and Fortinet Fortigate.
Upgrading to the latest version of VPN software is crucial. Since a malicious actor could have already exploited the VPN to steal credentials, it’s important to also reset the VPN’s credentials after patching.
RDP is another commonly-exploited external service. Avoid relying on RDP if at all possible. If you must use RDP, follow these security best practices:
In a brute-force attack, threat actors rely on automated software to generate a large number of consecutive guesses as to the value of the desired data, such as a password.
From 2019 to 2021, GRU — Russia’s military intelligence group — launched a brute-force campaign that targeted hundreds of government and private sector organizations worldwide, specifically organizations running Microsoft 365 cloud services. Threat actors used a Kubernetes cluster to perform password spraying techniques on a larger scale.
To defend against brute force attacks, organizations should deploy multi-factor authentication (MFA), limit the number of times a user can unsuccessfully attempt to log in, and temporarily lock out users who exceed the specified maximum number of failed login attempts.
Password spraying, a variant of a brute-force attack method, is a common tactic used by Russian state-sponsored threat actors. Password spraying takes a large number of usernames and loops them with a single password, applying that to multiple accounts over a period of time to gain access into an environment.
In October 2021 Nobelium, the Russian state-sponsored actors that were also responsible for the 2020 SolarWinds attack, gained access to privileged accounts in MSPs and resellers using a variety of techniques — password spraying being one of them — and then leveraged that access to attack the service providers’ customers.
The most effective way to prevent password spraying is by using two-factor or multi-factor authentication. Organizations can also monitor for persistence use — attempting to log in to multiple accounts via the same IP address — via their identity platforms. For Windows hosts, it’s important to also enable more robust logging capabilities to get visibility into password spraying attacks. Sysmon is a good way to extend Windows default logging capabilities.
A dynamic blocklist can stop an attack in its early stages by automatically blocking IP addresses that are attempting to perform password spraying.
Russian state-sponsored APT actors have performed “Kerberoasting,” an offline cracking technique in which actors abuse valid Kerberos ticket-granting services to obtain valid Service Principal Names (SPN) within an Active Directory (AD) domain. Any instance of Kerberoasting in an environment should be considered a critical threat.
There are a few ways to detect Kerberoasting attacks; one way is to create a honey credential (or honeytoken) that exists solely to act as a canary.
Learn More About Detecting Kerberoasting Attacks >
During the persistence phase, adversaries attempt to maintain their foothold on systems.
Hours before Russia invaded Ukraine on February 24, a new form of disk-wiping malware was used to attack organizations in Ukraine. Part of that campaign included installing web shells weeks prior to the attack. Web shells were also used by the Russian GRU cyber military group.
Read More About How To Detect Web Shells>
In the Russian GRU’s brute-force campaign, threat actors used a PowerShell cmdlet (NewManagementRoleAssignment) to grant the ‘ApplicationImpersonation’ role to a compromised account. Although PowerShell is a legitimate tool that IT administrators commonly use, it can also be used to maintain a foothold or execute malicious code without administrative access.
Organizations can alert on PowerShell commands and scripts through third-party software or via a security information and event management (SIEM). It is also fairly straightforward to enable it in Microsoft Group Policy.
Learn More About Detecting Malicious PowerShell Activity>
Privilege escalation refers to an adversary attempting to gain higher permissions, according to MITRE.
State-sponsored actors have also used valid credentials of a global admin account to log into the Microsoft 365 admin portal and change permissions of an existing enterprise application.
To prevent this, you can correlate logs, including Microsoft 365 logs, from network and host security devices and assign administrator roles to role-based access control (RBAC) to implement least privilege principles. Due to its high level of default privilege, only use the global admin account when absolutely necessary; instead, use other built-in admin roles within AD.
Russian threat actors have also used BloodHound, a tool that can collect information about AD users, groups, and computers, and map pathways to escalate privileges to domain administrator accounts and expedite lateral movement. Robust endpoint detection and response (EDR) software should be able to detect the use and presence of tools like BloodHound on your network.
Equally important is the ability to send EDR logs to a centralized logging system to correlate with other telemetry sources. This will help identify and contextualize security threats, enabling you to respond quickly and more effectively.
Knowing how to prevent and detect the known TTPs listed above is a step in the right direction to defend against state-sponsored attacks. Now is also a good time to ensure that you’re enacting basic security principles that will reduce your overall attack surface.
If you aren’t fully prepared, make changes as soon as possible to ensure that you are secure and patched. This includes doing the following:
Taking time to go through the above steps is one of the best ways you can ensure that you are as protected as possible right now. It’s also important to measure your current security maturity and identify any missing capabilities. Our checklist of the different areas of threat detection and response – from logging to alerting to audits and compliance – can help you identify any security gaps.