Assessing Recent Cyber Threats as Russia-Ukraine Crisis Escalates

By Matthew Herring and Callie Guenther, CRITICALSTART Cyber Research Unit

Background:

On January 11^th, 2022, The Cybersecurity & Infrastructure Security Agency (CISA) published an alert “Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure” amid growing tensions between the US and Russia. Two days later, Microsoft’s Threat Intelligence Center (MSTIC) identified evidence of a destructive malware operation targeting multiple organizations in Ukraine¹. This was the most recent in a series of attacks that began in late 2014 where critical infrastructure across Ukraine fell victim to destructive and disruptive cyber-attacks including NotPetya and WannaCry malware variants. Late last week, CISA published an article informing organizations about the renewed risks to critical infrastructure from malware tools leveraged by Russian State-Sponsored threat actors, highlighting the risks to those working with Ukrainian organizations².  

The long-standing hostilities between Russia and the Ukraine date back to the breakup of the USSR. After the invasion and subsequent annexation of the Crimean Peninsula in 2014, Ukraine fell victim to a series of aggressions attributed to the Russian state, further deteriorating the already tense relationship. In December 2015, more than 225,000 people lost power across Ukraine as the result of a multi-stage malware attack against power generation firms, and in December 2016 parts of Kiev experienced another power blackout following a similar attack targeting a Ukrainian utility company. In June 2017, government and business computer systems in Ukraine were hit by the NotPetya cyberattack; the crippling attack, attributed to Russia, spread to computer systems worldwide and caused billions of dollars in damages³. In the years since, The United States and other NATO Allies have put pressure on Russia, authorized NATO-led military exercises, and imposed new sanctions in an attempt to curb Russian involvement in Ukraine.

Current Status:

The ongoing geopolitical unrest in Ukraine has ushered in another round of cybersecurity attacks in the region. WhisperGate, also tracked by Microsoft as (DEV-0586) is a new malware family designed to look like ransomware, but lacks any ransom recovery mechanism. In similar fashion to the infamous NotPetya malware which also targets and destroys the master boot record (MBR) instead of encrypting it, WhisperGate notably has more components designed to inflict additional damage⁴. Cyber campaigns have been a recurring aspect of the unstable relationship between Russia and Ukraine, and while we have yet to see a targeted attack against the NATO allies or other Ukrainian-adjacent organizations as retaliation for support, researchers believe the wide-range of offensive cyber tools Russia maintains will be weaponized against the west.

As this situation evolves, Critical Start’s Cyber Research Unit (CRU) continues to monitor and investigate additional opportunities for detection, focused on the tactics, techniques, and procedures commonly employed by Russian threat actors. We monitor for active reconnaissance, which is regularly conducted with large-scale scanning, as well as spearphishing campaigns known to expose credentials from target networks. CRU also tracks Russian state-sponsored APT groups that have been known to compromise trusted third-party software through the supply chain and gain to access to victim organizations. Our detections watch for exfiltrated data and exported copies of the Active Directory databases, as well as track any unsecured credentials or private keys that may be an indicator of unauthorized credential access. Our comprehensive behavior-based detection development ensures that detections are not only in place for the recent WhisperGate malware, but also activities that are consistent with Russian threat actors. For a detailed list of commonly employed tactics, techniques, and procedures employed by Russian APT groups and other State-Sponsored threat actors, refer to Appendix A.

The Bottom Line:

Critical Start observes that the recent activities associated with Russian State-Sponsored Actors align with the following desired outcomes:

• Intelligence gathering against targets supporting Ukrainian interests. 
• Attacks against critical infrastructure, as observed in past attacks against the Ukrainian Power grid in 2015 and again in 2016.

As with any threat scenario, the basics are important. Ensure vulnerability management programs and technology are operating effectively, implement multi-factor authentication for all remote access to resources, ensure cloud environments have effective controls implemented and monitor for suspicious or malicious behavior. Confirm all reporting mechanisms are sound and coverage gaps are mitigated. Create, maintain, and exercise a cyber incident response and continuity of operations plan and monitor for additional recommended actions from official channels.

Critical Start is continuing to monitor this evolving situation and will continue to keep our customers informed. Our Cyber Research Unit continuously works to add new content to our customers’ environments so that we can remain vigilant against this threat. We want to stress that we are here to help and are committed to continued vigilance of all threat actor activity and will develop new detections in response to any developments. If you suspect malicious behavior or fraudulent network activity, please reach out to [email protected].

Appendix A: Tactics, Techniques, and Procedures commonly employed by Russian Threat Actors

¹ https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/

² https://www.cisa.gov/uscert/ncas/alerts/aa22-011a

³ https://www.cfr.org/global-conflict-tracker/conflict/conflict-ukraine

⁴ https://blog.talosintelligence.com/2022/01/ukraine-campaign-delivers-defacement.html