Assessing Recent Cyber Threats as Russia-Ukraine Crisis Escalates
By Matthew Herring and Callie Guenther, CRITICALSTART Cyber Research Unit
On January 11th, 2022, The Cybersecurity & Infrastructure Security Agency (CISA) published an alert “Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure” amid growing tensions between the US and Russia. Two days later, Microsoft’s Threat Intelligence Center (MSTIC) identified evidence of a destructive malware operation targeting multiple organizations in Ukraine1. This was the most recent in a series of attacks that began in late 2014 where critical infrastructure across Ukraine fell victim to destructive and disruptive cyber-attacks including NotPetya and WannaCry malware variants. Late last week, CISA published an article informing organizations about the renewed risks to critical infrastructure from malware tools leveraged by Russian State-Sponsored threat actors, highlighting the risks to those working with Ukrainian organizations2.
The long-standing hostilities between Russia and the Ukraine date back to the breakup of the USSR. After the invasion and subsequent annexation of the Crimean Peninsula in 2014, Ukraine fell victim to a series of aggressions attributed to the Russian state, further deteriorating the already tense relationship. In December 2015, more than 225,000 people lost power across Ukraine as the result of a multi-stage malware attack against power generation firms, and in December 2016 parts of Kiev experienced another power blackout following a similar attack targeting a Ukrainian utility company. In June 2017, government and business computer systems in Ukraine were hit by the NotPetya cyberattack; the crippling attack, attributed to Russia, spread to computer systems worldwide and caused billions of dollars in damages3. In the years since, The United States and other NATO Allies have put pressure on Russia, authorized NATO-led military exercises, and imposed new sanctions in an attempt to curb Russian involvement in Ukraine.
The ongoing geopolitical unrest in Ukraine has ushered in another round of cybersecurity attacks in the region. WhisperGate, also tracked by Microsoft as (DEV-0586) is a new malware family designed to look like ransomware, but lacks any ransom recovery mechanism. In similar fashion to the infamous NotPetya malware which also targets and destroys the master boot record (MBR) instead of encrypting it, WhisperGate notably has more components designed to inflict additional damage4. Cyber campaigns have been a recurring aspect of the unstable relationship between Russia and Ukraine, and while we have yet to see a targeted attack against the NATO allies or other Ukrainian-adjacent organizations as retaliation for support, researchers believe the wide-range of offensive cyber tools Russia maintains will be weaponized against the west.
As this situation evolves, Critical Start’s Cyber Research Unit (CRU) continues to monitor and investigate additional opportunities for detection, focused on the tactics, techniques, and procedures commonly employed by Russian threat actors. We monitor for active reconnaissance, which is regularly conducted with large-scale scanning, as well as spearphishing campaigns known to expose credentials from target networks. CRU also tracks Russian state-sponsored APT groups that have been known to compromise trusted third-party software through the supply chain and gain to access to victim organizations. Our detections watch for exfiltrated data and exported copies of the Active Directory databases, as well as track any unsecured credentials or private keys that may be an indicator of unauthorized credential access. Our comprehensive behavior-based detection development ensures that detections are not only in place for the recent WhisperGate malware, but also activities that are consistent with Russian threat actors. For a detailed list of commonly employed tactics, techniques, and procedures employed by Russian APT groups and other State-Sponsored threat actors, refer to Appendix A.
The Bottom Line:
Critical Start observes that the recent activities associated with Russian State-Sponsored Actors align with the following desired outcomes:
- Intelligence gathering against targets supporting Ukrainian interests.
- Attacks against critical infrastructure, as observed in past attacks against the Ukrainian Power grid in 2015 and again in 2016.
As with any threat scenario, the basics are important. Ensure vulnerability management programs and technology are operating effectively, implement multi-factor authentication for all remote access to resources, ensure cloud environments have effective controls implemented and monitor for suspicious or malicious behavior. Confirm all reporting mechanisms are sound and coverage gaps are mitigated. Create, maintain, and exercise a cyber incident response and continuity of operations plan and monitor for additional recommended actions from official channels.
Critical Start is continuing to monitor this evolving situation and will continue to keep our customers informed. Our Cyber Research Unit continuously works to add new content to our customers’ environments so that we can remain vigilant against this threat. We want to stress that we are here to help and are committed to continued vigilance of all threat actor activity and will develop new detections in response to any developments. If you suspect malicious behavior or fraudulent network activity, please reach out to [email protected].
Appendix A: Tactics, Techniques, and Procedures commonly employed by Russian Threat Actors
Active Scanning: Vulnerability Scanning [T1595.002]
Russian state-sponsored APT actors have performed large-scale scans in an attempt to find vulnerable servers.
Phishing for Information [T1598]
Russian state-sponsored APT actors have conducted spearphishing campaigns to gain credentials of target networks.
Develop Capabilities: Malware [T1587.001]
Russian state-sponsored APT actors have developed and deployed malware, including ICS-focused destructive malware.
Initial Access [TA0001]
Exploit Public Facing Applications [T1190]
Russian state-sponsored APT actors use publicly known vulnerabilities, as well as zero-days, in internet-facing systems to gain access to networks.
Supply Chain Compromise: Compromise Software Supply Chain [T1195.002]
Russian state-sponsored APT actors have gained initial access to victim organizations by compromising trusted third-party software. Notable incidents include M.E.Doc accounting software and SolarWinds Orion.
Russian state-sponsored APT actors have used cmd.exe to execute commands on remote machines. They have also used PowerShell to create new tasks on remote machines, identify configuration settings, exfiltrate data, and to execute other commands.
Valid Accounts [T1078]
Russian state-sponsored APT actors have used credentials of existing accounts to maintain persistent, long-term access to compromised networks.
Credential Access [TA0006]
Russian state-sponsored APT actors have conducted brute-force password guessing and password spraying campaigns.
OS Credential Dumping: NTDS [T1003.003]
Russian state-sponsored APT actors have exfiltrated credentials and exported copies of the Active Directory database ntds.dit.
Steal or Forge Kerberos Tickets: Kerberoasting [T1558.003]
Russian state-sponsored APT actors have performed “Kerberoasting,” whereby they obtained the Ticket Granting Service (TGS) Tickets for Active Directory Service Principal Names (SPN) for offline cracking.
Credentials from Password Stores [T1555]
Russian state-sponsored APT actors have used previously compromised account credentials to attempt to access Group Managed Service Account (gMSA) passwords.
Exploitation for Credential Access [T1212]
Russian state-sponsored APT actors have exploited Windows Netlogon vulnerability CVE-2020-1472 to obtain access to Windows Active Directory servers.
Unsecured Credentials: Private Keys [T1552.004]
Russian state-sponsored APT actors have obtained private encryption keys from the Active Directory Federation Services (ADFS) container to decrypt corresponding SAML signing certificates.
Command and Control [TA0011]
Proxy: Multi-hop Proxy [T1090.003]
Russian state-sponsored APT actors have used virtual private servers (VPSs) to route traffic to targets. The actors often use VPSs with IP addresses in the home country of the victim to hide activity among legitimate user traffic.
Matthew leads the CRITICALSTART Cyber Research Unit, providing timely, actionable intelligence and effective, accurate detections. This gives our customers an adaptive edge to protect themselves against the ever-changing threat landscape. Matthew’s background includes various roles in Compliance, Threat Detection, Incident Response, Cloud Security, and Risk Management.
You may also be interested in…
- Consumer Education(40)
- Consumer Stories(2)
- Cybersecurity Consulting(7)
- Data Breaches(15)
- Data Privacy(43)
- Incident Response(2)
- MDR Services(74)
- Press Release(81)
- Research Report(10)
- Security Assessments(4)
- Thought Leadership(18)
- Threat Hunting(3)
- Vulnerability Disclosure(1)