Cyber-attacks play a formidable role in modern warfare. As Russia’s war against Ukraine shows no sign of slowing down, the digital onslaught of attacks against Ukrainian civil, military and government organizations continues. However, it’s not just Ukraine that faces threats and disruption from Russian-based threat actors and hacking campaigns. As a retaliation to ongoing sanctions and perceived support for Ukraine, pretty much any Western organization at either government or business level is fair game for Russian hackers. As various Russian threat groups evolve their tactics and operations, staying current on the latest trends helps your organization better prepare for and mitigate cyber-attacks. With this in mind, a helpful report produced by Ukraine’s SSSCIP provides detailed findings on Russia’s cyber warfare during 2022. Here are some actionable takeaways from the report about Russian cyber tactics along with recommended mitigations.
Key Tactics Deployed by Russian Hackers
The report’s findings revealed useful information about the most commonly deployed and successful tactics and techniques that different Russian adversaries opt for in their cyber-attacks.
Data theft, destruction, and espionage are common objectives seen across various threat groups and attacks. Here are four key tactics to be aware of along with additional details on observed techniques:
1. Vulnerability Exploitation
Complexity defines today’s IT ecosystems, with companies using the cloud, virtualization technology, and more third-party code than ever. This complexity, along with a dearth of security resources, makes it harder to find, manage, and remediate all vulnerabilities. Exemplifying the problem is recent research that found the average company’s technology infrastructure has more than 800 extremely dangerous security vulnerabilities. The SSSCIP report about Russian cyber tactics reflects this high susceptibility to vulnerability exploitation. One crucial finding is that adversaries increasingly target technical vulnerabilities within the supply chain in order to gain access to their main targets. For example, targeting commonly used open-source libraries and frameworks can provide an easy entry route into your environment if you use a vulnerable version of this code.
Phishing was one of the most commonly observed tactics in targeted Russian cyber operations against Ukraine. The ability to lure victims into disclosing sensitive information or clicking a malicious link through nothing other than psychological manipulation and words make phishing an attractive tactic for hackers. The most popular medium to deliver phishing attacks is email, but some hackers opt for text messages or phone calls. In particular, Russian threat actors favour spear phishing attacks, which are highly targeted and focused on a specific individual. Spear phishing campaigns often involve trawling the web to find out as much information as is available about the target of the email. The highly personalised nature of spear phishing emails makes them a particularly insidious threat as people are more likely to be fooled by an email when the sender seems to know so much about them, including their:
- Their name
- Place of work
- Email address
- Colleagues’ names
Russian threat groups like Sandworm have gained notoriety for their ability to create and distribute innovative malicious code that previously wreaked havoc on targets such as the Ukrainian power grid in 2015 and Ukrainian banks and ministries two years later. Among the most widespread types of malicious code observed in recent cyber-attacks by Russian actors against Ukraine are:
- Infostealers that steal useful information, such as passwords to user accounts.
- Backdoors such as trojans that enable remote access and control over systems.
- Working exploits for commonly encountered vulnerabilities—remember that the presence of a vulnerability on its own doesn’t mean a breach because it still requires someone to exploit it.
Reflecting how multiple tactics often combine in a single attack to achieve the objective, a spear phishing email could contain an infostealer that captures someone’s password, which then provides a method for compromising their account (see the next point). Having gained access to a user account, the threat actor then exploits a common vulnerability to escalate privileges or move laterally.
4. Account Compromise
Another extremely common tactic observed in Russian-based cyber-attacks was account compromise. Getting inside someone’s legitimate user account can occur in a variety of ways, including brute force attacks, social engineering, or even buying stolen credentials from underground marketplaces. It’s this tactic that enables hackers to masquerade as legitimate users and access targeted accounts, data, or systems that’ll help achieve their ultimate objectives. The main variation of account compromise observed in the report was using malware to hack into accounts (e.g., with an infostealer). Account compromise regularly targets VPN accounts that provide remote access to workers.
Ways to Protect Against Russian-Based Cyber Attacks
Here are some brief tips for protecting against the kinds of cyber-attacks that Russian groups like Sandworm, Krypton, Nobelium and more conduct against Ukrainian targets:
- Invest in better user security training and awareness programs, particularly around phishing and spear phishing attacks to minimize the chances of success with these tactics.
- Switch on multi-factor authentication for user accounts so that knowing a password alone doesn’t guarantee hackers access to VPNs and user accounts for other systems/services.
- To limit lateral movement in your network, implement the principle of least privilege access to ensure users only have access to the resources they legitimately need to complete their daily job tasks.
- Regularly evaluate all Internet-facing systems and third-party dependencies for vulnerabilities.
How Pen Testing Helps Thwart Russia’s Cyber Attacks
While many of these attacks hit Ukrainian operators of critical infrastructure, in diverse sectors such as energy, telecom, government, and defence, the focus of Russian threat groups is not solely limited to Ukraine.
In truly thwarting these attacks, experts with the ability to think and act like an attacker can prove invaluable for your organisation.
DIESEC’s penetration testing service uses real-life scenarios to test your line of defence and uncover vulnerabilities you didn’t even know about. In the day-to-day grind of managing a complex IT ecosystem, vulnerabilities in third-party code and other overlooked apps can easily slip into your environment and remain there, waiting for a hacker to exploit them. We can also perform pen tests on your people to gauge social engineering knowledge and preparedness.