Russian-sponsored threat actors have already distributed cyberattacks via new malware and wiperware such as Cyclops Blink and HermeticWiper. As tensions between Ukraine and Russia escalate, there’s potential for increased cybersecurity risk against targets across the world.
We’ve witnessed this historically during previous unrest. For example, the Ukrainian Maidan revolution in 2014 resulted in the NotPetya wiperware campaign. These attacks extended well beyond the borders of the country and impacted a number of organizations that had Ukrainian assets.
However, organizations of all sizes and industries — even those that aren’t affiliated with Ukrainian assets — should be prepared to respond to state-sponsored cyberattacks. Threat actors are opportunistic, and will likely target environments without proper security controls — including small and mid-sized businesses that often lack resources — because they are easy wins.
Russian advanced persistent threats (APTs) follow playbooks similar to those of other highly effective groups; these tactics, techniques, and procedures (TTPs) are not secret.
It’s important to be aware of these tactics and detect them early enough to stop an attack in progress. Here are some TTPs, mapped to the MITRE ATT&CK Framework, that Russian state-sponsored threat actors have been known to use.
According to MITRE, initial access techniques use various entry vectors to gain an initial foothold within a network. Initial access is an especially important tactic to detect because it occurs so early on in the cyber kill chain.
Russian threat actors have used the following techniques to gain initial access before launching a cyberattack:
External Remote Services
External remote services such as VPNs and Remote Desktop Protocol (RDP) are common ways for attackers to gain a foothold in an environment. Most notably, state-sponsored actors have weaponized CVE-2019-11510, CVE-2019-11539, and CVE-2018-13379, vulnerabilities that affect Pulse Secure, Palo Alto GlobalProtect and Fortinet Fortigate.
Upgrading to the latest version of VPN software is crucial. Since a malicious actor could have already exploited the VPN to steal credentials, it’s important to also reset the VPN’s credentials after patching.
RDP is another commonly-exploited external service. Avoid relying on RDP if at all possible. If you must use RDP, follow these security best practices:
- Never allow RDP to be internet-facing.
- Configure Network Level Authentication (NLA) and similar protections for RDP.
- Ensure that all remote access flows through a proper virtual private network (VPN) connection protected by two-factor authentication (2FA) whenever possible.
- Limit the number of users who need RDP access, and restrict that access to specific IP addresses.
From 2019 to 2021, GRU — Russia’s military intelligence group — launched a brute-force campaign that targeted hundreds of government and private sector organizations worldwide, specifically organizations running Microsoft 365 cloud services. Threat actors used a Kubernetes cluster to perform password spraying techniques on a larger scale.
To defend against brute force attacks, organizations should deploy multi-factor authentication (MFA), limit the number of times a user can unsuccessfully attempt to log in, and temporarily lock out users who exceed the specified maximum number of failed login attempts.
Password spraying, a variant of a brute-force attack method, is a common tactic used by Russian state-sponsored threat actors. Password spraying takes a large number of usernames and loops them with a single password, applying that to multiple accounts over a period of time to gain access into an environment.
In October 2021 Nobelium, the Russian state-sponsored actors that were also responsible for the 2020 SolarWinds attack, gained access to privileged accounts in MSPs and resellers using a variety of techniques — password spraying being one of them — and then leveraged that access to attack the service providers’ customers.
The most effective way to prevent password spraying is to use two-factor or multi-factor authentication. Organizations can also monitor their identity platforms for the spraying pattern itself (one IP address attempting to log in to many different accounts). For Windows hosts, it is also important to enable more robust logging to get visibility into password spraying attacks; Sysmon is a good way to extend the default Windows logging capabilities.
A dynamic blocklist can stop an attack in its early stages by automatically blocking IP addresses that are attempting to perform password spraying.
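The two detections described above, the per-account failed-login lockout and the per-source spray pattern (one IP failing against many accounts), feed a dynamic blocklist. The following is an added example, not code from the original post; it runs over a constructed authentication log and uses hypothetical thresholds (five failures per account, ten distinct accounts per source, a 30-minute window) that an organization would tune to its own identity platform.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real system).
# Each record: ISO-8601 timestamp, username, source IP, whether the login succeeded.
SAMPLE_EVENTS = [
    # One source tries a single guess against twelve different accounts: the spray pattern.
    *[(f"2022-03-01T10:{i:02d}:00", f"user{i:02d}", "203.0.113.5", False) for i in range(12)],
    # One account hammered repeatedly from a second source: classic brute force.
    *[(f"2022-03-01T11:00:{i * 10:02d}", "carol", "198.51.100.7", False) for i in range(6)],
    # A legitimate user who mistypes twice and then succeeds.
    ("2022-03-01T12:00:00", "dave", "192.0.2.9", False),
    ("2022-03-01T12:00:20", "dave", "192.0.2.9", False),
    ("2022-03-01T12:00:40", "dave", "192.0.2.9", True),
]

# Hypothetical thresholds; tune to the environment.
MAX_FAILED_PER_USER = 5        # failures inside WINDOW that trigger a temporary lockout
SPRAY_DISTINCT_USERS = 10      # distinct accounts failed from one IP inside WINDOW
WINDOW = timedelta(minutes=30)
LOCKOUT = timedelta(minutes=15)


def _failures(events):
    """Failed logins only, as (datetime, user, ip), oldest first."""
    rows = [(datetime.fromisoformat(ts), user, ip) for ts, user, ip, ok in events if not ok]
    return sorted(rows)


def lockout_candidates(events, max_failed=MAX_FAILED_PER_USER, window=WINDOW, lockout=LOCKOUT):
    """Accounts reaching max_failed failures within one sliding window -> lockout expiry time."""
    locked = {}
    recent_by_user = defaultdict(list)
    for ts, user, _ip in _failures(events):
        recent = [t for t in recent_by_user[user] if ts - t <= window]
        recent.append(ts)
        recent_by_user[user] = recent
        if len(recent) >= max_failed and user not in locked:
            locked[user] = ts + lockout
    return locked


def detect_spray_sources(events, min_users=SPRAY_DISTINCT_USERS, window=WINDOW):
    """Source IPs that failed against at least min_users distinct accounts within one window.
    Each sprayed account sees only one failure, so per-account lockouts never fire;
    this per-source view is what catches spraying."""
    flagged = set()
    recent_by_ip = defaultdict(list)
    for ts, user, ip in _failures(events):
        recent = [(t, u) for t, u in recent_by_ip[ip] if ts - t <= window]
        recent.append((ts, user))
        recent_by_ip[ip] = recent
        if len({u for _, u in recent}) >= min_users:
            flagged.add(ip)
    return flagged


def noisy_sources(events, max_failed=MAX_FAILED_PER_USER, window=WINDOW):
    """Source IPs with at least max_failed failures (against any accounts) within one window."""
    flagged = set()
    recent_by_ip = defaultdict(list)
    for ts, _user, ip in _failures(events):
        recent = [t for t in recent_by_ip[ip] if ts - t <= window]
        recent.append(ts)
        recent_by_ip[ip] = recent
        if len(recent) >= max_failed:
            flagged.add(ip)
    return flagged


def build_blocklist(events):
    """Dynamic blocklist: spraying sources plus sources generating bulk failures."""
    return detect_spray_sources(events) | noisy_sources(events)


if __name__ == "__main__":
    print("lockouts:", lockout_candidates(SAMPLE_EVENTS))
    print("spray sources:", detect_spray_sources(SAMPLE_EVENTS))
    print("blocklist:", build_blocklist(SAMPLE_EVENTS))
```

On the sample data the spraying source never trips a single account lockout, which is exactly why the per-source view is needed alongside the per-account limit; the legitimate user who fails twice and then succeeds lands on neither list.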
Steal or Forge Kerberos Tickets: Kerberoasting
Russian state-sponsored APT actors have performed “Kerberoasting,” an offline cracking technique in which actors abuse valid Kerberos ticket-granting service (TGS) requests for Service Principal Names (SPNs) within an Active Directory (AD) domain. Any instance of Kerberoasting in an environment should be considered a critical threat.
There are a few ways to detect Kerberoasting attacks; one is to create a honey credential (or honeytoken): a service account with an SPN that exists solely to act as a canary, so that any ticket request for it is an alert.
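The honeytoken approach, as an added example that is not part of the original post: the detection runs over constructed Windows Security event 4769 (service ticket requested) records and alerts on any request for the canary SPN. It also applies a second, widely used heuristic that the text does not mention, flagging an account that requests RC4-encrypted (ticket encryption type 0x17) service tickets for many distinct SPNs in one batch; the canary SPN name, the threshold of five SPNs and the sample accounts are all hypothetical.

```python
from collections import defaultdict

# Constructed sample Windows Security event 4769 records (not real telemetry).
# Field names loosely mirror the event's data items: requesting account, service name,
# ticket encryption type, and client address.
ROASTED_SPNS = [
    "MSSQLSvc/db01.corp.local:1433",
    "HTTP/web01.corp.local",
    "CIFS/fs01.corp.local",
    "MSSQLSvc/db02.corp.local:1433",
    "HTTP/intranet.corp.local",
    "MSSQLSvc/legacy-db.corp.local:1433",   # the canary, see HONEYTOKEN_SPNS
]
SAMPLE_4769 = [
    # Normal traffic: AES ticket for a real service, and a workstation renewing against krbtgt.
    {"time": "2022-03-01T09:00:00", "account": "asmith@CORP.LOCAL",
     "service": "MSSQLSvc/db01.corp.local:1433", "etype": "0x12", "ip": "10.0.0.40"},
    {"time": "2022-03-01T09:00:01", "account": "WS01$@CORP.LOCAL",
     "service": "krbtgt", "etype": "0x17", "ip": "10.0.0.41"},
    # A single RC4 request from a legacy client: noisy, but below the threshold.
    {"time": "2022-03-01T09:05:00", "account": "bjones@CORP.LOCAL",
     "service": "HTTP/web01.corp.local", "etype": "0x17", "ip": "10.0.0.42"},
    # One account requesting RC4 tickets for six services within seconds, including the canary.
    *[{"time": f"2022-03-01T09:10:{i:02d}", "account": "jdoe@CORP.LOCAL",
       "service": spn, "etype": "0x17", "ip": "10.0.0.21"}
      for i, spn in enumerate(ROASTED_SPNS)],
]

# Hypothetical canary SPN: the account exists only so that a ticket request for it is an alert.
HONEYTOKEN_SPNS = {"MSSQLSvc/legacy-db.corp.local:1433"}
RC4_ETYPE = "0x17"
MIN_DISTINCT_SPNS = 5   # hypothetical threshold for the bulk-RC4 heuristic


def is_rc4_service_request(ev):
    """RC4 service-ticket request for a user-account SPN (krbtgt and machine accounts excluded)."""
    svc = ev["service"]
    return ev["etype"].lower() == RC4_ETYPE and svc.lower() != "krbtgt" and not svc.endswith("$")


def analyze_4769(events, honeytokens=HONEYTOKEN_SPNS, min_spns=MIN_DISTINCT_SPNS):
    """Return alerts as dicts; honeytoken hits are critical, bulk RC4 requests are high."""
    alerts = []
    rc4_spns = defaultdict(set)
    rc4_ips = defaultdict(set)
    for ev in events:
        if ev["service"] in honeytokens:
            alerts.append({"severity": "critical", "reason": "ticket requested for honeytoken SPN",
                           "account": ev["account"], "ips": [ev["ip"]], "services": [ev["service"]]})
        if is_rc4_service_request(ev):
            rc4_spns[ev["account"]].add(ev["service"])
            rc4_ips[ev["account"]].add(ev["ip"])
    for account, spns in rc4_spns.items():
        if len(spns) >= min_spns:
            alerts.append({"severity": "high",
                           "reason": f"RC4 service tickets requested for {len(spns)} distinct SPNs",
                           "account": account, "ips": sorted(rc4_ips[account]),
                           "services": sorted(spns)})
    return alerts


if __name__ == "__main__":
    for alert in analyze_4769(SAMPLE_4769):
        print(alert["severity"], alert["account"], alert["reason"])
```

The canary rule needs no threshold at all, which is what makes it the higher-confidence signal; the RC4 rule is a useful backstop but will need the exclusion list extended for any legacy systems that legitimately still negotiate RC4.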
During the persistence phase, adversaries attempt to maintain their foothold on systems.
Hours before Russia invaded Ukraine on February 24, a new form of disk-wiping malware was used to attack organizations in Ukraine. Part of that campaign included installing web shells weeks prior to the attack. Web shells were also used by the Russian GRU cyber military group.
To identify the creation of web shells in your environment, review web accessible directories for newly created .php, .asp, .aspx, and .jsp files.
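The review described above, as an added example that is not part of the original post: it walks a web root for recently modified files with the named server-side script extensions and skips anything already in a known-good baseline. The web root it scans is a throwaway directory constructed inside the example, and the 14-day window is a hypothetical value.

```python
import os
import tempfile
import time
from pathlib import Path

# Extensions called out in the text; matched case-insensitively.
WEB_SCRIPT_EXTENSIONS = {".php", ".asp", ".aspx", ".jsp"}


def find_recent_web_scripts(webroot, max_age_days=14, baseline=frozenset(), now=None):
    """Relative paths of server-side script files under webroot modified within max_age_days
    and not listed in the known-good baseline.  Uses the filesystem modification time, which
    can be reset, so treat this as a first pass and back it with a baseline inventory or
    file-integrity monitoring."""
    webroot = Path(webroot)
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    hits = []
    for path in webroot.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in WEB_SCRIPT_EXTENSIONS:
            continue
        rel = path.relative_to(webroot).as_posix()
        if rel in baseline:
            continue
        if path.stat().st_mtime >= cutoff:
            hits.append(rel)
    return sorted(hits)


def build_sample_webroot():
    """Construct a throwaway web root: aged legitimate files plus two recently written scripts."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    ninety_days_ago = time.time() - 90 * 86400
    (root / "uploads").mkdir()
    (root / "admin").mkdir()
    (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
    (root / "admin" / "Login.aspx").write_text("<%@ Page Language=\"C#\" %>\n")
    (root / "uploads" / "banner.png").write_bytes(b"\x89PNG\r\n")
    for old in ("index.php", "admin/Login.aspx", "uploads/banner.png"):
        os.utime(root / old, (ninety_days_ago, ninety_days_ago))
    # Two constructed files written just now: a script in the upload directory and one in admin.
    (root / "uploads" / "image.php").write_text("<?php /* constructed sample, recent */ ?>\n")
    (root / "admin" / "Sync.aspx").write_text("<%@ Page %>\n")
    return root


if __name__ == "__main__":
    root = build_sample_webroot()
    print("recent scripts:", find_recent_web_scripts(root))
    print("after baseline:", find_recent_web_scripts(root, baseline={"admin/Sync.aspx"}))
```

A script file appearing in an upload directory is the case most worth a closer look, since those directories should never hold executable content; the baseline parameter is there so that planned deployments do not page anyone.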
Account Manipulation: Exchange Email Delegate Permissions
In the Russian GRU’s brute-force campaign, threat actors used a PowerShell cmdlet (New-ManagementRoleAssignment) to grant the ‘ApplicationImpersonation’ role to a compromised account. Although PowerShell is a legitimate tool that IT administrators commonly use, it can also be used to maintain a foothold or execute malicious code without administrative access.
Organizations can alert on PowerShell commands and scripts through third-party software or via a security information and event management (SIEM) system. PowerShell script block logging, which records the executed script text, is also fairly straightforward to enable through Microsoft Group Policy.
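Once script block logging is on (Group Policy: Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell > Turn on PowerShell Script Block Logging), the executed text lands in event 4104 and a SIEM rule can match it. The following is an added example, not code from the original post: it runs over constructed 4104 records and flags any script block that both calls the cmdlet named above and names the ApplicationImpersonation role, downgrading the alert when the account is on a hypothetical change-controlled list.

```python
import re

# Constructed sample Windows PowerShell event 4104 records (not real telemetry).
# "script" holds the ScriptBlockText field.
SAMPLE_4104 = [
    {"time": "2022-03-01T08:00:00", "host": "EXCH01", "user": "CORP\\admin.jane",
     "script": "Get-MailboxStatistics -Database DB01 | Sort-Object TotalItemSize -Descending"},
    {"time": "2022-03-01T08:01:00", "host": "EXCH01", "user": "CORP\\admin.jane",
     "script": "New-ManagementRoleAssignment -Name EwsSvc -Role ApplicationImpersonation -User svc_ews"},
    {"time": "2022-03-01T08:02:00", "host": "EXCH01", "user": "CORP\\svc_backup",
     "script": "New-ManagementRoleAssignment -Role 'ApplicationImpersonation' -User svc_backup"},
    {"time": "2022-03-01T08:05:00", "host": "WS07", "user": "CORP\\bob",
     "script": "Get-Process | Where-Object CPU -gt 100"},
    {"time": "2022-03-01T08:06:00", "host": "WS07", "user": "CORP\\bob",
     "script": "new-managementroleassignment -name ImpBob -role applicationimpersonation -user bob"},
]

# Cmdlet and role named in the text.  PowerShell is case-insensitive, so match accordingly.
ROLE_ASSIGN_RE = re.compile(r"\bnew-managementroleassignment\b", re.IGNORECASE)
IMPERSONATION_RE = re.compile(r"applicationimpersonation", re.IGNORECASE)
# Hypothetical list of accounts allowed to grant the role under change control.
APPROVED_GRANTERS = {"CORP\\admin.jane"}


def flag_impersonation_grants(events, approved=APPROVED_GRANTERS):
    """Return one alert per script block that grants ApplicationImpersonation.
    Grants by approved accounts are kept at 'info' so the audit trail stays complete;
    anything else, including a grant run from a workstation, is 'high'."""
    hits = []
    for ev in events:
        text = ev["script"]
        if ROLE_ASSIGN_RE.search(text) and IMPERSONATION_RE.search(text):
            hits.append({
                "time": ev["time"],
                "host": ev["host"],
                "user": ev["user"],
                "severity": "info" if ev["user"] in approved else "high",
                "script": text,
            })
    return hits


if __name__ == "__main__":
    for hit in flag_impersonation_grants(SAMPLE_4104):
        print(hit["severity"], hit["time"], hit["host"], hit["user"])
```

The rule deliberately keys on the role name rather than the cmdlet alone, because role assignments are routine Exchange administration; it is the impersonation role specifically that turns one compromised account into read access over every mailbox it can impersonate.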
Valid Accounts: Cloud Accounts
State-sponsored actors have also used valid credentials of a global admin account to log into the Microsoft 365 admin portal and change permissions of an existing enterprise application.
To prevent this, correlate logs, including Microsoft 365 logs, from network and host security devices, and assign administrator roles through role-based access control (RBAC) to implement the principle of least privilege. Because of its high level of default privilege, use the global admin account only when absolutely necessary; otherwise, use the other built-in admin roles within AD.
File and Network Discovery
Russian threat actors have also used BloodHound, a tool that can collect information about AD users, groups, and computers, and map pathways to escalate privileges to domain administrator accounts and expedite lateral movement. Robust endpoint detection and response (EDR) software should be able to detect the use and presence of tools like BloodHound on your network.
Equally important is the ability to send EDR logs to a centralized logging system to correlate with other telemetry sources. This will help identify and contextualize security threats, enabling you to respond quickly and more effectively.
What You Should Do To Protect Against Russian Cyberattacks
Knowing how to prevent and detect the known TTPs listed above is a step in the right direction to defend against state-sponsored attacks. Now is also a good time to ensure that you’re enacting basic security principles that will reduce your overall attack surface.
If you aren’t fully prepared, make changes as soon as possible to ensure that you are secure and patched. This includes doing the following:
- Review your exposed borders/DMZs to ensure that you are limiting your attack surface. You can use tools such as search.censys.io and shodan.io for this.
- Deploy Sysmon within your environment if you haven’t yet done so.
- Enable MFA in Microsoft 365, Google Workspace (formerly G Suite), Okta, and any other identity provider you are using.
- If you’re on Microsoft 365, disable legacy authentication wherever you can within your organization.
- Consider enabling the “Block macros from running in Microsoft Office files from the Internet” setting through Group Policy Objects (GPO) if you have not yet done so.
- Notify all employees to be more aware and cautious and to report any concerning emails or files as soon as possible.
- Discuss with your team what you will do in the event that your organization is breached. Planning now will save you time later during an incident.
Check Your Security Gaps
Taking time to go through the above steps is one of the best ways you can ensure that you are as protected as possible right now. It’s also important to measure your current security maturity and identify any missing capabilities. Our checklist of the different areas of threat detection and response – from logging to alerting to audits and compliance – can help you identify any security gaps.