Russia’s invasion of Ukraine has had consequences worldwide, and cyber attacks are no exception. As tensions between Russia and Ukraine rise, the U.S. and its allies have been imposing economic costs on Russia and on the materials provided to it.
Russian state-sponsored threat actors have recently conducted several cyberattacks, including DDoS attacks and the deployment of destructive malware against the Ukrainian government and organizations tied to its critical infrastructure.
Some cybercrime groups have declared their support for Russia, while several have sided against it. CISA’s recent release provides an overview of commonly observed TTPs of Russian state-sponsored APT actors and their operations. The release was co-authored with the following organizations:
- Cybersecurity and Infrastructure Security Agency (CISA)
- Australian Cyber Security Centre (ACSC)
- Canadian Centre for Cyber Security (CCCS)
- National Cyber Security Centre New Zealand (NZ NCSC)
- United Kingdom’s National Cyber Security Centre (NCSC-UK)
Russian State-Sponsored Cyber Operations
Russian cyber actors have compromised several infrastructure targets in recent months, demonstrating their capability to break into complex networks and exfiltrate data from systems. Two major destructive operations attributed to state-sponsored actors were BlackEnergy and NotPetya, both directed against the Ukrainian government.
The state-sponsored actors were identified as belonging to the following organizations:
- Russian Federal Security Service (FSB)
- Russian Foreign Intelligence Service (SVR)
- Russian General Staff Main Intelligence Directorate (GRU)
- GRU’s Main Center for Special Technologies (GTsST)
- Russian Ministry of Defense, Central Scientific Institute of Chemistry and Mechanics (TsNIIKhM)
CISA also published a complete overview of these organizations and their operational methods.
Russian-Aligned Cyber Threat Groups
PRIMITIVE BEAR – This group has targeted Ukrainian organizations since 2013, using high-volume spearphishing campaigns to deliver custom malware. Reports also suggest that its activity served as a lead-up to Russia’s invasion.
VENOMOUS BEAR – This group has targeted NATO (North Atlantic Treaty Organization), defense contractors, and other organizations of intelligence value. It is well known for using satellite links for command and control (C2). The group has also compromised several infrastructure targets using extremely complex custom-developed malware, and malware developed by this group can also be leveraged alongside its next variant.
Russian-Aligned Cyber Crime Groups
Cybercrime groups are financially motivated. Those that are state-sponsored pose a significant threat because of their operational methods, which include:
- Ransomware deployment
- DDoS attacks against websites
- Extortion accompanying DDoS attacks
Several other cybercrime groups that pose a threat have been identified globally. CISA’s published document contains a complete report on the following cybercrime groups:
- The CoomingProject
- MUMMY SPIDER
- SALTY SPIDER
- SCULLY SPIDER
- SMOKEY SPIDER
- WIZARD SPIDER
- The Xaknet Team
CISA’s documentation on mitigating the threat includes several methods. Some of them are:
- Updating software, operating systems, applications, and firmware on IT assets
- Enforcing MFA
- Close monitoring of RDP and potentially risky services
- End-user awareness training
- Securing OT assets from external access
The documentation also covers preparing for cyber incidents, identity and access management, protective controls and architecture, vulnerability and configuration management, responding to cyber incidents, and resources.
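One way to put the "close monitoring of RDP" item into practice is a small detector over Windows Security logon events. The following is an added example written for this summary, not code from the CISA advisory: it parses a constructed, simplified one-line event format (real 4624/4625 events carry the same Event ID, logon type, user and source-address fields), flags sources with repeated failed RDP logons (Event ID 4625, logon type 10) inside a sliding window, escalates any such source that later logged on successfully, and lists RDP sources outside the assumed internal ranges as evidence that RDP is reachable from the internet. The log lines, the internal address ranges and the thresholds are assumptions chosen for the example.

```python
"""Flag RDP (logon type 10) brute-force attempts and RDP logons from outside
the internal address ranges in Windows Security events. Example code added to
this summary; it is not from the CISA advisory. Log lines are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

# Constructed sample events in a simplified one-line form:
# <ISO timestamp> EventID=<id> LogonType=<type> User=<name> Src=<ip>
SAMPLE_LOG = """\
2022-04-20T10:00:01 EventID=4625 LogonType=10 User=admin Src=203.0.113.7
2022-04-20T10:00:03 EventID=4625 LogonType=10 User=admin Src=203.0.113.7
2022-04-20T10:00:05 EventID=4625 LogonType=10 User=administrator Src=203.0.113.7
2022-04-20T10:00:06 EventID=4625 LogonType=10 User=backup Src=203.0.113.7
2022-04-20T10:00:08 EventID=4625 LogonType=10 User=admin Src=203.0.113.7
2022-04-20T10:00:09 EventID=4624 LogonType=10 User=admin Src=203.0.113.7
2022-04-20T10:05:00 EventID=4625 LogonType=10 User=jsmith Src=10.0.0.25
2022-04-20T10:05:40 EventID=4624 LogonType=10 User=jsmith Src=10.0.0.25
2022-04-20T11:00:00 EventID=4624 LogonType=3 User=svc_sql Src=10.0.0.30
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"User=(?P<user>\S+) Src=(?P<src>\S+)$"
)
RDP_LOGON_TYPE = "10"  # RemoteInteractive, i.e. RDP

# Assumed internal address ranges for this example (adjust to the real estate).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_events(text):
    """Parse the simplified log format into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.fromisoformat(d["ts"])
        events.append(d)
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Return {src_ip: max_failures} for sources with at least `threshold`
    failed RDP logons (4625, type 10) inside any sliding window of `window`."""
    failures = defaultdict(list)
    for e in events:
        if e["eid"] == "4625" and e["lt"] == RDP_LOGON_TYPE:
            failures[e["src"]].append(e["ts"])
    hits = {}
    for src, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1  # slide the window forward past old failures
            count = end - start + 1
            if count >= threshold:
                hits[src] = max(hits.get(src, 0), count)
    return hits


def successful_rdp_after_failures(events, hits):
    """Return the sources in `hits` that also achieved a successful RDP logon
    (4624, type 10); these are the first to hand to incident response."""
    return sorted({
        e["src"] for e in events
        if e["eid"] == "4624" and e["lt"] == RDP_LOGON_TYPE and e["src"] in hits
    })


def external_rdp_sources(events):
    """Return source IPs of RDP logon events (any outcome) that fall outside
    INTERNAL_NETS, i.e. evidence that RDP is reachable from outside."""
    srcs = set()
    for e in events:
        if e["lt"] != RDP_LOGON_TYPE:
            continue
        try:
            ip = ipaddress.ip_address(e["src"])
        except ValueError:
            continue
        if not any(ip in net for net in INTERNAL_NETS):
            srcs.add(e["src"])
    return sorted(srcs)


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    found = detect_rdp_bruteforce(evts)
    print("brute-force sources:", found)
    print("success after failures:", successful_rdp_after_failures(evts, found))
    print("external RDP sources:", external_rdp_sources(evts))
```

On the sample data the detector reports 203.0.113.7 for five failures in seven seconds, escalates it because a successful logon from the same source follows, and lists it as an external RDP source; the single failure from 10.0.0.25 stays below the threshold. In production the same logic would consume events from the Security channel or a SIEM, and the external-source list is the quicker win: any entry there means RDP is exposed and should be placed behind a VPN or gateway with MFA enforced.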