Russian Cyber Playbook

Russia’s invasion of Ukraine on February 24, 2022, followed escalating cyber operations, categorized into six phases, as Russian troops amassed at the border.

Beyond the focus on wipers, Russian military intelligence (GRU) utilizes a unified wartime capability, incorporating cyber and information operations in Ukraine.

To help defenders, cybersecurity researchers at Mandiant have outlined the GRU’s disruptive playbook.

By understanding the GRU’s playbook, defenders can better defend themselves against these attacks.

PlayBook of GRU (Source – Mandiant)

UNC3810 used the CADDYWIPER malware to delete data from a Ukrainian government entity’s computer systems. 

During the fifth phase of the war, the attack took place on December 31, 2022. The attack was part of a renewed campaign of disruptive attacks by UNC3810.

Disruptive Playbook of GRU

Mandiant Intelligence has observed that the GRU has been employing a tried-and-true playbook to achieve its information warfare goals since Russia invaded Ukraine.

With this sophisticated playbook and its TTPs, the GRU protected its presence and persistence on targeted networks so that it could accomplish its goals and operations.

The five operational phases are:

  • Living on the Edge: Exploiting compromised, hard-to-detect routers, VPNs, firewalls, and mail servers for initial and renewed entry into targets.
  • Living off the Land: Target networks are infiltrated covertly using native tools to minimize malware trace and avoid detection while conducting reconnaissance, lateral movement, and data theft.
  • Going for the GPO: A proven PowerShell script establishes enduring privileged access to facilitate wiper deployment through group policy objects (GPO).
  • Disrupt and Deny: Versatile deployment of minimal-risk disruptive tools, including “pure” wipers and ransomware, tailored to various scenarios and contexts.
  • Telegraphing “Success”: Irrespective of operational impact, the narrative of effective disruption is magnified through a sequence of hacktivist personas on Telegram.
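
One way to watch for the "Going for the GPO" phase, as an added example that is not from Mandiant or the original article: it triages Windows Security event 5136 (directory object modified) records for GPO edits made by unapproved accounts or edits that switch on a code-running client-side extension. The account names, domain, shortened GPO ids and events are constructed, and the admin allowlist is an assumption.

```python
# Added example: triage Security event 5136 records for risky GPO edits.
# Client-side extension GUIDs that make a GPO run code on machines it applies to.
EXEC_CSES = {
    "{AADCED64-746C-4633-A97C-D61349046527}": "scheduled task",
    "{42B5FAAE-6536-11D2-AE5A-0000F87571E3}": "startup/logon script",
}
GPO_ADMINS = {"gpo-admin"}  # assumption: accounts approved to edit GPOs here
POLICIES = ",CN=Policies,CN=System,DC=example,DC=test"  # constructed domain

def ev(user, gpo, attr, value, op="Value Added"):
    """Build one constructed record using the 5136 EventData field names."""
    return {"SubjectUserName": user, "ObjectDN": "CN={" + gpo + "}" + POLICIES,
            "ObjectClass": "groupPolicyContainer",
            "AttributeLDAPDisplayName": attr,
            "AttributeValue": value, "OperationType": op}

# Scheduled Tasks extension paired with its tool extension, as stored in the GPO.
TASK_EXT = ("[{AADCED64-746C-4633-A97C-D61349046527}"
            "{CAB54552-DEEA-4691-817E-ED4A4D1AFC72}]")
SAMPLE = [  # constructed events, not taken from any real incident
    ev("gpo-admin", "1111", "versionNumber", "7"),
    ev("svc-backup", "2222", "gPCMachineExtensionNames", "", op="Value Deleted"),
    ev("svc-backup", "2222", "gPCMachineExtensionNames", TASK_EXT),
    ev("svc-backup", "2222", "versionNumber", "2"),
]

def review_gpo_changes(events, admins=GPO_ADMINS):
    """Return a finding per GPO write that is unapproved or enables code execution."""
    ext_attrs = ("gPCMachineExtensionNames", "gPCUserExtensionNames")
    findings = []
    for e in events:
        # Only GPO objects, and only the new value of each modification.
        if e["ObjectClass"] != "groupPolicyContainer":
            continue
        if e["OperationType"] != "Value Added":
            continue
        reasons = []
        if e["SubjectUserName"].lower() not in admins:
            reasons.append("editor not on GPO admin allowlist")
        if e["AttributeLDAPDisplayName"] in ext_attrs:
            reasons += ["enables " + label for guid, label in EXEC_CSES.items()
                        if guid in e["AttributeValue"].upper()]
        if reasons:
            gpo = e["ObjectDN"].split(",", 1)[0][len("CN="):]
            findings.append({"gpo": gpo, "user": e["SubjectUserName"],
                             "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in review_gpo_changes(SAMPLE):
        print(f["gpo"], f["user"], "; ".join(f["reasons"]))
```

Event 5136 is only logged when Directory Service Changes auditing is enabled and the GPO containers carry an audit entry (SACL) for writes.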

The GRU’s standard concept of operations is a clear indication that the GRU is intent on escalating its cyberwarfare activities.

The GRU’s playbook is a game-changer in the cyberwar in Ukraine since it’s helping Russia to achieve its wartime goals.

The GRU’s repeated use of the same tradecraft is a clear indication that they are comfortable with it and it is effective as well.

The GRU’s disruptive playbook aims to harness the full power of information confrontation, which Russia defines as the use of information and communication technologies to achieve strategic objectives.

Together, these capabilities are known as:

  • KRIKS (Cryptographic reconnaissance of information and communication systems)
  • ITV (Information-technical effects)
  • IPV (Information-influence effects)

Information confrontation (Source – Mandiant)

UNC3810 is a GRU-linked threat group that has conducted disruptive operations against Ukraine and other targets.

It has also stolen credentials from a wide range of organizations, including government agencies and private businesses.

Hacktivist Identities In Disruptive Operations

The identities involved in these disruptive operations are:

  • CyberBerkut
  • CyberCaliphate
  • Yemeni Cyber Army
  • Guccifer 2.0
  • AnPoland
  • Fancy Bears’ Hack Team
  • CyberArmyofRussia_Reborn
  • XakNet Team
  • Infoccentr
  • Free Civilian

Russia’s GRU strategically employs disruptive operations in Ukraine, effectively aligning strategic priorities for espionage and attack while integrating cyber and information operation capabilities into a compatible playbook applicable to various Russian threat clusters.

The playbook Mandiant observed in Russia’s war in Ukraine shares similarities with financially motivated ransomware operations: exploiting edge infrastructure vulnerabilities for initial access, leveraging living-off-the-land techniques, and modifying GPOs for malware propagation.

These converging tactics aim to minimize breakout time and maximize disruption, so defending against Russia’s cyber playbook also offers carry-over benefits for countering ransomware groups’ tradecraft.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.