Amidst the conflict between Russia and Ukraine, US-led sanctions have created a very real concern that there will be retaliatory cyberattacks directed towards US organizations as well as those based in allied countries. With many of our federal departments and entities still failing to comply with the Canadian government’s cybersecurity framework, this has created a situation where large amounts of sensitive government information could potentially be exposed.
For example, in 2020, an unnamed crown corporation was compromised leading to several government departments experiencing significant data breaches. In 2022 where we are now on heightened alert during this global crisis, this is simply unacceptable, and the Canadian government has responded by rolling out a cybersecurity framework that aims to place government insitutions under a single, secure perimeter.
Private organizations and enterprises, then should also respond by rolling out heightened cybersecurity protections over the coming few weeks. Enterprises of all shapes and sizes should be on heightened alert for potential cyber attacks.
With this in mind, here is a quick guide to help you prepare for a potential Russian cyberattack:
Assess your Exposure:
It should be important to note that not every organization is going to face the same amount of exposure from this conflict. For example, organizations based in Ukraine should expect to experience a lot more criminal activity than one based in, say Canada. However, organizations that have done or are doing business in Ukraine or any surrounding regions should be careful.
Make Sure your Foundational Elements are in Place:
Russian Advanced Persistent Threats (APTs) follow similar playbooks to other groups – meaning that their tactics are not usually secrets. This means that preparing for these threats usually requires that special attention be paid to the basics, which includes things like regular patching, installing MFA and endpoint protection across your devices. Pay special attention to windows environments, make sure routers are updated, and always have a secure password.
Prepare for Ransomware and Backup Critical Systems:
A targeted cyber attack will either use ransomware or a wiper attack such as HermeticWiper that poses as ransomware. The best way to defend against this is to ensure that up-to-date backups are kept., Now Is the ideal time for organizations to test their backup and recovery plan, as well as testing the continuity of operations plan in case your network or other key systems are disabled in the event of an attack.
Secure your Network:
Minor policy changes can decrease the likelihood of a successful attack against your network. Many applications can be abused even if they are not necessarily malicious on their own. If your organization doesn’t require their functionality, blocking them will improve your security posture.
Harden External Facing Areas:
We have seen threat actors exploit technology in order to gain unauthorized remote access. You can do this by identifying, enumerating, and hardening externally facing assets. One way to do this is through MFA for externally facing services.
Hunt and Emulate Active Threats:
Running threat hunting engagements can be vital in detecting adversaries before they install spyware or cause serious destruction. For threat hunting, it is recommended that you use the known Tactics, Techniques and Procedures (TTPs) commonly use by Russian APTs. Running these emulation exercises can uncover configuration problems and blindspots that attackers might leverage to move around in your network undetected.
Here is a list of common threats, techniques and procedures used by Russian APTs:
|Reconnaissance [TA0043]||Active Scanning: Vulnerability Scanning [T1595.002]|
|Russian state-sponsored APT (Advanced Persistent Threat) actors have performed large-scale scans to find vulnerable servers.|
|Phishing for Information [T1598]||Russian state-sponsored APT actors have conducted spear phishing campaigns to gain credentials of target networks.|
|Resource Development [TA0042]||Develop Capabilities: Malware [T1587.001]||Russian state-sponsored APT actors have developed and deployed malware, including ICS-focused destructive malware.|
|Initial Access [TA0001]||Exploit Public Facing Applications [T1190]||Russian state-sponsored APT actors target publicly known vulnerabilities, as well as zero-days, in internet-facing systems to gain access to networks.|
|Supply Chain Compromise: Compromise Software Supply Chain [T1195.002]||Russian state-sponsored APT actors have gained initial access to victim organizations by compromising trusted third-party software. Notable incidents include M.E.Doc accounting software and SolarWinds Orion.|
|Execution [TA0002]||Command and Scripting Interpreter: PowerShell [T1059.003] and Windows Command Shell [T1059.003]||Russian state-sponsored APT actors have used cmd.exe to execute commands on remote machines. They have also used PowerShell to create new tasks on remote machines, identify configuration settings, exfiltrate data, and execute other commands.|
|Persistence [TA0003]||Valid Accounts [T1078]||Russian state-sponsored APT actors have used credentials of existing accounts to maintain persistent, long-term access to compromised networks.|
|Credential Access [TA0006]||Brute Force: Password Guessing [T1110.001] and Password Spraying [T1110.003]||Russian state-sponsored APT actors have conducted brute-force password guessing and password spraying campaigns.|
|OS Credential Dumping: NTDS [T1003.003]||Russian state-sponsored APT actors have exfiltrated credentials and exported copies of the Active Directory database ntds.dit.|
|Steal or Forge Kerberos Tickets: Kerberoasting [T1558.003]||Russian state-sponsored APT actors have performed “Kerberoasting,” whereby they obtained the Ticket Granting Service (TGS) Tickets for Active Directory Service Principal Names (SPN) for offline cracking.|
|Credentials from Password Stores [T1555]||Russian state-sponsored APT actors have used previously compromised account credentials to attempt to access Group Managed Service Account (gMSA) passwords.|
|Exploitation for Credential Access [T1212]||Russian state-sponsored APT actors have exploited Windows Netlogon vulnerability CVE-2020-1472 to obtain access to Windows Active Directory servers.|
|Unsecured Credentials: Private Keys [T1552.004]||Russian state-sponsored APT actors have obtained private encryption keys from the Active Directory Federation Services (ADFS) container to decrypt corresponding SAML (Security Assertion Markup Language) signing certificates.|
|Command and Control [TA0011]||Proxy: Multi-hop Proxy [T1090.003]||Russian state-sponsored APT actors have used virtual private servers (VPSs) to route traffic to targets. The actors often use VPSs with IP addresses in the home country of the victim to hide activity among legitimate user traffic.|
Need Help Securing your Network?
Over the past few weeks, the Stratejm intelligence team has been closely following the unfolding geopolitical situation in Europe and have experienced greatly increased activity from Russian state-backed threat actors. Stratejm recommends that all organizations proactively prepare to defend against this potential threat. That being said, we understand that each and every organization is at a different stage in their security journey, and may be caught unprepared during this time. Stratejm is here to help. Our Security-as-a-Service (SECaaS) platform utilizes a purpose-built secure multi-tenant Canadian and delivers end-to-end protection against common techniques and tactics used by Russian APT actors. Our turnkey solution ensures that we will get your data protected in weeks, and not months.
Contact us today to find out how we can help secure your data during this critical time.