While we all watch with heavy hearts as Russia continues its invasion of Ukraine, it’s important for security practitioners to keep clear heads and ensure that countermeasures to the tactics, techniques, and procedures (TTPs) that Russia-based threat groups have recently employed have been applied in your organization.
To help, iON has combined the top takeaways from the SANS Institute’s excellent February 25 webcast led by Kevin Holvoet, Jake Williams, Tim Conway and Rob T. Lee along with some of our own guidance. But first, we’ll start with some background…
Over the years, Russia has established a reputation as a powerful and malicious cyber actor. Most of the money made through ransomware in 2021, for example, went to Russia-linked groups. Part of what makes Russia-based advanced persistent threat (APT) groups so formidable is the fact that many are not just state affiliated but appear to be state run.
- Members of the GRU’s Unit 74455 were indicted by the US DOJ for several cyber-attacks, including the 2017 NotPetya malware attack, which spread beyond its targets in Ukraine and infected millions of systems around the world. Analysts refer to these units collectively as APT 28, Sandworm, Voodoo Bear, Fancy Bear, and Tsar Team.
- Russia’s domestic security agency, the FSB, has been linked by Ukrainian intelligence to the “Gamaredon” hacking group.
- Members of the SVR, Russia’s primary civilian foreign intelligence service, were held responsible by the US government for hacking into political campaigns during the 2016 U.S. presidential election. Cyber analysts have referred to SVR hackers as APT 29, the Dukes, and Cozy Bear.
These groups, along with several hacktivist groups, have conducted a litany of disruptive attacks on Ukrainian targets. This includes one threat cluster without a known affiliation, assigned the temporary codename of DEV-0586, that is responsible for the destructive WhisperGate wiper attack that took place in Ukraine on January 15, 2022.
The Attack Methods
Russian activity groups have struck on multiple fronts as observed by SANS webcast presenter, Kevin Holvoet:
- Distributed Denial of Service (DDoS) attacks on government, military, financial, and telecom targets
- Destructive wipers: WhisperGate (Jan 13, 2022) and HermeticWiper (Feb 22, 2022)
- Espionage of both Ukraine and other international targets (CISA Alert AA22-047A)
- Website defacement
- Supply Chain attacks (Kitsoft-based)
- Influence/Disinformation Operations using SMS messages, social media, and other media
Key targets for these groups’ espionage activities have been Ukrainian Department of Defense systems, whereas several influence campaigns, including floods of disinformation on social media and via MMS messages, have targeted Ukrainian citizens.
One tactic that has rapidly grown is data theft, and the subsequent threat to publicize that data. This trend is likely to continue.
According to SANS presenter Jake Williams, Russian-backed groups have continued their use of signed device drivers for wiper malware. This method was confirmed in the 2015 attack on Ukraine’s power grid (using the KillDisk device driver), while recent attacks have employed HermeticWiper, which uses drivers from EaseUS Partition Master. Microsoft requires that only signed device drivers can load into the Windows kernel; this method abuses that requirement by loading a legitimately signed driver from another organization. Because the driver appears legitimate, recovery from this type of attack is difficult.
The Takeaways: Important Security Measures to Implement
- Maximize visibility at egress points. While your organization is hopefully doing this already, it’s important to log all communication through the perimeter using firewalls and/or NETFLOW. Make it a priority to review these logs for indicators of compromise and regularly check the websites of CISA and other trusted government agencies.
- Protect your organization against supply chain attacks through an inventory of your B2B VPNs and block all high-risk protocols on them. Some high-risk protocols include:
  - SSH (TCP Port 22)
  - MSRPC (TCP Port 135)
  - SMB (TCP Ports 139/445)
  - LDAP (TCP Port 389)
  - MSSQL (TCP Port 1433)
  - RDP (TCP Port 3389)
  - WinRM (TCP Ports 5985/5986)
- Monitor IP addresses used by attackers. A simple online search of “open-source IOCs” will direct you to several sources that identify the IP addresses currently and historically used by threat groups. You can then upload those IPs to your monitoring tools in case they use them again.
- Use the MITRE ATT&CK overlap matrix to inform your defense strategy. With the MITRE ATT&CK online knowledge base you can find information on threat groups, the TTPs they use, and defensive countermeasures you can implement.
- Prevent the loading of unknown device drivers. This is important if you believe your organization is at risk from wiper operations. If this is the case, and your tooling supports it, implement this policy to help prevent deployment of wiper malware.
- Monitor certificates users receive from secure sites. Verify that your current technology stack captures this information. Firewalls, for example, can be configured to capture certificates being used, as do endpoint protection solutions. A proxy server is typically where you can enforce a blacklist of certain certificates on your network.
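As an added illustration of the first three takeaways (egress logging, high-risk protocols on B2B VPNs, and IOC IP monitoring), the script below is example code written for this article, not part of the webcast or iON’s tooling. It assumes a simple comma-separated flow export (interface, source, destination, protocol, destination port, bytes), a set of interface names that carry B2B VPN traffic, and a constructed IOC list using documentation address ranges rather than real indicators.

```python
import ipaddress
from typing import NamedTuple

# High-risk protocols the webcast recommends blocking on B2B VPNs (from the article).
HIGH_RISK_PORTS = {22: "SSH", 135: "MSRPC", 139: "SMB", 445: "SMB",
                   389: "LDAP", 1433: "MSSQL", 3389: "RDP", 5985: "WinRM", 5986: "WinRM"}

# Constructed IOC list (documentation ranges, not real indicators); hosts and CIDRs both work.
IOC_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.7/32", "198.51.100.0/24")]

class Finding(NamedTuple):
    line_no: int
    reason: str
    record: str

def parse_flow(line: str) -> dict:
    """Parse one flow record of the assumed form: iface,src,dst,proto,dport,bytes."""
    iface, src, dst, proto, dport, nbytes = line.strip().split(",")
    return {"iface": iface, "src": src, "dst": ipaddress.ip_address(dst),
            "proto": proto.lower(), "dport": int(dport), "bytes": int(nbytes)}

def review_flows(lines, b2b_ifaces):
    """Return findings for IOC destinations and high-risk TCP services seen over B2B VPN interfaces."""
    findings = []
    for n, line in enumerate(lines, 1):
        if not line.strip() or line.startswith("#"):
            continue
        f = parse_flow(line)
        if any(f["dst"] in net for net in IOC_NETWORKS):
            findings.append(Finding(n, f"destination {f['dst']} matches IOC list", line.strip()))
        if f["iface"] in b2b_ifaces and f["proto"] == "tcp" and f["dport"] in HIGH_RISK_PORTS:
            svc = HIGH_RISK_PORTS[f["dport"]]
            findings.append(Finding(n, f"{svc} (tcp/{f['dport']}) over B2B VPN {f['iface']}", line.strip()))
    return findings

# Constructed sample flow records (iface,src,dst,proto,dport,bytes); not real traffic.
SAMPLE_FLOWS = """\
eth0,10.0.0.5,192.0.2.10,tcp,443,5120
tun-partnerA,10.0.0.9,172.16.5.20,tcp,445,98304
tun-partnerA,10.0.0.9,172.16.5.21,tcp,443,2048
eth0,10.0.0.7,203.0.113.7,tcp,8443,770
tun-partnerB,10.0.0.3,198.51.100.42,tcp,3389,40960
""".splitlines()

if __name__ == "__main__":
    for hit in review_flows(SAMPLE_FLOWS, {"tun-partnerA", "tun-partnerB"}):
        print(f"line {hit.line_no}: {hit.reason}")
```

Feeding the same function a real NetFlow or firewall export and the IOC list you maintain turns the review step into a repeatable check rather than a manual read-through.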
Overall, the tools and tactics Russia has deployed are certainly not unique, and by the same token the recommendations listed above will protect against more than just Russian threat actors. In general, it’s important to maintain the fundamentals of a sound cybersecurity practice aligned to the CIS Critical Security Controls. Make sure your log collection and retention are robust and keep an eye out for any behavioural evidence of unusual activity or host-based artifacts. While defending against wiper deployment methods is important, it is crucial to test your back-up and recovery plans and ensure your backed-up data is free of malware. This practice should be part of a detailed and well-maintained incident response plan.
Finally, for organizations with industrial control systems (ICS), be vigilant for any anomalous equipment behaviour, such as unexpected reboots of digital controllers or other OT systems, and investigate any suspicious delays or disruptions in communications with field equipment or other OT devices.
Above all, stay informed about the latest threats. Two trusted sources are the Alerts and Advisories page of the Canadian Centre for Cyber Security and CISA’s National Cyber Awareness System Alerts page. Additionally, CISA has created a page dedicated to Russian Cyber Threats that is a resource worth regularly reviewing during the current crisis.
Russia’s cyber activities have shown us that twenty-first century conflicts are fought on multiple fronts, so having a sound cybersecurity practice in place is more important now than ever.
SANS Ukraine-Russia Conflict Cyber Resource Center: www.sans.org/blog/ukraine-russia-conflict-cyber-resource-center.