Disclaimer: LMNTRIX neither supports nor condones illegal acts of hacking and/or cyber war-like campaigns in any form. As a cyber defense company, we refuse to take sides with Russia or Ukraine. LMNTRIX and the researchers in our Cyber Defense Centers strictly adhere to the morals, ethics, laws and the true spirit of freedom, where we live and let others live in peace. These views are strictly personal, and they do NOT represent LMNTRIX as a company.
While we have not yet given Russia’s nation-state threat actors a full article of their own, as we have for other actors in this series, the war in Ukraine has given security researchers ample opportunity to study how cyber warfare tactics are currently manifesting themselves. It is not only the present reality that concerns security researchers but also the impact this war will have on the future of defending IT infrastructure.
Previously, we explored how cyber criminals were looking to take advantage of the war for their financial benefit. In this article, we will look at how state-sponsored threat groups are looking to further Russia’s military objectives and how Ukraine is combating these attempts.
Cyber Warfare Scenarios Played Out in Real-Time
Over the past year we have seen the Russian military employ several measures to assist in its invasion of Ukraine. While many of these measures closely resemble previously seen tactics and techniques, the motivation for their deployment often differs from previous years. This has led several prominent security researchers and big tech firms to dedicate time to studying them so that defensive strategies can be modified to prevent disaster.
While the situation on the ground in the conventional war has seen several fluctuations, all of which have received significant coverage in the media, the war on the cyber front has garnered only passing mention. However, this war has notable consequences not only for Ukraine as that nation looks to defend its borders and statehood, but for North Atlantic Treaty Organisation (NATO) aligned countries and any state that finds itself in Russia’s crosshairs.
A Brief History of Russia’s Cyber Operations in the War
Commenting on cyber activity at the start of the war, Microsoft stated in its Microsoft Digital Defense Report 2022,
“Microsoft observed threat actors associated with the Russian military launch multiple waves of destructive cyberattacks against nearly 50 distinct Ukrainian agencies and enterprises and espionage-focused intrusions against many others. Excluding operations against online services customers, 64 percent of Russian threat activity against known targets was directed at Ukraine-based organizations between late February and June.”
A large majority of these attacks on Ukrainian agencies and enterprises were designed to cause significant disruption to operations and to support the conventional war being fought at the outset of the invasion. As time has passed and Russian objectives have moved from a lightning strike to quickly replace the Ukrainian government with one more aligned with Moscow, to a war of attrition sometimes resembling the trenches of World War One, so too have the cyber warfare objectives.
Now, operations tend to focus on disrupting the transport of humanitarian assistance and military hardware. Operations also target Ukrainian non-combatants, as many of the attacks seen have targeted the public sector and the citizenry’s access to information through the media. The UN Crisis Coordinator for Ukraine said that at least 15.7 million people in Ukraine were in urgent need of humanitarian assistance; this number will only grow as the war rages, and disruptions to the network responsible for distributing humanitarian aid will place lives at risk.
This is in line with Russia’s current objective of striking critical infrastructure, leaving civilians without access to electricity and other services. The destruction is often done with missiles, but security researchers have also seen malware deployed against critical infrastructure. It is not just Ukraine, whether its government agencies, enterprises, or the public at large, that is targeted. NATO members and those perceived as its allies have also come under increased attack.
The same Microsoft report states,
“Outside of Ukraine, Microsoft detected Russian network intrusion efforts against 128 organizations in 42 countries between late February and June. The United States was Russia’s number one target. Poland, through which much of the international military and humanitarian assistance to Ukraine transits, also became a significant target during this period. Threat actors affiliated with the Russian state pursued organizations in Baltic countries and computer networks in Denmark, Norway, Finland [Applied for NATO membership following the invasion.], and Sweden [Despite a history of neutrality, Sweden applied for NATO membership following the invasion, drawing much ire from the powers that be in Moscow.] in April and May as well.”
Russian Cyber Warfare in the Spotlight
With that very brief summary of the situation so far out of the way, it is important to go into more detail regarding current tactics and techniques.
Spear Phishing Tactics
Over the year that the war has been fought, various Russian state-sponsored groups, including ACTINIUM, NOBELIUM, STRONTIUM, DEV-0257, SEABORGIUM, and IRIDIUM, have used spear phishing to gain initial access to both Ukrainian targets and those further afield. Some groups favor account spoofing to lure the victim into clicking a link or downloading a malicious attachment.
Others, like NOBELIUM, have used compromised accounts belonging to diplomats to disguise malicious mail as diplomatic communications. SEABORGIUM favors a different approach, using lures related to reporting on the Ukraine conflict to gain initial access to accounts at international affairs think tanks in the Nordic countries.
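The lures described above share a few header-level tells that a mail gateway or a SOC triage script can check for: a sender domain that imitates one the recipient trusts, a Reply-To that quietly redirects answers elsewhere, and an attachment type suited to carrying a first-stage payload. The following is an added example written for this article (not code from the page, Microsoft, or LMNTRIX); the two messages, the allow-list of trusted domains and the extension list are all constructed, and in practice the allow-list would come from the organisation’s own correspondence history.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not real captures). The first imitates a diplomatic
# communication sent from a look-alike domain with a hidden Reply-To and a macro-enabled
# attachment; the second is a benign internal message.
LURE_EMAIL = """From: "Embassy Press Office" <press.office@embassy-example.co>
Reply-To: "Embassy Press Office" <replies@mail-collector.example>
To: analyst@thinktank.example
Subject: Briefing on humanitarian corridors
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review the attached briefing on the latest corridor arrangements.
--b1
Content-Type: application/octet-stream; name="briefing.docm"
Content-Disposition: attachment; filename="briefing.docm"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

CLEAN_EMAIL = """From: "Research Desk" <desk@thinktank.example>
To: analyst@thinktank.example
Subject: Weekly reading list
Content-Type: text/plain

Links for this week are on the intranet page.
"""

# Hypothetical allow-list of domains the organisation normally corresponds with.
TRUSTED_DOMAINS = {"embassy-example.org", "thinktank.example"}

# File types that should not arrive unannounced from outside the organisation.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".hta", ".iso", ".lnk", ".docm", ".xlsm"}


def _domain(address):
    """Lower-cased domain part of an e-mail address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def _edit_distance(a, b):
    """Levenshtein distance, used to spot single-character look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _lookalike_of(domain, trusted):
    """Return the trusted domain that `domain` imitates (same name under another TLD, or
    one character away), or None if `domain` is trusted or resembles nothing."""
    if not domain or domain in trusted:
        return None
    name = domain.rsplit(".", 1)[0]
    for t in sorted(trusted):
        if t.rsplit(".", 1)[0] == name or _edit_distance(domain, t) <= 1:
            return t
    return None


def assess_message(raw, trusted=TRUSTED_DOMAINS):
    """Return the list of spoofing indicators found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    indicators = []

    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)

    # Replies silently redirected to a domain other than the apparent sender's.
    reply_to = msg.get("Reply-To")
    if reply_to and _domain(parseaddr(reply_to)[1]) != from_domain:
        indicators.append("reply_to_mismatch")

    # Sender domain that imitates one the recipient trusts.
    target = _lookalike_of(from_domain, trusted)
    if target:
        indicators.append(f"lookalike_domain:{target}")

    # Attachment types commonly used to deliver a first-stage payload.
    for part in msg.walk():
        name = part.get_filename()
        if name and any(name.lower().endswith(ext) for ext in RISKY_EXTENSIONS):
            indicators.append(f"suspicious_attachment:{name}")

    return indicators


if __name__ == "__main__":
    print("lure :", assess_message(LURE_EMAIL))
    print("clean:", assess_message(CLEAN_EMAIL))
```

None of these indicators is conclusive on its own; the point of scoring them together is that a message from a compromised but genuine account (the NOBELIUM case) will pass the domain checks and only trip on the attachment or Reply-To, so the attachment and link checks need to be applied even to mail from trusted domains.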
Targeting IT Services Supply Chain
Security researchers have seen DEV-0586 targeting the IT services supply chain. The basic methodology is to compromise an enterprise that supplies IT services to other organizations; once the provider is compromised, the threat actor hopes to gain access to the provider’s customers, which are often described as downstream in the supply chain. In the case of DEV-0586, the threat actors compromised the network of an IT firm that built resource management systems for Ukraine’s Ministry of Defense. It is easy to see how compromising upstream services can be an advantage to Russia’s war effort.
Initial Access Granted Through Public-facing Applications
In 2021, security researchers discovered that the advanced persistent threat (APT) group tracked as STRONTIUM by Microsoft was developing and refining tactics to abuse public-facing applications such as Microsoft’s Exchange Server. Initial access is gained by exploiting unpatched vulnerabilities in these applications, which serves as another reminder to keep software up to date with patch releases.
STRONTIUM used these tactics to gain initial access to several Ukrainian government agencies. DEV-0586 has also been known to use similar tactics and was seen in the wild exploiting Confluence server vulnerabilities to gain initial access to government and IT sector organizations in Ukraine and other Eastern European countries.
Gaining Administrative Account Access for Lateral Movement
Another favored tactic of Russian state-sponsored threat groups is to gain access to IT infrastructure through legitimate account details, more often than not spear phished directly from employees of the organization. The ultimate goal is to obtain the credentials of an administrative account with high privileges, which allows lateral movement and the ability to remain undetected for extended periods. Microsoft stated,
“Microsoft observed Russian state actors leveraging legitimate accounts and software utilities used to perform basic maintenance tasks to evade detection for as long as possible. They relied on compromised identities with administrative capabilities and valid administration protocols, tools, and methods to move laterally within networks without immediately attracting the attention of automated monitors and network defenders.”
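Because the accounts and tools in this pattern are legitimate, signature-based controls see nothing wrong; what stands out is the behaviour of an administrative identity touching many hosts in a short burst over normal administration protocols. The script below is an added example illustrating one such check (not code from the page, Microsoft, or LMNTRIX): it reads a constructed sample of Windows Security logon events (event 4624, logon types 3 and 10) and flags admin accounts whose remote logons fan out to several distinct hosts within a short window. The account names, hosts, addresses, threshold and window are all hypothetical and would be tuned to an environment’s baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Windows Security log sample, reduced to the fields the check needs
# (not real telemetry). Event 4624 is a successful logon; logon type 3 is a network
# logon (SMB, WMI, remote service control) and type 10 is RemoteInteractive (RDP).
SAMPLE_EVENTS = [
    {"time": "2023-02-20T08:55:00", "event_id": 4624, "account": "it-admin", "logon_type": 2, "host": "WS-IT-01", "source_ip": "-"},
    {"time": "2023-02-20T09:00:05", "event_id": 4624, "account": "svc-backup", "logon_type": 3, "host": "FS01", "source_ip": "10.0.5.20"},
    {"time": "2023-02-20T09:30:00", "event_id": 4624, "account": "svc-backup", "logon_type": 3, "host": "FS02", "source_ip": "10.0.5.20"},
    {"time": "2023-02-20T14:02:10", "event_id": 4624, "account": "it-admin", "logon_type": 3, "host": "DC01", "source_ip": "10.0.7.44"},
    {"time": "2023-02-20T14:03:02", "event_id": 4624, "account": "it-admin", "logon_type": 3, "host": "FS01", "source_ip": "10.0.7.44"},
    {"time": "2023-02-20T14:03:40", "event_id": 4624, "account": "it-admin", "logon_type": 10, "host": "WS-HR-07", "source_ip": "10.0.7.44"},
    {"time": "2023-02-20T14:04:55", "event_id": 4624, "account": "it-admin", "logon_type": 3, "host": "WS-FIN-03", "source_ip": "10.0.7.44"},
    {"time": "2023-02-20T14:06:12", "event_id": 4624, "account": "it-admin", "logon_type": 3, "host": "FS02", "source_ip": "10.0.7.44"},
    {"time": "2023-02-20T14:07:00", "event_id": 4624, "account": "j.doe", "logon_type": 3, "host": "FS01", "source_ip": "10.0.9.12"},
    {"time": "2023-02-20T14:07:30", "event_id": 4624, "account": "j.doe", "logon_type": 3, "host": "FS02", "source_ip": "10.0.9.12"},
    {"time": "2023-02-20T14:08:00", "event_id": 4624, "account": "j.doe", "logon_type": 3, "host": "PRINT01", "source_ip": "10.0.9.12"},
    {"time": "2023-02-20T14:08:30", "event_id": 4624, "account": "j.doe", "logon_type": 3, "host": "DC01", "source_ip": "10.0.9.12"},
]

# Hypothetical set of accounts holding administrative rights; in practice this comes
# from the directory (privileged group membership), not from a hard-coded set.
ADMIN_ACCOUNTS = {"it-admin", "svc-backup"}

WINDOW = timedelta(minutes=10)   # how quickly the fan-out has to happen
FANOUT_THRESHOLD = 4             # distinct hosts within the window that trigger an alert
REMOTE_LOGON_TYPES = {3, 10}


def detect_admin_fanout(events, admin_accounts=ADMIN_ACCOUNTS, window=WINDOW,
                        threshold=FANOUT_THRESHOLD):
    """Flag administrative accounts whose remote logons reach `threshold` or more distinct
    hosts inside `window`. Each alert carries the account, the source address of the first
    logon in the burst, and the hosts touched. Non-admin accounts are ignored because the
    tactic being detected is the abuse of accounts that already hold admin rights."""
    per_account = defaultdict(list)
    for e in events:
        if e["event_id"] != 4624 or e["logon_type"] not in REMOTE_LOGON_TYPES:
            continue
        if e["account"] not in admin_accounts:
            continue
        per_account[e["account"]].append(
            (datetime.fromisoformat(e["time"]), e["host"], e["source_ip"]))

    alerts = []
    for account, logons in per_account.items():
        logons.sort()
        for i, (start, _, source_ip) in enumerate(logons):
            # Every logon in the window that opens at this event.
            hosts = {host for t, host, _ in logons[i:] if t - start <= window}
            if len(hosts) >= threshold:
                alerts.append({
                    "account": account,
                    "source_ip": source_ip,
                    "window_start": start.isoformat(),
                    "hosts": sorted(hosts),
                })
                break  # one alert per account is enough to open a triage case
    return alerts


if __name__ == "__main__":
    for alert in detect_admin_fanout(SAMPLE_EVENTS):
        print(alert)
```

The scheduled backup account touches two file servers half an hour apart and is left alone, while the burst from it-admin across a domain controller, two file servers and two workstations inside four minutes is surfaced with the single source address behind it, which is the pivot host an analyst would look at first. A real deployment would baseline each admin account’s usual host set and source addresses rather than using one global threshold.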
Real-World Deployment of Tactics
It is important to note that none of these tactics are new; they have been favored tactics and techniques for some years now. However, in the context of the war, two attack campaigns have stood out due to their potential for destruction.
IRIDIUM Deploys Industroyer2
As early as the sixth week of the war, Russian groups were looking to deploy destructive malware. Security researchers reported that attempts to deploy the malware tracked as Industroyer2 were being carried out by IRIDIUM in a campaign to disrupt critical services. Industroyer2 can be used in conjunction with another malware payload, Sandworm, to render Industrial Control Systems (ICS) inoperable. This combination is often deployed against Ukraine’s electricity network and can cause significant blackouts, as Ukraine experienced before the war.
Several other forms of destructive malware have been deployed since the start of the war. These operations are carried out in support of the conventional war being fought. Sadly, they can also have a terrible impact on innocent civilians, including children and the elderly. While Ukraine is no stranger to defending against these cyber attacks, the possibility of malware knocking out the power grid still likely keeps Ukrainians up at night if the bombs and missiles don’t do the same.
Ukraine’s Cyber Defense
How Ukraine has looked to defend itself against cyber attacks while in the middle of a war could fill an article in itself. Exactly how it has achieved what it has is a lesson to other nations on how to harden IT networks and critical infrastructure against such attacks. The Financial Times summarised its effective tactics by stating,
“Kyiv’s cyber tactics — including switching data to the cloud, partnerships with western companies, and using Elon Musk’s mobile Starlink terminals to connect to the internet via satellite — have proved highly effective. Ukraine’s defenses have also been shored up by a £6mn package of IT support and help in detecting Russian cyber threats provided by the UK”
One Year On, while the war still rages on…
The war has just passed a significant and tragic milestone: it has been a year since the invasion and the subsequent war fought within the borders of the sovereign territory of Ukraine. While the cyber war currently playing out does not result in the direct loss of life that the conventional war does, information stolen by Russian forces can be used to their military’s benefit. The loss of life is therefore facilitated by the cyber war being played out. It is hoped humanity will learn some of the lessons this war is trying to teach us.