In a recent report issued by the State Service of Special Communications and Information Protection of Ukraine (SSSCIP) titled “Russia’s Cyber Tactics: Lessons Learned in 2022 — SSSCIP analytical report on the year of Russia’s full-scale cyberwar against Ukraine” readers obtained a 10,000-foot overview of what a hot cyberwar entails from the Ukrainian perspective.
The SSSCIP report highlights the major targets, the coordination between government-advanced persistent threat groups and “hacktivists”, espionage operations and influence operations, and the Ukrainian analysis and discoveries.
SSSCIP Deputy Chairman Victor Zhora highlights in his introduction that Ukraine has been both the active testing ground and the target of choice for Russia’s cyber efforts since 2014. He takes an interesting tack by noting that each attacker is a person being directed to achieve a given result and that the SSSCIP report attempts to include the human context in observed tactics, techniques, and procedures (TTP). Zhora notes that Russia has had some success but has not been successful overall due to the resilience of the Ukrainian defensive methodologies and the assistance of the many partners in defending Ukraine’s cyber landscape.
CISOs should take note of potential spillover from the war
Two of those partners, who have invested heavily both monetarily and technologically, are Microsoft and Google. Both entities have also recently published pieces providing optics into the Russian cyberwar against Ukraine. When reading these the CISO (and staff) should be looking to better understand the ramifications of any cyber spillover from the conflict between Russia and Ukraine.
The report notes that the Russian cyberwar is proceeding in lockstep with kinetic efforts directed against the Ukrainian energy sector, a shift that occurred in October 2022. The report also mentions that the purposes of Russian hackers have changed as well from a large number of attacks aimed at disruption to more precisely targeted spying and data theft. Of every 10 attacks, two or three are focused on the destruction of information and capability, while the remaining are focused on the acquisition of information using spear-phishing as the tool of choice to gain the requisite footholds.
The Gamaredon group of the Russian security service FSB is noted as being particularly active and successful in conducting operational forays into Ukrainian entities and exfiltrating a good deal of information, all of which falls under the “espionage” umbrella. Similarly, the GRU group Unit-74455 has been actively engaged in “wiper” attacks destroying data and capability. Interestingly, detection is happening predominately at the endpoint level (EDR) as compared to network or email servers.
Russia’s attacks focused heavily on infrastructure
The “most heavily attacked sector in terms of cyberespionage and aggressive operations from adversaries remains Ukraine’s civilian infrastructure, including government institutions and critical infrastructure (energy companies, commercial organisations, logistics companies)” and various government ministries. In addition, the defence organisations — both uniformed and civilian — are also targeted. The focus was “credential-harvesting to gain impersonated and legitimate access through email or VPN without 2FA for collecting data.”
Throughout the second half of 2022, Russia was targeting Security Service of Ukraine (SBU) personnel, “to compromise the Signal messenger accounts and leak data and impersonate users.” Similarly, the “Shliakh” system used by Ukrainian border guards was attacked. This system allows the border guards to check the identify of persons entering Ukraine.
The common goals of the Russian activities, even when not acting in a coordinated manner, “were mostly penetrating the energy segment and pursuing intelligence collection and data exfiltration.” Turning off the ability for Ukrainians, both civilian and government, to communicate and foster “disorganisation, and panic across the civilian population” is Russia’s goal in targeting the telecom sector. Without the capability to communicate or gain access to the internet, “civilians, as well as military personnel and intelligence officers, can’t coordinate to take action or call for help.”
Refugees are another Russian target
Microsoft in its posting pointed out that Russian influence operations were targeting Ukrainian refugees and that “Moscow’s propaganda machine has recently taken aim at Ukrainian refugee populations across Europe, trying to convince them that they could be deported and conscripted into the Ukrainian military.”
While Google noted that attacks on NATO countries “increased over 300 per cent … Russian government-backed attackers targeted users in Ukraine more than any other country. While we see these attackers focus heavily on Ukrainian government and military entities, the campaigns we disrupted also show a strong focus on critical infrastructure, utilities, and public services, and the media and information space.”
Inspiration for CISOs to review their own security
The SSSCIP provides us with some recommendations based on its experiences to help thwart and survive the cyberwar experience:
- Minimise credential theft — protect the identities of users. Multifactor authentication should be “everywhere”, and organisations should undertake “Active Directory hardening or migrate domain controllers to Azure AD).”
- Institute least-privileged access. “Secure access to the most sensitive and privileged accounts and systems.”
- Isolate legacy systems so they may not be used as a point of entry. For remote access, multifactor authentication is a must. “Remove or restrict outbound access wherever possible to mitigate egress-based kill chains…. Secure internet-facing systems and remote access solutions.”
- Trained and capable individuals coupled with defence-in-depth security solutions “can empower your organisation to identify, detect, and prevent intrusions impacting your business. Enabling native cloud workloads protection allows the identification and mitigation of known and novel threats to your network at scale.”
Cyberwar is no longer hypothetical — we are watching one play out as Ukraine defends itself against Russia and Russian-backed organisations. The lessons learned and shared by the Ukrainian SSSCIP are inspiration for CISOs to review their own security protocols and tactics. A thorough read of the SSCIP report, coupled with those from Google and Microsoft, will provide a plethora of opportunities to go to school off the “lessons learned” by Ukraine.