Our threat landscapes are ever changing. What’s considered cyber public enemy No. 1 today may fall dormant the next day. Shifts in the geopolitical landscape, such as the Russian invasion of Ukraine, can quickly paint new crosshairs from adversaries who previously weren’t interested. While as of writing, there is no credible intelligence of U.S. organizations being targeted, this could quickly shift based on international developments. Some of the mitigation techniques mentioned here may sound simplistic, but this is often because threat actors are seeking out the low hanging fruit from vulnerable organizations – unless they have a specific motive to target someone.
If we think ideologically for a moment, what would a foreign government attack in order to cause the biggest impact on a nation? The answer isn’t surprising: popular targets include critical infrastructure (such as power and water), manufacturing, communications and other organizations that could support the war effort if needed. Generally, a nation-state actor wouldn’t be interested in just any organization. We need to understand the motive behind the willingness to spend the time and resources needed to perform these attacks.
Any organization that provides these services should certainly be reviewing their threat landscape and, as the Cybersecurity & Infrastructure Security Agency puts it, have your “shields up.” It’s time to check the list of your unpatched, pushed aside vulnerabilities, and really hunker down and harden your systems. In this blog, I explore some of the threat actors and methods they’d most likely use to perform these attacks – plus ways to mitigate.
Active Since: 2004
Primary Methods of Intrusion: Phishing Messages, Credential Harvesting, Typosquatting
Motivation: Strategic Interests of the Russian Government
APT28, also known as FancyBear (among several other names), is a group of threat actors who have strong connections to the Russian General Staff Main Intelligence Directorate (GRU) and is suspected to be a part of the Russian Military Intelligence Unit. Reports from the threat intelligence community state that this group reportedly was involved with the compromise of the Democratic National Committee in 2016 in an attempt to disrupt and interfere with the U.S. presidential election. More recently, APT28 has been attributed to brute-forcing campaigns and exploiting publicly known vulnerabilities of Microsoft Exchange servers. Additionally, they’ve been witnessed working operations with Sandworm Team, another group of threat actors on this list.
Active Since: 2008
Primary Methods of Intrusion: Highly Effective Spear-Phishing Messages
Motivation: Information gathering and disruption of NATO and NATO allies along with countries of interest to Russian government.
APT29, also known as CozyBear, is a group of threat actors associated with the Russian government’s intelligence. Previous operations show them involved primarily with intelligence gathering on behalf of the government. They are highly sophisticated and often dwell within a compromised network for an extended period of time to gather as much information as possible. Most of their tools are custom built and they use numerous trojans and malware to breach a target. They’ve been attributed to attacking many foreign governments and the United States, going as far as breaching the Pentagon’s unclassified email system in 2015. More recently, they’ve been suspected by the threat intelligence community as responsible for the SolarWinds supply chain attack, but ultimately, there isn’t enough evidence to confirm these suspicions.
Sandworm Team (VoodooBear)
Active Since: 2009
Primary Methods of Intrusion: Spear-Phishing, Publicly Known Exploits and Zero-Day Exploits
Motivation: Destructive and aggressive attacks on behalf of Russia’s interests
SandWorm Team is a group that has been attributed to Russia’s General Staff Main Intelligence Directorate (GRU) and performs aggressive and destructive attacks on their behalf. This group was tied to the attacks in 2015 and 2016 against Ukrainian government and infrastructure companies, and most notoriously for the 2017 NotPetya attack. Most recently, they’ve being attributed to the HermeticWiper destructive malware currently being used during Russia’s invasion of Ukraine.
Active Since: 2019
Primary Methods of Intrusion: Phishing, Malicious File Downloads, Exposed Vulnerabilities, Cobalt Strike, TrickBot, IcedID
Conti Ransomware is a ransomware gang that has used spear-phishing emails with malicious word attachments, fake software promoted through search engine optimization, weak or stolen RDP credentials, and more. They are financially motivated as a ransomware gang, but recently have announced ideological support against those who “take action” against the Russian government during its invasion of Ukraine. After announcing their support for Russia, an insider of the group who supported Ukraine leaked numerous chats, logs and even the source code to the malware TrickBot. These leaks provided insight to show this group was extremely organized between “tiers of support” –knowledgebases on how to perform attacks – and selective targeting based on if a target had cybersecurity insurance or not.
When reviewing these threat actors, the one most likely to launch an attack against U.S.-based organizations is Conti Ransomware. This isn’t specifically due to the geopolitical developments in Eastern Europe, but more likely due to the fact that they’re opportunistic and target vulnerable organizations. This doesn’t mean the threat landscape can’t shift and the other groups begin to launch U.S.-based attacks.
Something to note about these groups is that they use phishing and malicious files as a delivery mechanism. User awareness training cannot be understated, as employees must be aware of how to identify suspicious and malicious emails. Organizations should ensure they have processes in place to report these emails to the right teams for review and support.
Below is a list of the most common tactics, techniques and procedures (TTPs) used by these threat actor groups. Organizations should review to make sure they have controls in place to detect/block these types of events.
|MITRE ATT&CK® Technique||Name||Tactic|
|T1059.003||Windows Command Shell||Execution|
|T1203||Exploitation for Client Execution||Execution|
|T1105||Ingress Tool Transfer||Command and Control|
|T1027||Obfuscated Files or Information||Defense-Evasion|