All through the continuing conflict on Ukraine, recognized and suspected Russian nation-state actors have compromised Ukrainian targets. They’ve used a mixture of strategies together with phishing campaigns, exploiting unpatched vulnerabilities in on-premises servers, and compromising upstream IT service suppliers. These menace actors have additionally developed and used harmful wiper malware or equally harmful instruments on Ukrainian networks.
Between late February and early April 2022, Microsoft noticed proof of almost 40 discrete harmful assaults that completely destroyed recordsdata in a whole lot of programs throughout dozens of organizations in Ukraine. After every wave of assaults, menace actors modified the malware to higher keep away from detection. Primarily based on these observations, we’ve developed strategic suggestions to world organizations on the way to strategy community protection within the midst of army battle.
Frequent Russian Intrusion Methods
Russia-aligned cyber operations have deployed a number of widespread techniques, strategies, and procedures. These embody:
- Exploiting public-facing functions or spear-phishing with attachments/hyperlinks for preliminary entry.
- Stealing credentials and leveraging legitimate accounts all through the assault life cycle, together with inside Energetic Listing Area Companies and thru digital personal networks (VPNs) or different distant entry options. This has made identities a key intrusion vector.
- Utilizing legitimate administration protocols, instruments, and strategies for lateral motion, counting on compromised administrative identities specifically.
- Using recognized, publicly accessible offensive capabilities, generally disguising them with actor-specific strategies to defeat static signatures.
- “Residing off the land” throughout system and community discovery, usually utilizing native utilities or instructions which are nonstandard for the environments.
- Leveraging harmful capabilities that entry uncooked file programs for overwrites or deletions.
5 Methods to Safeguard Your Operations
Primarily based on our observations in Ukraine to this point, we suggest taking the next steps to safeguard your group.
1. Decrease credential theft and account abuse: Defending consumer identities is a important element of community safety. We suggest enabling multifactor authentication (MFA) and identification detection instruments, making use of least-privilege entry, and securing probably the most delicate and privileged accounts and programs.
2. Safe Web-facing programs and distant entry options: Guarantee your Web-facing programs are up to date to probably the most safe ranges, usually evaluated for vulnerabilities and audited for adjustments to system integrity. Anti-malware options and endpoint safety can detect and forestall attackers, whereas legacy programs must be remoted to forestall them from changing into an entry level for persistent menace actors. Moreover, distant entry options ought to require two-factor authentication and be patched to probably the most safe configuration.
3. Leverage anti-malware, endpoint detection, and identification safety options: Protection-in-depth safety options mixed with educated, succesful personnel can empower organizations to establish, detect, and forestall intrusions impacting their enterprise. You too can allow cloud-protections to establish and mitigate recognized and novel community threats at scale.
4. Allow investigations and restoration: Auditing of key assets may help allow investigations as soon as a menace is detected. You too can stop delays and reduce dwell time for harmful menace actors by creating and enacting an incident response plan. Guarantee your small business has a backup technique that accounts for the chance of harmful actions and is ready to train restoration plans.
5. Overview and implement greatest practices for protection in depth: Whether or not your setting is cloud-only or a hybrid enterprise spanning cloud(s) and on-premises information facilities, we now have developed intensive assets and actionable steerage to assist enhance your safety posture and scale back threat. These safety greatest practices cowl matters like governance, threat, compliance, safety operations, identification and entry administration, community safety and containment, info safety and storage, functions, and companies.
What This Means for the International Cybersecurity Panorama
Because the conflict in Ukraine progresses, we count on to find new vulnerabilities and assault chains because of the continuing battle. This may power already well-resourced menace actors to reverse patches and perform “N-day assaults” tailor-made to underlying vulnerabilities. All organizations related to the battle in Ukraine ought to proactively shield themselves and monitor for comparable actions of their environments.
Microsoft respects and acknowledges the continuing efforts of Ukrainian defenders and the unwavering help offered by the nationwide Laptop Emergency Response Workforce of Ukraine (CERT-UA) to guard their networks and preserve service throughout this difficult time. For a extra detailed timeline of Russia’s cyber assault on Ukraine, discover the complete report.
Learn extra Companion Views from Microsoft.
