
Once isolated occurrences, nation-state attacks are now commonplace; security professionals should know the elements of defense.

Microsoft Security, Microsoft

November 29, 2022

Image: Ukrainian flag with a target overlaid, a metaphor for a nation under attack (Source: M-SUR via Alamy Stock Photo)

Throughout the ongoing war on Ukraine, known and suspected Russian nation-state actors have compromised Ukrainian targets. They’ve used a combination of techniques including phishing campaigns, exploiting unpatched vulnerabilities in on-premises servers, and compromising upstream IT service providers. These threat actors have also developed and used destructive wiper malware or similarly destructive tools on Ukrainian networks.

Between late February and early April 2022, Microsoft saw evidence of nearly 40 discrete destructive attacks that permanently destroyed files in hundreds of systems across dozens of organizations in Ukraine. After each wave of attacks, threat actors modified the malware to better avoid detection. Based on these observations, we’ve developed strategic recommendations to global organizations on how to approach network defense in the midst of military conflict.

Common Russian Intrusion Techniques

Russia-aligned cyber operations have deployed several common tactics, techniques, and procedures. These include:

  • Exploiting public-facing applications or spear-phishing with attachments/links for initial access.

  • Stealing credentials and leveraging valid accounts throughout the attack life cycle, including within Active Directory Domain Services and through virtual private networks (VPNs) or other remote access solutions. This has made identities a key intrusion vector.

  • Using valid administration protocols, tools, and methods for lateral movement, relying on compromised administrative identities in particular.

  • Utilizing known, publicly available offensive capabilities, sometimes disguising them with actor-specific methods to defeat static signatures.

  • “Living off the land” during system and network discovery, often using native utilities or commands that are nonstandard for the environments.

  • Leveraging destructive capabilities that access raw file systems for overwrites or deletions.
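Two of the techniques in the list above, the use of valid (often administrative) accounts and "living off the land" with native utilities that are nonstandard for the environment, are hard to catch with static signatures because nothing malicious is ever dropped on disk. What does catch them is a per-host baseline. The script below is an added example, not code from the article or from Microsoft: it learns from a baseline window which native Windows utilities each host normally runs and which hosts each privileged account normally operates on, then flags deviations in a later window. The CSV field names, host names, account names and the `PRIVILEGED_ACCOUNTS` set are constructed assumptions; real telemetry would come from process-creation events (for example Sysmon Event ID 1 or Windows Security Event 4688).

```python
"""Baseline-deviation detection over constructed process-creation telemetry.

Added example (not from the article). Learns, per host, which native Windows
utilities are normal and, per privileged account, which hosts are normal,
then reports anything outside that baseline. Field names are assumptions.
"""
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample records (timestamp,host,user,image). Not real telemetry.
BASELINE_CSV = """timestamp,host,user,image
2022-03-01T08:00:00Z,WS01,alice,C:\\Windows\\System32\\cmd.exe
2022-03-01T08:05:00Z,WS01,alice,C:\\Program Files\\Office\\winword.exe
2022-03-01T09:00:00Z,WS02,bob,C:\\Windows\\System32\\cmd.exe
2022-03-01T09:10:00Z,FS01,svc-backup,C:\\Windows\\System32\\robocopy.exe
2022-03-01T10:00:00Z,DC01,admin-it,C:\\Windows\\System32\\dsa.exe
"""

# Constructed detection-window records: a privileged account appears on a
# workstation it never used before and runs utilities that host never ran.
DETECT_CSV = """timestamp,host,user,image
2022-03-15T02:10:00Z,WS01,alice,C:\\Windows\\System32\\cmd.exe
2022-03-15T02:12:00Z,WS01,admin-it,C:\\Windows\\System32\\net.exe
2022-03-15T02:13:00Z,WS01,admin-it,C:\\Windows\\System32\\whoami.exe
2022-03-15T02:20:00Z,FS01,svc-backup,C:\\Windows\\System32\\robocopy.exe
2022-03-15T02:25:00Z,WS02,bob,C:\\Program Files\\Office\\excel.exe
"""

# Constructed: accounts that hold administrative rights in this environment.
PRIVILEGED_ACCOUNTS = {"admin-it"}


def parse_events(text):
    """Parse CSV text into a list of event dicts."""
    return list(csv.DictReader(StringIO(text)))


def is_native(image):
    """True if the executable lives under the Windows directory."""
    return image.lower().startswith("c:\\windows\\")


def image_name(image):
    """Normalise a full image path to its lower-cased file name."""
    return image.rsplit("\\", 1)[-1].lower()


def build_baseline(events):
    """Return (native utilities seen per host, hosts seen per account)."""
    host_natives = defaultdict(set)
    account_hosts = defaultdict(set)
    for e in events:
        if is_native(e["image"]):
            host_natives[e["host"]].add(image_name(e["image"]))
        account_hosts[e["user"]].add(e["host"])
    return host_natives, account_hosts


def detect(events, baseline, privileged):
    """Flag native utilities new to a host and privileged logons on new hosts."""
    host_natives, account_hosts = baseline
    findings = []
    reported_pairs = set()  # de-duplicate (account, host) reports
    for e in events:
        host, user, image = e["host"], e["user"], e["image"]
        if is_native(image) and image_name(image) not in host_natives.get(host, set()):
            findings.append({"rule": "native-utility-not-in-baseline",
                             "host": host, "user": user,
                             "image": image_name(image), "time": e["timestamp"]})
        if (user in privileged and host not in account_hosts.get(user, set())
                and (user, host) not in reported_pairs):
            reported_pairs.add((user, host))
            findings.append({"rule": "privileged-account-on-new-host",
                             "host": host, "user": user,
                             "image": image_name(image), "time": e["timestamp"]})
    return findings


def run_demo():
    """Build the baseline from BASELINE_CSV and scan DETECT_CSV."""
    baseline = build_baseline(parse_events(BASELINE_CSV))
    return detect(parse_events(DETECT_CSV), baseline, PRIVILEGED_ACCOUNTS)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

The baseline here is a simple set; in production you would build it over weeks of data and age out stale entries, but the two signals it produces (a privileged identity where it has never been, and a native binary a host has never run) map directly onto the credential-abuse and living-off-the-land techniques described above.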

5 Ways to Safeguard Your Operations

Based on our observations in Ukraine so far, we recommend taking the following steps to safeguard your organization.

1. Minimize credential theft and account abuse: Protecting user identities is a critical component of network security. We recommend enabling multifactor authentication (MFA) and identity detection tools, applying least-privilege access, and securing the most sensitive and privileged accounts and systems.

2. Secure Internet-facing systems and remote access solutions: Ensure your Internet-facing systems are updated to the most secure levels, regularly evaluated for vulnerabilities and audited for changes to system integrity. Anti-malware solutions and endpoint protection can detect and prevent attackers, while legacy systems should be isolated to prevent them from becoming an entry point for persistent threat actors. Additionally, remote access solutions should require two-factor authentication and be patched to the most secure configuration.

3. Leverage anti-malware, endpoint detection, and identity protection solutions: Defense-in-depth security solutions combined with trained, capable personnel can empower organizations to identify, detect, and prevent intrusions impacting their business. You can also enable cloud protections to identify and mitigate known and novel network threats at scale.

4. Enable investigations and recovery: Auditing of key resources can help enable investigations once a threat is detected. You can also prevent delays and decrease dwell time for destructive threat actors by creating and enacting an incident response plan. Ensure your business has a backup strategy that accounts for the risk of destructive actions and is prepared to exercise recovery plans.

5. Review and implement best practices for defense in depth: Whether your environment is cloud-only or a hybrid enterprise spanning cloud(s) and on-premises data centers, we have developed extensive resources and actionable guidance to help improve your security posture and reduce risk. These security best practices cover topics like governance, risk, compliance, security operations, identity and access management, network security and containment, information protection and storage, applications, and services.
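Step 2 above asks that Internet-facing systems be "audited for changes to system integrity", and step 4 asks for a backup strategy that survives destructive actions. Both rest on the same primitive: a signed or offline-stored manifest of file hashes that a later scan is compared against. The script below is an added example, not code from the article or from Microsoft. It builds a SHA-256 manifest of a directory tree, then reports files that were added, removed or modified; the sample directory contents and file names are constructed, and the same comparison can be run against a restored backup to confirm it matches the last known-good manifest.

```python
"""File-integrity audit against a hash manifest.

Added example (not from the article). Builds a SHA-256 manifest of a tree,
stores it as JSON, and reports added, removed and modified files on a later
scan. All file names and contents below are constructed for the demo.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=65536):
    """Return the hex SHA-256 digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map each regular file (POSIX-style relative path) to its digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def save_manifest(manifest, path):
    """Persist the manifest as JSON (store this copy offline or read-only)."""
    Path(path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path):
    """Load a previously saved manifest."""
    return json.loads(Path(path).read_text())


def compare_manifests(baseline, current):
    """Return sorted lists of added, removed and modified relative paths."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(k for k in base_keys & cur_keys
                           if baseline[k] != current[k]),
    }


def run_demo():
    """Baseline a constructed tree, alter it, and report the differences."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        app = root / "app"
        app.mkdir()
        # Constructed files standing in for a deployed web application.
        (app / "web.config").write_text("<configuration/>\n")
        (app / "site.dll").write_bytes(b"MZ constructed module\n")
        (app / "index.html").write_text("<html>ok</html>\n")

        manifest_path = root / "baseline.json"
        save_manifest(build_manifest(app), manifest_path)

        # Simulate what a later audit might find: a config edit, a file
        # that was not part of the deployment, and a binary that vanished.
        (app / "web.config").write_text("<configuration>changed</configuration>\n")
        (app / "extra_module.dll").write_bytes(b"MZ constructed extra\n")
        (app / "site.dll").unlink()

        return compare_manifests(load_manifest(manifest_path), build_manifest(app))


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Keep the manifest somewhere the monitored host cannot rewrite (an offline copy, a write-once bucket, or a signed artifact in a separate trust domain); a manifest stored next to the files it describes is only as trustworthy as the host itself, which is exactly what a destructive actor with administrative access controls.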

What This Means for the Global Cybersecurity Landscape

As the war in Ukraine progresses, we expect to discover new vulnerabilities and attack chains as a result of the ongoing conflict. This will push already well-resourced threat actors to reverse-engineer patches and carry out "N-day attacks" tailored to the underlying vulnerabilities. All organizations associated with the conflict in Ukraine should proactively protect themselves and monitor for similar actions in their environments.

Microsoft respects and acknowledges the ongoing efforts of Ukrainian defenders and the unwavering support provided by the national Computer Emergency Response Team of Ukraine (CERT-UA) to protect their networks and maintain service during this challenging time. For a more detailed timeline of Russia’s cyber assault on Ukraine, explore the full report.
