Throughout the ongoing war on Ukraine, known and suspected Russian nation-state actors have compromised Ukrainian targets. They’ve used a combination of techniques including phishing campaigns, exploiting unpatched vulnerabilities in on-premises servers, and compromising upstream IT service providers. These threat actors have also developed and used destructive wiper malware or similarly destructive tools on Ukrainian networks.
Between late February and early April 2022, Microsoft saw evidence of nearly 40 discrete destructive attacks that permanently destroyed files in hundreds of systems across dozens of organizations in Ukraine. After each wave of attacks, threat actors modified the malware to better avoid detection. Based on these observations, we’ve developed strategic recommendations to global organizations on how to approach network defense in the midst of military conflict.
Common Russian Intrusion Techniques
Russia-aligned cyber operations have deployed several common tactics, techniques, and procedures. These include:
- Exploiting public-facing applications or spear-phishing with attachments/links for initial access.
- Stealing credentials and leveraging valid accounts throughout the attack life cycle, including within Active Directory Domain Services and through virtual private networks (VPNs) or other remote access solutions. This has made identities a key intrusion vector.
- Using valid administration protocols, tools, and methods for lateral movement, relying on compromised administrative identities in particular.
- Utilizing known, publicly available offensive capabilities, sometimes disguising them with actor-specific methods to defeat static signatures.
- “Living off the land” during system and network discovery, often using native utilities or commands that are nonstandard for the environments.
- Leveraging destructive capabilities that access raw file systems for overwrites or deletions.
5 Ways to Safeguard Your Operations
Based on our observations in Ukraine so far, we recommend taking the following steps to safeguard your organization.
1. Minimize credential theft and account abuse: Protecting user identities is a critical component of network security. We recommend enabling multifactor authentication (MFA) and identity detection tools, applying least-privilege access, and securing the most sensitive and privileged accounts and systems.
2. Secure Internet-facing systems and remote access solutions: Ensure your Internet-facing systems are updated to the most secure levels, regularly evaluated for vulnerabilities and audited for changes to system integrity. Anti-malware solutions and endpoint protection can detect and prevent attackers, while legacy systems should be isolated to prevent them from becoming an entry point for persistent threat actors. Additionally, remote access solutions should require two-factor authentication and be patched to the most secure configuration.
3. Leverage anti-malware, endpoint detection, and identity protection solutions: Defense-in-depth security solutions combined with trained, capable personnel can empower organizations to identify, detect, and prevent intrusions impacting their business. You can also enable cloud-protections to identify and mitigate known and novel network threats at scale.
4. Enable investigations and recovery: Auditing of key resources can help enable investigations once a threat is detected. You can also prevent delays and decrease dwell time for destructive threat actors by creating and enacting an incident response plan. Ensure your business has a backup strategy that accounts for the risk of destructive actions and is prepared to exercise recovery plans.
5. Review and implement best practices for defense in depth: Whether your environment is cloud-only or a hybrid enterprise spanning cloud(s) and on-premises data centers, we have developed extensive resources and actionable guidance to help improve your security posture and reduce risk. These security best practices cover topics like governance, risk, compliance, security operations, identity and access management, network security and containment, information protection and storage, applications, and services.
What This Means for the Global Cybersecurity Landscape
As the war in Ukraine progresses, we expect to discover new vulnerabilities and attack chains as a result of the ongoing conflict. This will force already well-resourced threat actors to reverse patches and carry out “N-day attacks” tailored to underlying vulnerabilities. All organizations associated with the conflict in Ukraine should proactively protect themselves and monitor for similar actions in their environments.
Microsoft respects and acknowledges the ongoing efforts of Ukrainian defenders and the unwavering support provided by the national Computer Emergency Response Team of Ukraine (CERT-UA) to protect their networks and maintain service during this challenging time. For a more detailed timeline of Russia’s cyber assault on Ukraine, explore the full report.
Read more Partner Perspectives from Microsoft.