The 2022 Russian invasion of Ukraine has shed light on the implications of cybersecurity being used in war. Before the physical invasion of the Ukraine occurred, Russia preemptively disrupted government operations by taking down Ukrainian government websites and infecting many domestic organizations with malicious content (malware).
While these attacks may feel far from home, they could potentially be used against organizations globally, with the goal of disrupting, degrading, or denying access to critical systems. These attacks are particularly concerning as they are state sponsored, by one of the most prominent Advanced Persistent Threats (APTs) of modern times. APT groups from Russia are well-known for their stealthy methods of infiltrating networks, collecting valuable intelligence, and going undetected.
In the following blog, we will discuss the organizations that are most likely to be affected by Russian APTs, methods used for exploitation, and best practices to avoid being the victim of an APT cyber-attack.
Who is most likely to be targeted by an APT cyber-attack?
While APT actors are not concerned with the size of organizations, they do favor certain sectors depending on their motive. They may be looking to disrupt a supply chain, eliminate a competitor's internet presence, or, as in this case, disrupt a government's ability to run. If your vertical is not listed here, it doesn't mean you cannot be targeted.
Defense Contractors- Defense contractors have long been a primary target of Russian APT groups. Defense contractors typically work closely with government organizations to develop proprietary technologies, strategies and equipment used for war-time activities. By gaining access to Defense contractor IT environments, APTs can access sensitive information that could supply insights into the capabilities and plans of the government. While larger defense contractors have sizable budgets to protect themselves against cyber-attacks.
Critical Infrastructures- Disruption of critical services such as water sanitization, electricity, public healthcare, and telecommunications could quickly create a chaotic outcome for any community. APT actors have proved on several occasions their ability to maintain a persistent, undetected presence on operational technology (OT) and industrial control systems (ICS). Between 2011-2018, state-sponsored Russian hackers infiltrated the US energy sector and remained undetected collecting data from critical systems. From 2015-2016, an attack on the Ukrainian power grid was detected, a likely pre-emptive attack to learn if systems could be rendered inoperable for future purposes. Attacks could also include private organizations that support critical infrastructure and can be used as “hop points” to OT and ICS environments for intelligence gathering and access.
Local Government- Local governments are a prime target as they often manage cybersecurity with limited resources and budgets and have access to sensitive and critical systems. In 2020, a Russian-sponsored APT campaign was found targeting state, local, tribal and territorial networks with the goal of extracting sensitive information.
Financial Services industry- Financial organizations have been notified by government authorities to be on high alert as the Russia-Ukraine conflict grows. Attacks on these institutions can cause economic disruption through direct financial loss, or simply through loss of confidence by their customer base. Additionally, financial institutions, specifically in the US and Europe, are tied directly to critical infrastructures such as SWIFT. Any damage to these institutions could cause international turmoil.
Healthcare- Healthcare organizations may not seem like a relevant target for war-level cyber-attacks, however they are considered "soft" or easy targets. Attacks on the healthcare industry can also come down to life-or-death situations. This creates a prime opportunity for ransom, either for financial gain to continue funding war efforts, or to pressure a government into giving in to demands. When human lives are at stake, time becomes a crucial factor. By hacking healthcare systems, holding them ransom, or disrupting healthcare services, Russian APTs put government officials in difficult positions to make decisions that could affect the well-being of their citizens.
What are the common tactics, techniques and procedures used by Russian APTs?
The tactics used by an APT do not differ from common exploit methods. What is different is the APT's ability to go untraced, giving them an opportunity to move laterally to other systems, and sometimes to other networks and organizations altogether. Below are common methods that have been found to be used by Russian state-sponsored APTs:
Password Spraying: Password spraying is a common attack method that allows attackers to conduct a “brute force” attack using generic passwords across multiple accounts to avoid detection. In the case of Russian APT groups, these attacks are done sporadically on administrative accounts that lack multi-factor authentication using multiple local IPs to go undetected by common security controls.
Spearphishing: Spearphishing continues to be one of the most effective ways to compromise an organization. Russian APTs are notorious for using advanced message crafting that entices users to click on malicious links. These links could lead to man-in-the-middle attacks with fake login pages requesting credentials, or to malicious downloads used to gain access to the end user's system.
Third-party/Supply Chain Attacks: Third-party compromises are particularly concerning because they are not within the control of an organization. An example of a significant third-party compromise is the SolarWinds breach conducted by Russian APTs. This attack affected commercial and government organizations of all sizes by exploiting a popular IT network management software. The exploit was deployed via a fake patch update, giving Russian hackers access to hundreds of networks almost at once. Once deployed, the hackers could then further exploit the networks and their supply chain.
Zero-Day Exploits: Zero-days are by far the most complicated exploitation method, because they require the attacker to find a vulnerability that is not yet known and has no patch. While zero-days are hard to find, their exploits are especially dangerous because no patch or mitigation exists yet, so they can go undetected for extended periods of time.
How to protect your organization from Russian APT attacks
While it may seem unlikely that your organization would be the victim of a Russian APT attack, the current state of the Ukrainian-Russian conflict has put most governments on high alert. Russia is well known for its advanced cyber tactics, and could easily use smaller, softer targets as access points to disrupt larger, more critical infrastructures. Best practices to protect yourself from a nation-state attack include:
- Multi-factor authentication to prevent password spraying and brute force attacks.
- Create non-identifiable administrative accounts with limited remote access to make them harder to compromise.
- Implement regular spearphishing training for employees to help them find, avoid and report suspicious emails.
- Enable context-based email tags that automatically flag e-mails not sent from within the organization.
- Apply strong geo-location access controls that block connections from IP addresses in countries you do not typically do business in or with.
- Implement logging, monitoring, detection and alerting to find any anomalous activity. Since APTs are often stealthy in their methods, it's important to go beyond basic detection methods and look for disparities in activity. This could include anomalies in geo-location, login times, access to new network areas, file creations or deletions, or administrative behaviors.
- Develop an incident response plan. Having a strong mitigation plan can make or break an organization after a breach, especially when an APT is involved. Advanced hackers can often spread across networks quietly, leaving unnoticed access points even after a breach has been mitigated.
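As an added example that is not part of the original post, the following script shows the kind of anomaly-based detection the list above calls for, applied to the password-spraying pattern described earlier: a few failures per account, across many accounts, spread over several source IPs, followed by a success for one of the sprayed accounts. The log format, the sample addresses and the thresholds are all assumptions constructed for this illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample authentication log (illustrative only, not from a real system).
# Format: <ISO-8601 timestamp> <FAIL|OK> user=<account> src=<source ip>
SAMPLE_LOG = """\
2022-03-01T02:10:01+00:00 FAIL user=alice src=203.0.113.5
2022-03-01T02:10:09+00:00 FAIL user=bob src=203.0.113.5
2022-03-01T02:10:15+00:00 FAIL user=carol src=198.51.100.7
2022-03-01T02:10:22+00:00 FAIL user=dave src=198.51.100.7
2022-03-01T02:10:31+00:00 FAIL user=erin src=192.0.2.9
2022-03-01T02:10:40+00:00 FAIL user=frank src=192.0.2.9
2022-03-01T02:11:02+00:00 OK user=frank src=192.0.2.9
2022-03-01T09:15:00+00:00 FAIL user=alice src=10.0.0.4
2022-03-01T09:15:05+00:00 FAIL user=alice src=10.0.0.4
2022-03-01T09:15:20+00:00 OK user=alice src=10.0.0.4
"""

def parse_log(text):
    """Turn each log line into (timestamp, result, account, source ip)."""
    events = []
    for line in text.splitlines():
        ts, result, user, src = line.split()
        events.append((datetime.fromisoformat(ts), result,
                       user.split("=", 1)[1], src.split("=", 1)[1]))
    return events

def detect_spray(events, window=timedelta(minutes=15), min_accounts=5, max_per_account=2):
    """Bucket failures into fixed time windows regardless of source IP, because a spray
    is spread across several IPs. A window is flagged when many distinct accounts each
    fail only a few times (a per-IP lockout counter would miss this). A later OK for a
    sprayed account from one of the spraying IPs is reported as a likely hit."""
    buckets = defaultdict(lambda: {"fails": defaultdict(int), "ips": set(), "ok": []})
    for ts, result, user, src in events:
        b = buckets[int(ts.timestamp() // window.total_seconds())]
        if result == "FAIL":
            b["fails"][user] += 1
            b["ips"].add(src)
        else:
            b["ok"].append((user, src))
    alerts = []
    for key, b in sorted(buckets.items()):
        fails = b["fails"]
        if len(fails) >= min_accounts and max(fails.values()) <= max_per_account:
            hits = sorted({u for u, s in b["ok"] if u in fails and s in b["ips"]})
            alerts.append({"window_start": datetime.fromtimestamp(key * window.total_seconds(), tz=timezone.utc),
                           "accounts": len(fails), "source_ips": sorted(b["ips"]), "likely_hits": hits})
    return alerts

if __name__ == "__main__":
    for alert in detect_spray(parse_log(SAMPLE_LOG)):
        print(alert)
```

The second cluster in the sample (one account failing twice, then succeeding) is a normal mistyped password and is not flagged; only the wide, shallow failure pattern raises an alert.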
Finally, the best method to protect yourself against an APT is to set up a strong cybersecurity program. Foresite Cybersecurity offers holistic cybersecurity operations and compliance solutions that help you proactively prevent attacks, by providing you with visibility into what systems you have deployed in your IT environment, what risks they are susceptible to, and supplying a plan of mitigation to reduce downtime. Foresite Cybersecurity will also help you keep a secure environment by continuously monitoring, patching, and detecting any anomalies that may lead to a cyber incident.
Contact us today to learn more about how you can protect yourself from APTs and other cyber threats to your organization.
Marcela Denniston is a Cybersecurity Expert who has been building military-grade security operations teams since 2002. Today, she is the SVP of Marketing for Foresite Cybersecurity, where she uses her subject matter expertise to drive meaningful content and messaging that speaks to true cyber practitioners.