Latest Guidance for Ongoing Cyber Attacks in Ukraine
By Aspire Security Operations Center (SOC) Team
In the past 20 years, there has been a massive shift in geopolitical conflict from traditional kinetic, “symmetric” warfare to what is now known as “asymmetric” warfare. Asymmetric warfare refers to conflicts between smaller factions and larger nation states, or between groups with very different capabilities and strategies.1 Terrorist attacks like 9/11 are a prime example; more recent still is the rise of cyber warfare. In the current conflict in Ukraine, cyber attacks have been at the forefront and have preceded the use of military force.
The Aspire SOC team has been monitoring the situation and has identified activity attributed to three distinct groups, each with a direct or loose association with the Russian military. In this blog, we will focus on the activities of three prominent groups of actors – APT28, Sandworm, and Conti. We will also provide guidance on how to protect your organization from these and other threats.
APT28 – Fancy Bear
APT28, otherwise known as “Fancy Bear”, is a familiar name within the security realm – it is a unit of Russia’s military intelligence agency, the GRU, and the same group associated with the Democratic National Committee (DNC) breach during the 2016 presidential election.2 Fancy Bear primarily targets governments, defense contractors, and energy companies. It does not restrict itself to US interests; China, Japan, Iran, Brazil, Canada, and multiple countries in Europe have also been victims.3
Sandworm or Voodoo Bear
Sandworm, otherwise known as “Voodoo Bear”, is another unit of Russia’s military intelligence agency, the GRU. It primarily targets energy infrastructure, in particular in Eastern Europe. Sandworm is responsible for the December 2015 attacks on Ukraine’s power grid, which resulted in widespread power outages.4 Sandworm was also behind the spread of NotPetya in 2017, a destructive wiper that masqueraded as ransomware.5
Conti or Ryuk
Conti, the successor to Ryuk, is both a ransomware-as-a-service (RaaS) operation and the loose association of affiliates that breach businesses and deploy the ransomware; those affiliates often buy their initial foothold from “initial access brokers” who sell access to already-compromised networks. The Conti core team maintains and supports the ransomware much as a legitimate software company would sell Software as a Service (SaaS). Conti is offered on the dark web (the online illegal market) both as a subscription and in a more traditional affiliate model, where affiliates split the proceeds of successful ransoms with the Conti operators.6
Tactics, Techniques, and Procedures
In this section, we will discuss how the three groups plan and conduct cyber attacks on businesses and governments. These methods are known as TTPs: Tactics, Techniques, and Procedures.
Fancy Bear usually gains its initial foothold in an organization through phishing and credential harvesting. Phishing can arrive as email, text messages, or links to websites. The email is crafted to impersonate, or “spoof,” a coworker, manager, executive, or other authority so that the recipient trusts it. It may carry an attachment infected with malware designed to steal credentials, or a link that lures the user to a page hosting malware or to a page that mimics a familiar login form. Either way, the end goal is to steal credentials and use them later to get onto the network. Once inside, Fancy Bear deploys custom tooling to compromise other servers, establish persistent access (otherwise known as “backdoors”), and steal more data.
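The sender and link checks that the paragraph above describes, as an added example that is not code from the original post: a stdlib-only Python triage script run over a constructed phishing message. The trusted domains, the trusted login hosts, the one-entry staff directory, and the message itself are assumptions made for the example (the domains are reserved example names and the hosts do not exist). It flags a display name that does not match the directory entry for that person, a sender or link domain that is a lookalike of a trusted one, a Reply-To that redirects replies elsewhere, and link text that shows a different host from the one the href actually goes to.

```python
"""Triage checks for a suspected phishing e-mail (added example, stdlib only).

  1. Sender spoofing: the display name claims to be someone we know but the
     address is not theirs, the sender domain is a lookalike of ours, or a
     Reply-To header silently redirects replies elsewhere.
  2. Lure links: the visible link text shows one host while the href goes to
     another, or the href host is a lookalike of a login page users trust.
"""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumptions for this example: the defended organisation owns example.com,
# these are the login hosts its users legitimately see, and this is (a slice
# of) its staff directory, keyed by lower-cased display name.
TRUSTED_DOMAINS = {"example.com"}
TRUSTED_LOGIN_HOSTS = {"login.example.com", "login.microsoftonline.com"}
KNOWN_STAFF = {"jane doe": "jane.doe@example.com"}

# Characters and digraphs attackers swap in so a domain reads like another.
_CONFUSABLE_CHARS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})
_CONFUSABLE_PAIRS = [("rn", "m"), ("vv", "w"), ("cl", "d")]


def normalise_host(host):
    """Fold confusables so a lookalike collapses onto the host it imitates."""
    h = host.lower().rstrip(".").translate(_CONFUSABLE_CHARS)
    for fake, real in _CONFUSABLE_PAIRS:
        h = h.replace(fake, real)
    return h


def is_trusted(host):
    host = host.lower()
    return host in TRUSTED_LOGIN_HOSTS or any(
        host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def is_lookalike(host):
    """True when host is not trusted itself but folds onto a trusted name."""
    return bool(host) and not is_trusted(host) and is_trusted(normalise_host(host))


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        shown = None
        if "://" in text or text.lower().startswith("www."):  # the visible text is itself a URL
            shown = (urlparse(text if "://" in text else "http://" + text).hostname or "").lower()
        if shown and shown != host:
            findings.append(("link_text_mismatch", f"{shown} -> {host}"))
        if is_lookalike(host):
            findings.append(("link_lookalike", host))
    return findings


def check_sender(msg):
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower()
    real = KNOWN_STAFF.get(name.strip().lower())
    if real and addr.lower() != real:
        findings.append(("display_name_spoof", f"{name} <{addr}>"))
    if is_lookalike(from_domain):
        findings.append(("sender_lookalike", from_domain))
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply:
        reply_domain = reply.rsplit("@", 1)[-1].lower()
        if reply_domain != from_domain:
            findings.append(("reply_to_mismatch", f"{from_domain} -> {reply_domain}"))
    return findings


def triage(raw_message):
    """Parse a raw RFC 5322 message and return a list of (check, detail) findings."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    return check_sender(msg) + check_links(html)


# Constructed sample: a CEO-impersonation credential lure (reserved example domains).
SAMPLE_EMAIL = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: Jane Doe <jane.doe@attacker.invalid>
To: staff@example.com
Subject: Urgent: re-validate your credentials
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Please sign in again today:</p>
<a href="https://login.rnicrosoftonline.com/auth">https://login.microsoftonline.com</a>
<p><a href="https://login.example.com/">Company portal</a></p>
</body></html>
"""

if __name__ == "__main__":
    for check, detail in triage(SAMPLE_EMAIL):
        print(f"{check:22} {detail}")
```

The confusable table is deliberately small; a production check would use the Unicode confusables data and decode punycode (xn--) labels before comparing, and would treat a link to a genuine trusted host as benign, as the second link in the sample is.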
Sandworm targets industrial networks, so its techniques are tailored to the industrial equipment it aims to break. Sandworm favors more brazen methods, such as scanning the target for security holes and exploiting the weaknesses it finds. It frequently exploits known vulnerabilities in exposed devices, and sometimes flaws for which no fix yet exists (otherwise known as “zero-day” exploits). Sandworm’s goal is the disruption and destruction of its victim.
Conti, compared with the other two groups, is far more financially motivated: its goal is to extort money from its victims. Because its affiliates are only loosely associated with the core group, the techniques they use vary widely; phishing, malware, or exploits may all be employed to breach a victim. In most cases, Conti intrusions use the Trickbot or Emotet trojans to establish persistence and deliver the Conti ransomware.
How to protect your business
The best approach to safeguarding your organization from these types of threats is a “defense in depth” strategy: multiple, overlapping layers of security controls, so that an attacker who gets past one layer is caught by the next. The first layers aim to stop the initial intrusion from occurring at all, which matters especially for ransomware; by the time the victim sees the ransom note, it is too late to react. We recommend an integrated architecture that addresses the cloud, network, and endpoint layers. The foundational solutions that typically make up this design are a combination of DNS-layer security, a next-generation firewall, network traffic analysis, and endpoint security software. Another important element, separate from the security architecture itself, is security awareness training to help users recognize phishing and other social engineering tactics.
The most common DNS security solution we see is Cisco Umbrella. It is a cloud-delivered Secure Internet Gateway that enforces security at the DNS and IP layers. Umbrella blocks requests to malware, ransomware, phishing, and botnet domains before a connection is established, stopping threats regardless of port or protocol, before they reach your network or endpoints. It can be deployed in minutes and protects against Internet-based threats whether users are on the network, connected via VPN, or roaming. One caveat: a DNS-layer control only sees the name lookups that are sent to it, so make sure endpoints cannot bypass it by using another resolver (for example, encrypted DNS to a third-party provider) or by connecting to hard-coded IP addresses.
Today’s next-generation firewalls go beyond the traditional technique of blocking network ports. They use live threat intelligence feeds to identify known-malicious hosts and traffic patterns both inside and outside the network, which allows the device to block those connections automatically and alert on the malicious activity.
Over the past 12-18 months we have seen endpoint detection and response (EDR) software replace traditional, signature-based antivirus. EDR is an agent installed on laptops, workstations, and servers. It closely watches the processes and applications running on the computer, and if it sees evidence of malicious behavior, it can automatically stop the attack and alert the security operations team.
Another incredibly valuable way to identify threats is network traffic analytics. These platforms typically involve sensors on the network and use NetFlow or similar flow records to perform behavioral analytics. Flow records are metadata rather than packet contents: who talked to whom, when, over which ports, and how much data moved. The tool uses them to build a baseline for each device, and its built-in intelligence then flags anomalies in how a particular device is behaving and raises an alert so the security operations team can investigate further.
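The baseline-and-anomaly idea described above, as an added example that is not code from the original post or from any vendor product: a small Python model over constructed NetFlow-style records. The internal address range (10.0.0.0/8), the sample flows, the training window, and the thresholds are all assumptions made for the example. Like NetFlow, it works from flow metadata only, and it alerts on three kinds of deviation from a host's own baseline: a destination port the host never used before, a day whose outbound volume is far above the host's norm, and a host with no baseline at all.

```python
"""Behavioural baseline over NetFlow-style records (added example, stdlib only).

A flow record carries metadata only (who talked to whom, when, on which port,
how many bytes), which is what NetFlow exports. The model learns, per internal
host, how much it sends to external addresses each day and which destination
ports it uses, then scores later days against that baseline.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumption: the monitored site's address space


@dataclass(frozen=True)
class Flow:
    day: int
    src: str
    dst: str
    dport: int
    nbytes: int


def is_external(ip):
    return ipaddress.ip_address(ip) not in INTERNAL


def build_baseline(flows, baseline_days):
    """Per internal host: (mean, stdev) of daily outbound bytes, and the ports it used."""
    per_day = defaultdict(lambda: defaultdict(int))
    ports = defaultdict(set)
    for f in flows:
        if f.day in baseline_days and is_external(f.dst):
            per_day[f.src][f.day] += f.nbytes
            ports[f.src].add(f.dport)
    stats = {}
    for host, days in per_day.items():
        # a baseline day with no outbound traffic counts as zero, not as missing
        totals = [days.get(d, 0) for d in baseline_days]
        stats[host] = (mean(totals), pstdev(totals))
    return stats, ports


def detect(flows, baseline_days, k=3.0):
    """Alert on hosts never seen before, destination ports never used before,
    and days whose outbound volume is far above the host's own baseline."""
    stats, ports = build_baseline(flows, baseline_days)
    alerts, seen_ports = [], set()
    per_day = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if f.day in baseline_days or not is_external(f.dst):
            continue
        per_day[f.src][f.day] += f.nbytes
        key = (f.src, f.day, f.dport)
        if f.src in ports and f.dport not in ports[f.src] and key not in seen_ports:
            seen_ports.add(key)
            alerts.append(("new_port", f.src, f.day, f.dport))
    for host, days in per_day.items():
        if host not in stats:
            alerts.extend(("new_host", host, day, total) for day, total in days.items())
            continue
        mu, sigma = stats[host]
        # A flat baseline gives sigma == 0, where mean + k*sigma would fire on any
        # increase at all; the 2*mean floor keeps the threshold meaningful then.
        threshold = max(mu + k * sigma, 2 * mu)
        for day, total in days.items():
            if total > threshold:
                alerts.append(("volume", host, day, total))
    return alerts


# Constructed sample data: days 1-5 train the baseline, day 6 is scored.
BASELINE_DAYS = range(1, 6)
SAMPLE_FLOWS = [
    # 10.0.0.5: steady ~5 MB/day of HTTPS to one SaaS provider
    *[Flow(d, "10.0.0.5", "203.0.113.10", 443, b) for d, b in
      zip(range(1, 6), (5_000_000, 5_200_000, 4_800_000, 5_100_000, 4_900_000))],
    # 10.0.0.8: 1 MB/day of HTTPS to another provider
    *[Flow(d, "10.0.0.8", "203.0.113.20", 443, 1_000_000) for d in range(1, 6)],
    # a large internal SMB copy: internal-to-internal, so the model ignores it
    Flow(3, "10.0.0.5", "10.0.1.7", 445, 20_000_000),
    # day 6: 10.0.0.5 pushes 400 MB to a host it has never spoken to (possible exfiltration)
    Flow(6, "10.0.0.5", "203.0.113.10", 443, 5_000_000),
    Flow(6, "10.0.0.5", "198.51.100.7", 443, 400_000_000),
    # day 6: 10.0.0.8 beacons on a port it never used before, at a tiny volume
    Flow(6, "10.0.0.8", "203.0.113.20", 443, 900_000),
    Flow(6, "10.0.0.8", "198.51.100.7", 4444, 2_000),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_FLOWS, BASELINE_DAYS):
        print(alert)
```

Note that the low-volume beacon on port 4444 is caught by the port baseline, not by volume: a volume-only model would miss it, which is why real platforms baseline several features per device (peers, ports, timing, byte counts) rather than one.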
It’s critical to have these tools configured, implemented, and tuned properly. It’s equally important to continuously monitor events and respond to potential threats in real time. Many organizations lack the security resources needed for 24×7 monitoring, as well as the skills needed for ongoing management of the security tools. We recommend partnering with an MSSP that offers Managed Detection and Response (MDR) services. The tools discussed here provide a great deal of visibility and security context, but only if someone is watching. MDR services provide 24×7 threat detection to identify, investigate, and mitigate malicious activity before it can harm your environment.
Even if Ukraine and Russia reach an agreement and the ground invasion ceases, we anticipate that the cyber campaigns will continue for months. Some important things to consider about your organization’s network:
- Review your business continuity plans – consider what would happen if a major cloud provider, such as Amazon Web Services, were disrupted for an extended period. Are your cloud services redundant? If you use AWS, do you have another site where your data can be held and brought up quickly for access?
- Vulnerable devices – reviewing legacy systems, whether they are reachable from outside the network, and the risk of their being compromised should be a top priority. Where feasible, harden those assets by restricting network access to them.
- Employee education – make sure your employees know what your emergency plans are, and exercise those plans. Dry runs and simulations are great ways to confirm your game plans are ready.
If you have any questions, concerns, or specific needs, please reach out to your Account Manager or Customer Service Manager for help. We are ready to stand by you and help you through these unsettling times.