August 25, 2023
The Russia/Ukraine war has been active for roughly 18 months, characterized by both physical and cyber warfare. Ukraine has continued its defensive strategies, while cybercriminal groups in support of each country have launched information-stealing and DDoS attacks. Russia is also dealing with internal struggles, including issues with the Wagner Group – a paramilitary organization and ally of Russian President Vladimir Putin.
Optiv’s Global Threat Intelligence Center (gTIC) has provided periodic updates on Russian and Ukrainian actions, as well as estimated cyber-related implications, in advisories and blog posts on February 4, February 22, February 24, June 30, August 25, September 29, October 31, November 29, December 20, March 02, 2023 and May 30, 2023. This update will provide information on the events of the previous 90 days and what we can expect looking forward.
Over the course of the previous 18 months, Russia-based threat actors have deployed wiper attacks, ransomware attacks and information-stealing attacks. Active groups over the previous 90 days include Shuckworm, Cadet Blizzard, Midnight Blizzard and NoName057(16).
In June 2023, security researchers with Microsoft linked a threat group, Cadet Blizzard (aka DEV-0586, UAC-0056) to Russia’s Main Directorate of the General Staff of the Armed Forces (GRU). Microsoft’s researchers have linked Cadet Blizzard to multiple cyberattacks, including the deployment of the WhisperGate wiper malware against Ukrainian organizations. The group is believed to have been active since at least 2020 and is a separate operation from other GRU-linked threat groups, including Forest Blizzard (aka Strontium, Fancy Bear, APT28) and Seashell Blizzard (aka Iridium, Sandworm). Cadet Blizzard has launched attacks against Ukraine, Eastern Europe, Central Asia and Latin America. Verticals targeted include technology and government, as well as institutions and organizations. Cadet Blizzard has previously gained initial access via vulnerabilities, such as the Confluence vulnerability, CVE-2021-20684 (CVSS 9.8), and Exchange vulnerabilities like CVE-2022-41040 (CVSS 8.8) and the ProxyShell flaws – CVE-2021-34473 (CVSS 9.8), CVE-2021-34523 (CVSS 9.8) and CVE-2021-31207 (CVSS 7.2). The group has employed the following tools and malware over the previous 18 months for persistence and lateral movement:
Cadet Blizzard relies on living-off-the-land (LOL or LOTL) techniques wherever possible, for example using the Sysinternals ProcDump utility to dump credentials from the Local Security Authority Subsystem Service (LSASS) process. CERT-UA attributed February 2023 attacks against government entities, aimed at stealing sensitive data, to Cadet Blizzard. The group has been observed conducting attacks and then going quiet for some time before returning with another attack. It is likely that the threat actors use this time to refine their TTPs for persistence, detection evasion, privilege escalation and lateral movement.
In June 2023, security researchers with Symantec reported that Shuckworm (aka Gamaredon, Primitive Bear, Trident Ursa) has continued to launch cyberattacks against Ukraine, with recent victims including military and government organizations. Shuckworm sent phishing emails to gain initial access. According to Symantec, the malicious attachments often contained lures related to “armed conflicts, criminal proceedings, combating crime and protection of children.” Shuckworm has used a custom backdoor, Pterodo, to maintain persistence and download additional code. The group was observed targeting machines containing file names that Symantec claims appeared to be “sensitive military information.” It is likely that Shuckworm is responsible for obtaining information that could be of strategic interest to the Russian government and support Russian military efforts.
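A defender-side illustration of the LSASS credential-dumping technique described above: the script below flags Sysmon ProcessAccess (Event ID 10) records in which a process outside a small allowlist opens lsass.exe with memory-read rights. This is an added example, not code from Optiv or from the Cadet Blizzard reporting; it assumes a JSON-lines export of Sysmon events with the fields EventID, SourceImage, TargetImage and GrantedAccess, and the sample events and the allowlist are constructed for illustration.

```python
"""Flag suspicious LSASS process-access events in a Sysmon JSON-lines export."""
import json

# Windows process access rights needed to read another process's memory.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400

# Processes that legitimately open LSASS on a typical host. Assumption: tune
# this to your own environment (EDR/AV agents, backup tooling, etc.).
ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
}


def is_suspicious_lsass_access(event: dict) -> bool:
    """True when a non-allowlisted process opens lsass.exe with memory-read rights."""
    if event.get("EventID") != 10:
        return False
    if not event.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return False
    if event.get("SourceImage", "").lower() in ALLOWLIST:
        return False
    granted = int(event.get("GrantedAccess", "0x0"), 16)
    return bool(granted & PROCESS_VM_READ) and bool(granted & PROCESS_QUERY_INFORMATION)


def scan(lines):
    """Parse JSON-lines Sysmon events and return the offending source images."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        event = json.loads(line)
        if is_suspicious_lsass_access(event):
            hits.append(event["SourceImage"])
    return hits


# Constructed sample: a benign svchost open, a ProcDump-style full-access open
# of LSASS from a user-writable path, and an unrelated process-creation event.
SAMPLE_LOG = r"""
{"EventID": 10, "SourceImage": "C:\\Windows\\System32\\svchost.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1000"}
{"EventID": 10, "SourceImage": "C:\\Users\\Public\\pd.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1FFFFF"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe"}
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print("suspicious LSASS access from", hit)
```

Because ProcDump is a legitimately signed Sysinternals binary, matching on the access rights requested against lsass.exe, rather than on the tool's name or hash, is what lets this catch renamed or repackaged copies.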
Also in June 2023, security researchers with Microsoft disclosed a spike in credential-stealing cyberattacks conducted by the Midnight Blizzard (aka Nobelium, Cozy Bear, The Dukes, APT29). The threat actors used “residential proxy services to obfuscate the source [IP address] of their attacks” and targeted verticals that included governments, technology companies, industrials and manufacturing.
CERT-UA warned of cyberattacks attributed to Forest Blizzard (aka Fancy Bear, APT28, FROZENLAKE) that included a phishing campaign targeting government bodies in Ukraine. The phishing emails featured the subject line, “Windows Update,” and purportedly contained Ukrainian-language instructions to run a PowerShell command under the pretext of performing security updates. When victims ran that command, it executed a next-stage PowerShell script that collected basic system information.
In June 2023, security researchers with Sekoia reported that the pro-Russia hacktivist group, NoName057(16), had grown their DDoS attack toolkit, “DDoSia,” by more than 2,400%. NoName057 has been among the most prolific and active DDoS groups since the start of the Russian-Ukraine conflict. The group and their community have conducted DDoS attacks against European, Ukrainian and U.S. websites of government agencies, media companies and private companies.
The Wagner Group is a private military company founded by Yevgeny Prigozhin (aka “Putin’s Chef”). It became the Kremlin’s go-to group for operations it wanted to be able to disavow. The group has previously conducted actions on behalf of Russia, including in 2013 when Prigozhin ran the Internet Research Agency. This agency employed hundreds of people to participate in influence operations online, including in the U.S. leading up to the 2016 presidential election. In 2014, the Wagner Group battled the Ukrainian army in a revolt in Eastern Ukraine. In 2022, when Russia invaded Ukraine, the Wagner Group was called upon to fight on the ground against Ukrainian troops.
On June 30, 2023, the Russian satellite telecommunications company, Dozor-Teleport CJSC, confirmed that they had suffered a data breach and that “infrastructure on the side of the cloud provider was compromised.” The unnamed hackers claimed to have targeted the company and defaced four Russian websites in support of the Wagner Group's actions.
The hackers leaked nearly 700 files related to the organization. While the attack was believed to be in support of the Wagner Group’s actions against Russia, there is an Even Chance that the attack was conducted in support of Ukraine. A conflict between Russia’s military and its biggest private military group would be an advantage for Ukrainian troops. At the time of writing, the motive behind the attack remains speculative and is Unlikely to be confirmed.
Prigozhin recently took to social media to accuse Russian military leadership of providing the Wagner Group with insufficient weaponry and demonstrating incompetence and corruption. In June 2023, Prigozhin ordered the Wagner Group troops to advance on Moscow, calling for the resignation of top defense officials. Before reaching Moscow, Prigozhin ordered the troops to turn back and claimed that he did not want to harm Russian fighters. Putin stated in a press conference that Prigozhin would be charged for a coup attempt. However, an agreement was reached and Prigozhin was allegedly in negotiation to be exiled to Belarus.
On August 23, 2023, multiple news outlets began reporting that a private Embraer jet carrying Yevgeny Prigozhin had crashed northwest of Moscow—killing all 10 people on board, including Prigozhin. The flight data indicates that the plane reached an altitude of about 28,000 feet before it stopped transmitting tracking details. While the specific reason for the crash is not known at the time of writing, and Russian authorities are reportedly investigating the crash, many witnesses reported that the plane appeared to be missing a wing and that they heard “explosions” prior to the plane’s dive toward the ground. Russia has not commented publicly about the crash. While the cause remains unknown, Russia has a known history of “getting back at” those whom it feels have wronged it in some way. Despite the proposed negotiation to exile Prigozhin to Belarus, there is an Even Chance that the crash was not accidental and was intended to permanently prevent Prigozhin from regrouping or posing any threat to Russia’s government.
In May 2023, security researchers with Kaspersky reported that the APT group, CloudWizard, had targeted “diplomatic and research organizations” involved in the region of the Russian-Ukrainian conflict. The group has reportedly not ceased operations since the start of the Russia-Ukraine war.
In August 2023, security researchers with SentinelLabs reported that the North Korean state-sponsored threat group, ScarCruft, was behind a hack of NPO Mashinostroyeniya, a Russian space rocket designer and intercontinental ballistic missile engineering organization. ScarCruft allegedly targeted the email server and IT systems and planted a Windows backdoor named OpenCarrot for remote access to the network. It is Likely that this attack was an attempt to advance North Korea’s missile development objectives.
The IT Army of Ukraine, which has nearly 10,000 volunteers, continues to be active against Russian organizations. While the group has been unable to target the Russian military directly, owing to the military’s security and the likelihood of being detected, it has targeted several organizations and verticals that the Russian military relies on. The group operates and maintains a Telegram channel and an X (formerly known as Twitter) account and has proven adept at overwhelming the cyber defenses of Russian organizations, TV stations and government bodies.
Some of their victims have included the weather forecast that Russian military members relied on, the national rail company’s online ticketing service and payment system used to collect tolls, the websites used by alcohol production and distribution companies to register deliveries and the computerized licensing system used to approve meat and dairy products in Russia. The group also identified compromised cameras after the Ukrainian security agency, SBU, discovered that Russian hackers were using CCTV streams to spy on Ukrainian positions and to direct missiles.
In an interview in The Times, a leader of the IT Army of Ukraine using the alias “Joe,” claimed that the hacking groups enjoy targeting the petty concerns of ordinary Russians. For example, when a Russian gas station launched a promotional two-for-one offer on hot dogs and burgers for app users, the IT Army of Ukraine took the app down. The hackers have worked to consistently remind Russian citizens that they are at war.
In June 2023, a Ukrainian hacking group, Cyber Anarchy Squad, announced on X (formerly known as Twitter) that they had successfully disrupted Russian banking services. The group claimed to have “blown up” InfoTel, a telecommunications company that supplied services to hundreds of companies—a quarter of which are banks. Security researcher Kevin Beaumont reported that the threat actors “remotely wiped the infrastructure” of the company. It took roughly two days for the company to restore BGP routing, with outages for organizations persisting as routers failed. Targeting the financial services vertical likely has a significant impact on the Russian economy.
In July 2023, Ukrainian law enforcement successfully disrupted a bot farm where over 100 operators allegedly spread fake information related to the Russian invasion. As the investigation is ongoing, little information is available on the operation.
Ukraine has been relatively successful in defending against Russian cyberattacks, including preventing multiple wiper malware attacks on energy vertical organizations in 2022. Russia’s cyberattacks increased by 250% in 2022 against Ukraine and 300% against NATO countries. These attacks, while considered sophisticated in the first months of the war, have slowed and become less organized over time. With the technical assistance of Western allies, Ukraine has significantly boosted its continuous security monitoring capabilities, which has aided in detecting and preventing multiple cyberattacks from Russia. It is Likely that Ukraine will continue to improve its security posture over the next 12 months.
There has historically been a high level of solidarity between Russia-linked threat groups, which has contributed to the groups’ perceived sophistication and capabilities. However, the disagreements over support for the war, the leaks and the splits over the previous 12 months have likely challenged that belief. It is Likely that more threat actors will target Russia-based organizations over the next 12 months to steal sensitive information and launch malware-based attacks. Rumors of Russia absolving Russian cybercriminals of their crimes have circulated, which would Likely supply Russia with more cybercriminals to support their cyber efforts. There is an Even Chance that threat actors will shift to more English-language forums and marketplaces over the next 12 months as the war continues.
Despite reports that Russia-linked threat groups have not been as successful as expected, it is Likely that these groups will continue launching attacks against Ukraine and NATO countries over the next 12 months. This is Likely to include critical infrastructure verticals – energy, financial services, government, manufacturing and transportation – in destructive cyberattacks that include wiper and ransomware malware. There is an Even Chance that Russian President Putin will refocus efforts on cyberattacks as military actions face setbacks, including the loss of support from the Wagner Group, shifts in leadership and an ever-changing view of the countries’ strengths.
China and India, both of which have indirectly aligned with Russia or maintained a conspicuous neutrality toward it, also have a history of state-sponsored and APT attacks. While China-linked threat groups have a proven history of targeting the U.S. and other Western countries in espionage campaigns, there is an Even Chance that these groups could target countries of strategic interest to Russia over the next 12 months.
Threat actors are Likely to target known vulnerabilities, including older vulnerabilities of 2+ years, in widely used software and services to gain access to victim networks. This is Likely because the same techniques continue to yield successful compromises while requiring minimal resources. Optiv’s gTIC assesses with High Confidence that DDoS attacks will remain an effective and relevant threat to organizations in countries that are openly opposed to Russian activity or in support of Ukraine.
In addition to multiple vulnerabilities, Optiv’s gTIC assesses it is Likely that cybercriminals and fringe state-sponsored campaigns will use common software and malware in the coming months, such as:
It is Likely that threat actors will continue to use the same tactics observed in cyberattacks attributed to Russia-linked and Russia-supporting groups.