A Single Partner for Everything You Need Optiv works with more than 450 world-class security technology partners. By putting you at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can.
We Are Optiv Greatness is every team working toward a common goal. Winning in spite of cyber threats and overcoming challenges in spite of them. It’s building for a future that only you can create or simply coming home in time for dinner. However you define greatness, Optiv is in your corner. We manage cyber risk so you can secure your full potential.
Russia/Ukraine Update - December 2023 Breadcrumb Home Insights Blog Russia/Ukraine Update - December 2023 December 6, 2023 The Russia/Ukraine war is approaching its second year, and both physical and cyber warfare continue. Ukraine has continued to conduct defensive strategies, while cybercriminal groups have also persisted in launching DDoS, information stealing, and wiper attacks. Russia has launched further attacks while dealing with internal struggles. The war has caused a rippling effect of destruction and disruption across the world, including a persistent impact within the cybercriminal landscape. Optiv’s Global Threat Intelligence Center (gTIC) has provided periodic updates on Russian and Ukrainian actions as well as estimated cyber-related implications in advisories and Optiv blog posts on February 4, February 22, February 24, June 30, August 25, September 29, October 31, November 29, December 20, March 02, 2023, May 30, 2023 and August 25, 2023. This update will provide information on the events of the previous 90 days and what we can expect looking forward. This will be the last quarterly update related to the ongoing Russia/Ukraine conflict. Optiv’s gTIC will provide updates via blog posts and advisories on an ad-hoc basis. Russia In June 2023, the Computer Emergency Response Team of Ukraine (CERT-UA) warned that the Russia-linked threat group, APT28 (aka BlueDelta, Sofacy, PawnStorm, Fancy Bear, Forest Blizzard, FROZENLAKE) had conducted phishing attacks with malicious attachments that exploited vulnerabilities in Roundcube servers (CVE-2020-35730, CVE-2020-12641, and CVE-2021-44026) to run reconnaissance and exfiltrate sensitive data. The scripts redirected incoming emails and gathered session cookies, user information, and address books. CERT-UA reported that phishing emails were sent to more than 40 government organizations. In October 2023, CERT-UA shared that threat actors tracked as UAC-0165 had “interfered” with at least 11 Ukrainian telecommunications organizations between May - September 2023, which led to service interruptions that impacted customers. The threat group conducted reconnaissance and post-exploitation activities from previously compromised servers and utilized two programs, POEMGATE and POSEIDON, which enable credential theft and remote control of the infected hosts. The group also reportedly used a utility called WHITECAT to erase any forensic trail. Once the group successfully breached the network, they attempted to disable network and MikroTik server equipment, as well as data storage systems. In May 2023, CERT-UA reported that threat actors, attributed to as UAC-0006, had conducted a phishing campaign with invoice-themed lures to deploy the SmokeLoader malware in a polyglot file. CERT-UA regards this as a financially motivated operation designed to steal credentials and make unauthorized transfers of funds. In another advisory from April 2023, CERT-UA warned of destructive attacks attributed to UAC-0165 against public sector organizations. The group deployed a script-based wiper malware called RoarBAT, which searched for files with a specific extension list before permanently using the legitimate WinRAR utility to permanently delete them. CERT-UA attributed UAC-0165 to the Russia-linked Sandworm Team (aka FROZENBARENTS, SeaShell Blizzard, Voodoo Bear), which has historically used wiper malware to target Ukrainian organizations. In July 2023, The CERT-UA shared their discovery of Microsoft Excel (xls) documents containing a legitimate macro and a macro that launches the PicassoLoader malware and subsequently execute the njRAT malware. CERT-UA attributed this activity to UAC-0057 (aka GhostWriter), a threat actor that they had also observed sending phishing emails with malicious attachments containing an exploit for CVE-2023-38831 (CVSS 7.8), a vulnerability impacting WinRAR archiving software. The adversary’s goal was to deploy the Cobalt Strike beacon, followed by the PicassoLoader malware. The use of njRAT, a strain of malware active since 2010, proves how threat actors do not necessarily have to create custom or bespoke malware when older and more simple tools and procedures are still effective. In July 2023, security researchers with BlackBerry reported that the threat actors behind the RomCom malware had carried out phishing attacks against Ukraine and supporting countries just before a NATO Summit in Lithuania. The threat actor appeared to use this important, Ukraine-specific event as a lure to push the malware to victims, and researchers discovered a website impersonating the Ukrainian World Congress non-profit organization. The execution chain used in this campaign exploited the Follina remote code execution vulnerability, CVE-2022-30190, which impacts Microsoft's Support Diagnostic Tool (MSDT). Reported in May 2022, this vulnerability is an attractive attack vector for threat actors of all sophistication levels. Optiv’s gTIC conducted analysis of more than 45 ransomware groups and 26 APT groups across multiple countries, including Russia, North Korea, China, and Iran, and identified 5 ransomware groups and 13 APT groups that have been observed exploiting the Follina vulnerability since its disclosure. In August 2023, Microsoft security researchers reported that Midnight Blizzard (aka Nobelium, APT29, UNC2452, and Cozy Bear) was observed using Microsoft Teams to mount targeted campaigns aimed at stealing Microsoft 365 passwords and pivoting into organizations’ Azure Active Directory and other sensitive environments. The group reportedly targeted 40 global government, technology, manufacturing, and media organizations. Midnight Blizzard used previously compromised valid accounts to send social engineering messages while impersonating technical support. The threat actor attempted, in some cases, to add a device to the organization as a managed device via Microsoft Entra ID. While the victims of these campaigns were located worldwide, there is an Even Chance that future attacks and espionage/information gathering campaigns carried out by APT29 will be targeted toward Ukrainian and NATO country’s organizations to gather strategic information. In August 2023, U.S. federal agencies and international partners in the U.K., New Zealand, Australia, and Canada published a report warning that the Sandworm Team threat actor was deploying a new strain of malware called “Infamous Chisel.” This malware, while not highly sophisticated, enables persistent remote access to infected Android devices over the TOR network and the subsequent exfiltration of strategic system information that would provide value to the Russian government. In September 2023, CERT-UA reported that it stopped a cyberattack attributed to APT28 against an unnamed Ukrainian critical energy infrastructure facility. The attack began with a phishing email that, when clicked by the victim, activated an infection chain and downloaded a malicious ZIP archive. A scheduled task enabled persistence, and RCE was implemented using a cURL through a legitimate service called webhook.site. In September 2023, Reuters reported that “Russian spies were using hackers to target computer systems at law enforcement agencies in Ukraine in a bid to identify and obtain evidence related to alleged Russian war crimes,” according to Ukraine’s cyber defense chief. Reuters also indicates that these adversaries have increased their targeting of the Ukrainian Prosecutor General’s office and “departments documenting war crimes.” Ukraine’s cyber defense chief reported that the focus of Russia-linked APT groups has shifted from energy facilities to law enforcement agencies, which had previously not been targeted. The purported goal of the campaigns, according to Reuters, was to help Russian individuals “avoid prosecution and move them back to Russia.” In October 2023, the website of the British royal family suffered a DDoS attack that the Russian-linked threat group, KillNet, claimed responsibility for. The site was down for nearly 90 minutes, and the threat group reportedly did not gain access to its systems, content, or site. The website was targeted days after King Charles condemned the invasion of Ukraine, indicating that the DDoS attack was Likely in retaliation for speaking against the Russian actions. KillNet has previously targeted government websites within Europe, including the European Parliament website after the lawmakers approved a resolution calling Moscow a state sponsor of terrorism in November 2022. Image Figure 1: KillNet claimed responsibility for the DDoS attack on the official website of the royal family (Source: Telegram) In October 2023, a Ukrainian official stated that Russian cyberattacks had become more sophisticated and frequent, the daily goal of disrupting vital infrastructure. Deputy Foreign Minister Anton Demokhin reported that the cyberattacks, while not as devastating as expected, were consuming significant time, attention, and resources to defend networks and prevent damage and further disruption. Ukraine recorded 3,974 cyber incidents between January 2022 and September 2023, with most coming from Russian attackers. In October 2023, the Cyber Army of Russia Reborn, a Russian-affiliated threat group, openly advertised for a “chat admin or moderator” position on cybercriminal forums. The Cyber Army of Russia Reborn is a hacktivist group that is widely believed to be a replica of another hacktivist group, IT Army of Ukraine. The Cyber Army of Russia reportedly conducts DDoS attacks on Ukrainian organizations and government agencies of countries in support of Ukraine. The group has claimed that conflicts and geopolitical tensions is the motivation of their attacks. It is not clear why the Cyber Army of Russia Reborn advertised for a position openly on the dark web. However, it raises concerns for security researchers about the group’s intentions. There is an Even Chance that this position advertisement indicates that the group is seeking to strengthen capabilities and expand operations. Ukraine The IT Army of Ukraine, a collective that has nearly 10,000 volunteers, continues to be active against Russian organizations. The group claimed responsibility for temporarily disabling internet services in some of the territories occupied by the Russian army. The group reportedly conducted attacks against Russia the internet providers, “Miranda-media,” “Krimtelekom,” and MirTelekom,” and has invited supporters to install their software to increase the botnet network. As with most DDoS attacks, the companies mitigated the attacks and restored services within 24 hours. Image Figure 2: IT Army of Ukraine claims responsibility for DDoS attacks (Source: Telegram) In October 2023, Recorded Future indicated that Ukrainian hackers had reportedly teamed up with the nation’s security services, the SBU, to “breach Russia’s largest private bank” and “obtain the data of more than 30 million customers.” These hackers told Recorded Future that they would share this data with journalists. In October 2023, the Ukrainian Cyber Alliance (UCA), a Ukrainian hacktivist group, infiltrated and disrupted the Trigona ransomware operation. Initiated in 2021, the UCA is comprised of volunteers worldwide that purportedly work to defend the country’s cyberspace against Russian attacks. UCA hackers reportedly gained access to the Trigona ransomware infrastructure by leveraging a public exploit for CVE-2023-22515 (CVSS 9.8) in Confluence Data Center and Server. UCA maintained persistence and eventually wiped the servers completely. Image Figure 3: Trigona data leak site Based on ransomware variant similarities, the Trigona ransomware group is believed to have ties to the Russia-linked Alphv ransomware operation (aka BlackCat). The UCA reported that they would provide decryption keys found in the stolen data and any relevant information to law enforcement agencies. Other Countries From August to September 2023, the U.S. Cyber Command (CYBERCOM) deployed a team of cyberwarfare experts in Lithuania, which borders Moscow’s heavily militarized Kaliningrad enclave, to conduct a “defensive hunt operation.” The specialists reportedly searched for evidence of malicious activities, and the purported goal of the operation was to “defend the nation in and through cyberspace.” The operation was not conducted to directly benefit Ukraine, but rather because the same threat actors often conduct operations against NATO countries like Lithuania. Russia-linked cyberattacks targeting NATO countries in 2022 increased by 300%. Operations like the one conducted by CYBERCOM can be helpful in information sharing and mitigation techniques. Since the start of the Russian/Ukraine conflict, thousands of people have joined hacktivist and hacker groups. While many of their attacks are DDoS attacks or unsophisticated in nature, they can cause disruptions and have led to the temporary disruption of business and operations in critical verticals including banks, pharmacies, hospitals, transportation services, and government operations. In October 2023, the International Committee of the Red Cross (ICRC), published its first set of rules of engagement for civilian hackers. The rules have been dubbed a “Geneva Code” of cyber warfare and includes the following eight quoted rules. Do not direct cyberattacks against civilian objects. Do not use malware or other tools or techniques that spread automatically and damage military objectives and civilian objects indiscriminately. When planning a cyberattack against a military objective, do everything feasible to avoid or minimize the effects your operation may have on civilians. Do not conduct any cyber operation against medical and humanitarian facilities. Do not conduct any cyberattack against objects indispensable to the survival of the population or that can release dangerous forces. Do not make threats of violence to spread terror among the civilian population. Do not incite violations of international humanitarian law. Comply with these rules even if the enemy does not. Both Ukrainian and Russian hacking groups have reported that they will work to de-escalate cyberattacks and comply with the rules that have been proposed. One of the groups, KillNet, reported to BBC News that they agree to the terms and rules, and it should be considered as a first step from the group towards peace. Additionally, the IT Army of Ukraine has vowed to avoid cyberattacks that would impact civilians. If the commitments to follow these rules are sincere, there will Likely be a reduction in the number of cyberattacks causing disruptions to civilian operations over the next 12 months. However, these vows have previously proven to be untrue or unsuccessful. For example, in 2020, multiple ransomware groups – Maze, REvil, DoppelPaymer, and more – vowed to avoid healthcare organizations during the COVID-19 pandemic, which lasted for a few months before healthcare organizations were targeted again. Therefore, there is an Even Chance that the hacker groups will continue to target organizations and cause disruptions that affect civilians over the next 12 months. Outlook In September 2023, the State Service of Special Communications and Information Protection of Ukraine (SSSCIP) released a report covering Russia’s cyber tactics in the first half of 2023. The goal of the report is to help Ukrainian cybersecurity specialists and international partners in mitigating and defending against Russia-linked cyberattacks. The report highlighted an increase in Russia-linked threat actors’ attention on law enforcement agencies, energy and media organizations, and their targeting of Ukraine has more than doubled (1.9 per day in H2 2022 to 4-5 per day in H1 2023). There were 342 confirmed incidents targeting Ukraine in the second half of 2022, and 762 in the first half of 2023 – an increase of 123%. The analysis revealed that Russia-linked threat actors often revisit victims that handle and maintain critical data of interest to the Russian military. This report, along with reports from Mandiant, highlight the increased use of living-off-the-land (LOTL) techniques observed in Russia-linked cyberattacks. This type of report can be incredibly beneficial in information sharing operations, which enable accurate mitigation techniques and the spread of knowledge on groups’ and malware activities. It is Likely that Russia-linked threat groups will continue to target Ukraine and NATO countries, improve their TTPs, and identify ways to conduct more complex and successful attacks over the next 12 months. Also over the next 12 months, it is Likely that Russia-linked groups will increasingly focus on evading detection and conducting long-term espionage attacks targeting Ukraine and supporting countries to steal sensitive information that would be of strategic value to the Russian government. Other countries that have a history of state-sponsored and/or APT attacks which have indirectly aligned or maintained suspicious neutrality towards Russia include China and India, which could also pose additional risks or proxies for cyberattacks. While China has ultimately avoided physical involvement in the war, they have maintained a suspicious balance between suspending and continuing trade and business suspended business. China-linked threat groups have also parroted Russian narratives when they aligned with China’s criticism of the U.S. Despite a focus on the U.S., there is an Even Chance that these groups could target countries of strategic interest to Russia over the next 12 months. It is Likely that Russian and Ukrainian hackers will continue to target vulnerabilities in ubiquitous software over the next 12 months. In addition to multiple vulnerabilities, Optiv’s gTIC assesses it is Likely that cybercriminals and fringe state-sponsored campaigns will use common software and malware in the coming months, such as: RDP SMB/Samba UPnP Oracle WebLogic Microsoft Exchange Microsoft SharePoint VMware - vCenter, ESXi, vSphere, vAccess, Workspace ONE, Horizon VPN clients – Pulse Secure, Fortinet Fortigate, Citrix Gateway Jenkins Atlassian – Jira, Confluence Routers – Asus, MikroTik Content management system (CMS) platforms - WordPress – Joomla!, Drupal, Magento, Adobe Commerce Mimikatz AdFind AnyDesk Rclone Ngrok reverse proxy Zoho ManageEngine LogMeIn TeamViewer It is Likely that threat actors will continue to use the same tactics observed in cyberattacks attributed to Russia-linked and Russia-supporting groups. Table 1: MITRE ATT&CK techniques observed in reported cyberattacks related to the Russia/Ukraine conflict Tactic Technique Description Reconnaissance T1595.002 Active Scanning: Vulnerability Scanning T1589.001 Gather Victim Identity Information: Credentials T1598 Phishing for Information: T1598.003 Phishing for Information: Spearphishing Link Resource Development T1583.001 Acquire Infrastructure: Domains T1583.006 Acquire Infrastructure: Web Services T1608.001 Stage Capabilities: Upload Malware T1584.001 Compromise Infrastructure: Domains T1584.003 Compromise Infrastructure: Virtual Private Server T1584.004 Compromise Infrastructure: Server T1584.006 Compromise Infrastructure: Web Services T1586.002 Compromise Accounts: Email Accounts T1586.003 Compromise Accounts: Cloud Accounts T1587.001 Develop Capabilities: Malware T1587.003 Develop Capabilities: Digital Certificates T1585.001 Establish Accounts: Social Media Accounts T1588.001 Obtain Capabilities: Malware T1588.002 Obtain Capabilities: Tool Initial Access T1566.001 Phishing: Spearphishing Attachment T1566.002 Phishing: Spearphishing Link T1566.003 Phishing: Spearphishing via Service T1190 Exploit Public-Facing Application T1133 External Remote Services T1195.002 Supply Chain Compromise: Compromise Software Supply Chain T1199 Trusted Relationship T1078 Valid Accounts T1078.002 Valid Accounts: Domain Accounts T1078.003 Valid Accounts: Local Accounts T1078.004 Valid Accounts: Cloud Accounts T1189 Drive-by Compromise Execution T1059.001 Command and Scripting Interpreter: PowerShell T1059.003 Command and Scripting Interpreter: Windows Command Shell T1059.005 Command and Scripting Interpreter: Visual Basic T1059.006 Command and Scripting Interpreter: Python T1059.007 Command and Scripting Interpreter: JavaScript T1059.009 Command and Scripting Interpreter: Cloud API T1559.001 Inter-Process Communication: Component Object Model T1559.002 Inter-Process Communication: Dynamic Data Exchange T1106 Native API T1053.005 Native API T1204.001 User Execution: Malicious Link T1204.002 User Execution: Malicious File T1047 Windows Management Instrumentation T1651 Cloud Administration Command T1203 Exploitation for Client Execution Persistence T547.001 Server Software Component: Web Shell T1136.003 Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder T1137 Boot or Logon Autostart Execution: Time Providers T1137.002 Create Account: Local Account T1098.001 Account Manipulation: Additional Cloud Credentials T1098.002 Account Manipulation: Additional Email Delegate Permissions T1098.003 Account Manipulation: Additional Cloud Roles T1098.005 Account Manipulation: Device Registration T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription T1546.013 Event Triggered Execution: PowerShell Profile T1546.015 Event Triggered Execution: Component Object Model Hijacking T1556.007 Modify Authentication Process: Hybrid Identity T1505.003 Server Software Component: Web Shell T1037.001 Boot or Logon Initialization Scripts: Logon Script (Windows) T1542.003 Pre-OS Boot: Bootkit Privilege Escalation T1546.008 Event Triggered Execution: Accessibility Features T1546.015 Event Triggered Execution: Component Object Model Hijacking T1068 Exploitation for Privilege Escalation T1134.001 Access Token Manipulation: Token Impersonation/Theft T1134.002 Access Token Manipulation: Create Process with Token Defense Evasion T1055 Process Injection T1055.012 Process Injection: Process Hollowing T1140 Deobfuscate/Decode Files or Information T1564.003 Hide Artifacts: Hidden Window T1562.001 Impair Defenses: Disable or Modify Tools T1562.002 Impair Defenses: Disable Windows Event Logging T1562.004 Impair Defenses: Disable or Modify System Firewall T1070.004 Indicator Removal: File Deletion T1070.006 Indicator Removal: Timestomp T1070.008 Indicator Removal: Clear Mailbox Data T1112 Modify Registry T1121 Template Injection T1027 Obfuscated Files or Information T1027.001 Obfuscated Files or Information: Binary Padding T1027.004 Obfuscated Files or Information: Compile After Delivery T1027.005 Obfuscated Files or Information: Indicator Removal from Tools T1027.010 Obfuscated Files or Information: Command Obfuscation T1027.011 Obfuscated Files or Information: Fileless Storage T1218.005 System Binary Proxy Execution: Mshta T1218.011 System Binary Proxy Execution: Rundll32 T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control T1484.002 Domain Policy Modification: Domain Trust Modification T1553.002 Subvert Trust Controls: Code Signing T1553.005 Subvert Trust Controls: Mark-of-the-Web Bypass T1553.006 Subvert Trust Controls: Code Signing Policy Modification T1036.001 Masquerading: Invalid Code Signature T1036.004 Masquerading: Masquerade Task or Service T1036.005 Masquerading: Match Legitimate Name or Location T1211 Exploitation for Defense Evasion T1150.004 Use Alternate Authentication Material: Web Session Cookie T1014 Rootkit Credential Access T1528 Steal Application Access Token T1552.004 Unsecured Credentials: Private Keys T1110 Brute Force T1110.001 Brute Force: Password Guessing T1110.003 Brute Force: Password Spraying T1555.003 Credentials from Password Stores: Credentials from Web Browsers T1555.004 Credentials from Password Stores: Windows Credential Manager T1621 Multi-Factor Authentication Request Generation T1606.001 Forge Web Credentials: Web Cookies T1606.002 Forge Web Credentials: SAML Tokens T1003.003 OS Credential Dumping: NTDS T1003.006 OS Credential Dumping: DCSync T1649 Steal or Forge Authentication Certificates T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting T1539 Steal Web Session Cookie Discovery T1083 File and Directory Discovery T1120 Peripheral Device Discovery T1057 Process Discovery T1082 System Information Discovery T1016.001 System Network Configuration Discovery: Internet Connection Discovery T1033 System Owner/User Discovery T1087.001 Account Discovery: Local Account T1087.002 Account Discovery: Domain Account T1087.004 Account Discovery: Cloud Account T1482 Domain Trust Discovery T1069.001 Permission Groups Discovery: Local Groups T1069.002 Permission Groups Discovery: Domain Groups T1018 Remote System Discovery T1040 Network Sniffing T1615 Group Policy Discovery T1201 Password Policy Discovery T1012 Query Registry T1049 System Network Connections Discovery T1007 System Service Discovery T1124 System Time Discovery Lateral Movement T1534 Internal Spearphishing T1080 Taint Shared Content T1021.001 Remote Services: Remote Desktop Protocol T1021.002 Remote Services: SMB/Windows Admin Shares T1021.005 Remote Services: VNC T1021.006 Remote Services: Windows Remote Management T1021.007 Remote Services: Cloud Services T1550.001 Use Alternate Authentication Material: Application Access Token T1550.003 Use Alternate Authentication Material: Pass the Ticket T1210 Exploitation of Remote Services T1091 Replication Through Removable Media T1570 Lateral Tool Transfer Collection T1119 Automated Collection T1074.001 Data Staged: Local Data Staging T1074.002 Data Staged: Remote Data Staging T1025 Data from Removable Media T1113 Screen Capture T1560 Archive Collected Data T1560.001 Archive Collected Data: Archive via Utility T1005 Data from Local System T1213 Data from Information Repositories T1213.002 Data from Information Repositories: SharePoint T1213.003 Data from Information Repositories: Code Repositories T1114.002 Email Collection: Remote Email Collection T1039 Data from Network Shared Drive T1123 Audio Capture Command & Control T1132 Data Encoding T1102 Web Service T1102.002 Web Service: Bidirectional Communication T1071.001 Application Layer Protocol: Web Protocols T1071.003 Application Layer Protocol: Mail Protocols T1568 Dynamic Resolution T1105 Ingress Tool Transfers T1001.001 Data Obfuscation: Junk Data T1001.002 Data Obfuscation: Steganography T1573 Encrypted Channel T1573.001 Encrypted Channel: Symmetric Cryptography T1092 Communication Through Removable Media T1090.001 Proxy: Internal Proxy T1090.003 Proxy: Multi-hop Proxy T1090.004 Proxy: Domain Fronting Exfiltration T1041 Exfiltration Over C2 Channel T1048.002 Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol T1020 Automated Exfiltration T1030 Data Transfer Size Limits T1567 Exfiltration Over Web Service T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage Impact T1561 Disk Wipe T1561.002 Disk Wipe: Disk Structure Wipe T1486 Data Encrypted for Impact T1485 Data Destruction T1491.001 Defacement: Internal Defacement T1498 Network Denial of Service T1529 System Shutdown/Reboot By: Andi Ursry Intelligence Analyst | Optiv Andi Ursry has over four years of experience in Threat Intelligence. Ursry began her career in the retail sector in Loss Prevention and Safety positions. She worked on-site to help stores mitigate risks. After seeing a shift toward cybercrime, she changed focus to cyber intelligence. Ursry’s research focuses on ransomware groups and their tactics. Prior to joining Optiv, Ursry was a Cyber Threat Intelligence Analyst for a California-based cybersecurity company that specializes in digital risk. She earned a bachelor’s and master’s degree in criminal justice from Colorado Technical University, Online. Share: Optiv Security: Secure greatness.® Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit www.optiv.com.
Optiv Security: Secure greatness.® Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit www.optiv.com.