Russia/Ukraine Update - February 2023

March 2, 2023

The Russia-Ukraine war has lasted for a full year at the time of this update, with no indication of ending in the near future. Cybercriminals have continued to show their support for both sides of the war, targeting organizations and government agencies to obtain sensitive data, disrupt operations, and wreak havoc. Destructive cyberattacks were a large portion of Russia’s strategy during the invasion. However, Russia has continued to move their focus beyond Ukraine. Countries offering financial, military, and cyber defensive support of Ukraine have also become targets for cybercriminals and state-sponsored groups aligned with Russia. This war has caused a rippling effect of destruction and disruption across the world, including the cybercriminal landscape. During the first half of the war, groups split, turned on each other, and announced support for one country or the other. To date, groups have still launched attacks in support of Russia or Ukraine and have continued to move cybercriminal activity into a political arena.


Optiv’s Global Threat Intelligence Center (gTIC) has provided periodic updates on Russian and Ukrainian actions and estimated cyber-related implications in Advisories and Optiv Blog posts on February 4, February 22, February 24, June 30, August 25, September 29, October 31, November 29 and December 20. This update will provide information on the events of the previous 90 days and what we can expect looking forward.




Russia continued to launch cyberattacks against Ukraine and supporting countries. From additional wiper attacks to ransomware to DDoS attacks, Russia-linked threat actors have relentlessly launched attacks to show support for their government. The most active groups during this period were Sandworm and Gamaredon APT groups. Additionally, Killnet continued their onslaught of DDoS attacks, which were inconvenient rather than truly disruptive. Lastly, a new threat group, NoName057(16), made headlines for launching attacks in support of Russia.




Sandworm (aka IRON VIKING, BlackEnergy, Voodoo Bear) is an APT group that is attributed to Russia’s General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455. The group has been one of the most active groups in targeting Ukraine since at least 2012. However, the use of wiper malware increased significantly since the invasion of Ukraine in February 2022. In January 2023, the Computer Emergency Response Team of Ukraine (CERT-UA) linked Sandworm to a destructive malware attack targeting Ukraine’s national news agency (Ukrinform). The attackers launched the CaddyWiper malware on the news agency’s systems using a Windows group policy (GPO), indicating the group had breached the target’s network prior to launching the wiper malware. Ukrinform was able to prevent the wiper malware from having a significant impact on the organization. This attack was linked to Sandworm based on the group’s tactics and Sandworm’s use of CaddyWiper in a previously failed cyberattack targeting a Ukrainian energy organization.


On January 27, 2023, CERT-UA released an advisory that a post related to the targeting of Ukrinform was added to the Telegram channel, “CyberArmyofRussia_Reborn”. CERT-UA identified five samples of wiper malware, including CaddyWiper, ZeroWipe, SDelete, AwfulShred, and BidSwipe. The investigation revealed that the attackers obtained access to the network in December 2022 and launched the final payload on January 17, 2023, which was only partially successful. This post was Likely related to the January targeting using CaddyWiper and has been attributed to the Sandworm APT group.


On January 25, 2023, Sandworm deployed a new wiper, dubbed SwiftSlicer, using Group Policy of Active Directory. SwiftSlicer is a Golang-based malware that deletes shadow copies, recursively overwrites files, and reboots the computer. Although additional details related to the attack and the malware are limited at the time of writing, Sandworm has a proven history of the use of wiper malware targeting Ukraine. Over the next 12 months, it is Likely that Sandworm will continue to develop new wiper malware variants, as well as continue to use older variants.




Gamaredon (aka IRON TILDEN, Primitive Bear, Shuckworm, UAC-0010) is a cyber espionage group attributed to Russia’s Federal Security Service (FSB) Center 18. Gamaredon has been observed targeting Ukrainian organizations since at least 2013 and has been observed providing services to other APT actors. Gamaredon has notoriously used phishing emails for malware distribution and provides the access to compromised networks and intelligence to other threat actors. According to researchers with Palo Alto Networks’ Unit 42, Gamaredon is one of the most intrusive, continuously active APTs targeting Ukraine. The group has been observed using phishing lures in the Ukrainian and English languages, Likely to target both Ukrainian and NATO members. Although the group has used similar tactics and malware variants for the last 10+ years and has experienced multiple failed attacks, it is the group’s persistence and dedication make them a credible threat to organizations.


In January 2023, the group was observed leveraging the Telegram messaging app to target military and law enforcement agencies in Ukraine. The group reportedly used Telegram accounts for victim profiling and confirmation of geographic location before leading the victim to the next-stage server for the final payload. Telegram has grown in popularity over the past 12 months for multiple reasons. If both parties engaged in a communication exchange are online simultaneously, Telegram offers near-real-time encrypted communications. Law enforcement often monitors underground forums in certain geographic locations, such as China. But by using an anonymous chat platform that offers encrypted channels and little to no monitoring, threat actors can remain undetected for longer periods. This is Likely the reason for the shift to Telegram for communications.


In February 2023, the State Cyber Protection Centre (SCPC) of Ukraine linked Gamaredon to cyberattacks targeting public authorities and critical information infrastructure in the country. The SCPC reported that Gamaredon had launched attacks deploying GammaLoad and GammaSteel spyware in their campaigns. GammaLoad is a VBScript dropper malware engineered to download next-stage VBScript from a remote server. GammaSteel is a PowerShell script that is capable of conducting reconnaissance and executing additional commands.


The GammaLoad and GammaSteel spyware variants were deployed via spearphishing emails with a .RAR attachment that contained a .LNK file. According to the alert published by the SCPC, “the current activity of the UAC-0010 group is characterized by an approach to the multi-stage loading and execution of payloads of WPS, which is used to maintain control over infected hosts.”



Cold River

Cold River (aka Calisto, Callisto) is an APT group attributed to Russia. The Security Service of Ukraine (SBU) has previously associated Cold River with the Gamaredon group and the Russian FSB – however, this has not been confirmed. Cold River has been observed targeting military and strategic research verticals, such as NATO entities and a Ukraine-based defense contractor. Additionally, the group has been observed targeting former intelligence officials, experts in Russian matters, and Russian citizens abroad.


In January 2023, reports emerged that Cold River had targeted three nuclear research laboratories in the United States in the summer of 2022. Between August and September 2022, there were multiple reports of Russian President Putin claiming that he would be willing to use nuclear weapons to defend its territory. Cold River was identified as the threat group behind cyberattacks targeting the Brookhaven, Argonne, and Lawrence Livermore National Laboratories. The attackers reportedly created fake login pages for each institution and sent phishing emails to nuclear scientists in an attempt to harvest credentials.


In December 2022, security researchers with Sekoia reported that Cold River targeted six private companies based in the U.S. and Eastern Europe and four non-governmental organizations (NGO), all involved in Ukraine support. Cold River reportedly sent phishing emails containing a malicious PDF attachment. The emails reportedly appeared to come from a trusted source and did not contain the malicious attachment in the first email. Rather, the attacker waited for a reply and then sent the malicious attachment in a subsequent email. Cold River has not been named as one of the more prominent threat groups active in the Russia-Ukraine war. However, these reports indicate that the group may be collecting data from organizations indirectly related to supporting Ukraine. Additionally, the targeting of NGOs, including the Commission for International Justice and Accountability, indicates the group is Likely collecting intelligence related to war actions and international procedures that could give Russia an insight into emerging news and activities of Ukrainian and Western countries.




Killnet is a pro-Russian hacktivist group that emerged during the ongoing Russian invasion of Ukraine. The group has been active since at least January 2022, largely executing attacks in response to pro-Ukrainian and pro-Western hacktivism. Killnet uses botnets to perform DDoS attacks. While more than 100 threat groups have deployed cyberattacks during the war, Killnet is the most vocal and active group.


Killnet uses Telegram to claim responsibility for attacks and announce future attacks. The group lists potential future targets and calls for action against certain countries that refuse to stop supporting Ukraine. The group uses Telegram to boast their disdain for countries that refuse to stop supporting Ukraine. These are all Russian-language messages, and they often include aggressive and/or obscene comments.


Killnet is reportedly comprised of smaller, lesser-known groups that are in support of Russia’s actions. The group is most known for its use of DDoS attacks, but also has been observed spreading propaganda and disinformation. Although Killnet is not considered highly sophisticated or well-organized, the group can still cause service outages for hours or even days, which could have a significant impact on health care and critical infrastructure organizations.


In January 2023, Killnet posted an alleged attack list for hospitals and medical organizations in several countries. The list included 15 URLs and called for action against the U.S. government and health-care organizations. This threat was Likely in response to President Biden’s promise to provide dozens of military tanks to Ukraine. On January 30, 2023, several of the listed organizations reported disruptions on their public-facing webpages.


In February 2023, Killnet announced via their Telegram channel that they were “carrying out strikes on NATO”. NATO’s Special Operations Headquarters and Strategic Airlift Capability were among NATO organizations disrupted by the Killnet attacks. These organizations were involved in humanitarian aid to victims of the Turkish-Syrian earthquake. The attacks limited communications between SAC and a C-17 aircraft in flight, which was able to land safely despite the attack. The group’s attacks did not result in network breaches, but they were successful in disrupting aid missions and NATO countries operations.



Figure 1: Killnet Telegram Channel



Other Notable Groups

In December 2022, the CERT-UA disclosed that users of the Delta situational awareness program received phishing emails from a compromised email account belonging to the Ministry of Defense. CERT-UA attributed the attacks to a threat cluster tracked as UAC-0142, with the goal of deploying FateGrab and StealDeal data-stealing malware. Delta is a cloud-based operational situation display system developed by Aerorozvidka that allows real-time monitoring of troops on the battlefield, making it a lucrative target for threat actors. The phishing emails used lures with fake warning to update root certificates in the Delta software, included malicious PDF documents containing links to archive files hosted on a fraudulent Delta domain, and dropped the malware on compromised systems.


FateGrab is designed to exfiltrate flies with specific extensions through FTP, and StealData targets web browsers to steal passwords and other sensitive information. The attack targeting users of the Delta program was launched just days after Ukraine presented the system to the NATO Consultation, Command, and Control Organizations (NC3O).


In January 2023, security researchers with Mandiant reported that the Russia-linked APT group, Turla, was observed targeting Ukrainian systems by using run-of-the-mill commodity malware and piggybacking on infrastructure used in earlier criminal operations. Turla has been active since at least 2004 and has previously been observed targeting government and military-related organizations. Turla is known for conducting watering hole and spearphishing campaigns and has been linked to Russia. This indicates Turla Likely acts at the direction of, and/or to fulfill the intelligence requirements of, the Russian government. Its objective is Likely to gather intelligence.


Turla’s cyberattacks targeting Ukrainian systems began with the insertion of an infected USB stick into a Ukrainian system in December 2021. The USB contained a 2013 version of the Andromeda malware that began sending beacons to Turla’s C2 infrastructure. Interestingly, Turla appeared to have re-registered domains—including expired ones—used in an earlier criminal campaign. In September 2022, the threat actors then downloaded and executed a WinRAR Self-Extracting Archive containing KOPILUWAK, which was run seven times between September 6 and September 8. Each time, the malware attempted to transfer significant amounts of data to the C2. On September 8, 2022, the threat actors downloaded QUIETCANARY to a host that was used to gather and exfiltrate data from the victim.


Turla has not been a significant threat actor active in the targeting of Ukraine during the Russia-Ukraine war. However, the identification of a campaign taking advantage of another threat actor’s C2 and malware indicates that Turla could still select victims of strategic interest, while removing themselves from the responsibility of spreading malware singlehandedly.


In January 2023, security researchers with SentinelLabs reported that the Pro-Russian hacking group, NoName057(16) (aka NoName05716, 05716nnm or Nnm05716), was observed conducting a campaign of DDoS attacks on Ukraine and NATO organizations. This campaign began shortly after the start of the war. The group has been reportedly conducting DDoS attacks in support of Russia since March 2022 alongside Killnet. However, the group remains relatively underreported – Likely due to DDoS attacks causing minimal disruption to organizations. The group is reportedly focused on disrupting websites relevant to nations that are critical of Russia’s invasion of Ukraine. Early attacks reportedly targeted Ukrainian media organizations and later shifted to NATO-associated targets.


NoName057(16), similar to Killnet, reportedly operates through Telegram to claim responsibility for their attacks, mock their targets, and make additional threats. Posts on the group’s channel indicate the group considers themselves more prominent and important than they actually are. The group has been observed utilizing GitHub to host their DDoS tool website and the latest version of their tools that are advertised in the Telegram channel. NoName057(16) victims include the Polish government in December 2022, after the Sejm of the Republic of Poland recognized Russia as a state sponsor of terrorism; Lithuanian organizations in the Transportation vertical in January 2023; and 2023 Czech presidential election candidates in January 2023. Tools utilized by the group include the Bobik botnet and two variants of the DDOSIA tool (aka Dosia, Go Stresser). Over the next 12 months, it is Likely that NoName057(16) will continue to target organizations in Ukraine and Western countries that publicly scrutinize Russian actions.


In February 2023, security researchers with the Symantec Threat Hunter Team reported that the Russia-linked threat actor, Nodaria (aka UAC-0056, DEV-0586, UNC2589, TA471), deployed a new information-stealing malware, Graphiron, targeting Ukraine. Graphiron is a two-stage malware consisting of a download and a payload. The downloader is configured to run once, meaning if it fails to download and install the payload, it will not attempt to do it again. The payload, similar to previously observed malware variants, GraphSteel and GrimPlant, can carry out various tasks, including:


  • Reading MachineGuid
  • Obtaining the IP address from
  • Retrieving the hostname, system info, and user info
  • Stealing data from Firefox and Thunderbird
  • Stealing private keys from MobaXTerm
  • Stealing SSH known hosts
  • Stealing data from PuTTY
  • Stealing stored passwords
  • Taking screenshots
  • Creating a directory
  • Listing a directory
  • Running a shell command
  • Stealing an arbitrary file


The Nodaria threat group has previously remained under the radar. However, their activity over the previous 12 months indicates the group has become a key part of Russia’s ongoing cyber campaigns targeting Ukraine and Western-supporting countries.


In February 2023, CERT-UA warned of phishing attacks targeting state authorities that were deploying the legitimate remote access software, Remcos. The phishing emails contained a .RAR attachment that claimed to be a court letter including information related to a debt. The phishing emails featured the subject, “Court claim against your personal accounts # 7192206443063763 dated: 06.02.2023”. The .RAR archive contained two documents: a .txt file with a “personal access code” and a password-protected RAR-archive that contained the executable. CERT-UA attributed this campaign to UAC-0050, which has been active since at least 2020—previously targeting Ukrainian state authorities. It is Likely that this group is actively conducting espionage campaigns to gather information related to Ukraine’s government actions. If successful, the installation of Remcos would provide threat actors complete access to the compromised device.


In February 2023, Russian media reported that Alexander Khinshtein, the head of the Duma committee on information policy, announced that the Russian government was evaluating whether to avoid punishing hackers acting in the interests of Moscow. The Russian government reportedly recognizes the importance of the cybercriminal groups and hacktivists’ contribution to the defense of its interests. Russia has a reputation as a cybercriminal safe haven, including for ransomware operations creating malware to avoid victims in Russia or the Commonwealth of Independent States (CIS) regions. However, the current Russian law framework currently punishes criminals charged with creating, using, and distributing malware with up to seven years in jail. The Russian Parliament announced that they would discuss the proposal in more detail in the coming months, with the intent to better formulate the initiative.




In January 2023, Ukrainian air defense forces shot down a total of 45 drones, most of which were supplied by Iran. As a result of Iran purportedly supporting Russia’s actions, pro-Ukrainian hacktivists claimed they launched DDoS attacks against Iranian websites. Affected websites included those of Iranian supreme leader Ali Khamenei and the National Iranian Oil Company. Multiple pro-Ukrainian hackers turned to Telegram channels to voice their disdain for Iran’s involvement in the war. No specific threat group has been attributed to the attacks. But multiple hacking group’s Twitter and Telegram accounts host messages related to DDoS attacks, including ones launched by Anonymous and a hacker by the Twitter username “rootkit_sec” (aka “rootkitsecurity”).



Figure 2: rootkitsecurity Twitter post related to Iranian DDoS attacks


DDoS attacks conducted during the Russia-Ukraine war have not created as big of an impact as the wiper or ransomware attacks conducted over the previous 12 months. Most of the DDoS attacks lasted only minutes or hours, with some lasting a few days. However, Ukrainian hacktivists do not appear to be deterred, claiming via Telegram channels that they will continue to launch attacks until Iran stops supplying Russia with drones.


In February 2022, the hacking group, Anonymous, pushed the #OpRussia tag to prioritize attacks against Russia interests in cyberspace after the invasion of Ukraine. A year later, news relating to cyberattacks has largely waned. Most headlines now cover new attacks launched by Russian-based threat actors against Ukraine and Western-supporting countries. However, #OpRussia is still active. There are 150,000 to 400,000 active subscribers to various Telegram channels, as well as 200,000 Discord channel subscribers. These active members include multiple hacking groups, including Anonymous and IT Army of Ukraine. But they also include individual volunteers and pro-Ukrainian outfits, such as Network Battalion 65. Some of the known activity is listed below:


  • Disbalancer - A DDoS tool used to take down infrastructure targets, with more than 200,000 downloads at the time of writing. Users download and run the tool. The user’s bandwidth is used to attack a rotating target list. Disbalancer claims to have attacked more than 700 Russian targets.
  • PlayforUkraine[,]life – A web-based game performing application-level DDoS in the background. The game is no longer active, but it was responsible for taking down Alfabank, Russia’s largest private bank.
  • WasteRussianTime[.]today – A website that connected two government officials with each other. The site, which is no longer active, sought to simply waste the time of government officials.


During the first six months of the war, Russia was suffering a data breach every three days on average. However, after August 2022, a majority of the groups had gone quiet. Most of the current activity remains with Disbalancer, with their rotating target list, and with the IT Army of Ukraine, who reportedly targeted two Russian organizations in January 2023.


Unfortunately, as attention and interest in the Russia-Ukraine war wanes, it is Likely that fewer Russian victims will be disclosed. Additionally, as most of the groups targeting victims on behalf of Ukraine are volunteer based or hacktivist groups, most of these members have Likely moved on to other targets. Additionally, as Russia-linked groups continue to deploy information-stealing malware, backdoors, ransomware, and wiper malware, these attacks are Likely to make headlines before hacktivist groups launch DDoS attacks. It is Likely that Russian organizations have been targeted more often than what has been publicly reported.


As Russia has continued to launch attacks targeting Ukraine, Yurii Shchyhol, the head of Ukraine’s State Service of Special Communications and Information Protection, has reportedly called for a “Cyber United Nations”. The goal is to establish a single global organization uniting nations in cyberspace to share threat information and prepare for future attacks. There is little information on global support for the idea; there is an Even Chance that NATO countries’ sharing cyberattack information would help to detect and mitigate known cyberattacks more quickly.



Other Countries

Russia has increasingly targeted other countries that either support Ukraine or publicly reprimand Russia’s actions in the war. Moldovan Prime Minister Natalia Gavrilița accused Russia of trying to destabilize the country by sponsoring protests and carrying out cyberattacks. A few of the attacks targeting Moldova from 2022-2023 include Killnet’s announcement of a week-long hacking campaign against the nation of Moldova in August 2022. Moreover, an unknown attacker targeted 80 Moldovan state computer systems with DDoS attacks in October 2022. Not long after, in November 2022, a hacker leaked purported private Telegram conversations between Moldovan political figures (chats that the Moldovan President’s office claimed were fake). And in January 2023, a phishing campaign lured Moldovan government victims to a fake payment page to renew the alleged expiration of the .md government domain. Moldova is also connected to Ukraine’s power grid, and therefore Russia’s missile strikes on Ukraine have caused internet and power disruptions in Moldova.


Also in February 2023, although unrelated to the Russia-Ukraine war, the U.S. and U.K. sanctioned members of the Russia-based TrickBot cybercriminal group. The sanctions were placed on six Russian nationals and one Ukrainian that were associated with Russian intelligence services. The individuals designated under sanctions are Vitaly Kovalev (aka Alex Konor, Bentley, or Bergen), Maksim Mikhailov (aka Baget), Valentin Karyagin (aka Globus), Mikhail Iskritskiy (aka Tropa), Dmitry Pleshevskiy (aka Iseldor), Ivan Vakhromeyev (aka Mushroom), and Valery Sedletski (aka Strix). These individuals are purportedly involved in the development of ransomware, other malware projects, money laundering, and injecting malicious code into websites to steal victims’ credentials.


The U.S. Treasury Department released a statement that the TrickBot group’s preparations in 2020 aligned them to Russian state objectives and targeting previously conducted by Russian Intelligence Services. TrickBot is attributed to Wizard Spider (aka ITG23, Blackburn) and has been previously observed deploying additional malware payloads, including Conti and Ryuk ransomware variants. In mid-2022, the Conti ransomware group took over the TrickBot enterprise and implemented it as a malware-as-a-service prior to the group’s shutdown.


TrickBot has previously faced disruptions, such as the 2020 disruption by Microsoft. The group shut down for a majority of the year but was able to resume operations. Following the shutdown of Conti ransomware operations, TrickBot operations have slowed down/ But there is an Even Chance that the group will rebrand and re-emerge in an attempt to continue operations while avoiding sanctions. While these sanctions are intended to impact cybercrime rather than directly relate to the war, the timing of the sanctions could spark retaliatory attacks by Russia-based threat actors.




Dating back to 2014, Russia-linked and Russia-supporting threat groups have launched hundreds of attempted cyberattacks, including ransomware, wiper, and information stealers against Ukrainian organizations. Since the invasion of Ukraine in February 2022, Russia-linked and Russia-supporting groups have conducted cyberattacks and spread disinformation in an attempt to gather information and show their support for Russia. However, the larger strikes that would have crippled Ukrainian critical infrastructure, such as its electrical grid, have not been as successful as expected. Ukraine has recovered quickly from successful attacks, restoring systems and communications.


Russia’s cyber capabilities have previously proven to be significant, based off previous cyberattacks reportedly linked to Russia-linked and Russia-supporting threat groups. However, many state-sponsored and state-supported groups are linked to military organizations. With the military organizations focused on physical war, it is Likely resources typically allocated to cyber capabilities are currently dedicated to the physical war. Additionally, the U.S. and other NATO countries, as well as companies, such as Microsoft and Google, have offered their support to Ukrainian experts. This support has included hands-on recovery efforts, communication devices and critical infrastructure operators, and financial and technical help to improve cyber resilience against cyberattacks. Ukraine’s analysis in January 2023 stated that “cyberattacks are entirely consistent with Russia’s overall military strategy” and Russian cyberattacks targeting Ukraine have tripled over 2022. It is Very Likely that Russia will continue targeting Ukraine and supporting countries over the next 12 months.


Despite reports that Russia-linked groups have not been as successful as expected, it is Likely that these groups will continue launching attacks against Ukraine and Western-supporting countries over the next 12 months. This is Likely to encompass critical infrastructure verticals, such as Energy, Government, Manufacturing, and Transportation in destructive cyberattacks that include wiper or ransomware malware. There is an Even Chance that Russian President Putin will refocus efforts on cyberattacks as kinetic military action sees setbacks, including reshuffling of military leaders and high turnover.


It is Likely that the U.S. and other countries that provide support and offer alliances to Ukraine, as well as publicly criticize Russia’s actions, will remain attractive targets for Russia-linked and supporting threat groups. It is Likely that these countries will be targeted in cyberattacks conducted by Russia-linked or Russia-supporting threat actors, including DDoS attacks, wiper malware, information stealing, and ransomware attacks. Iran’s purported involvement in supporting Russia will Likely include Iran-linked threat groups targeting Ukraine and Western-supporting countries. Countries like China and India also have a history of state-sponsored and/or APT attacks that have indirectly aligned or maintained suspicious neutrality toward Russia. This could also pose additional risks or proxies for cyberattacks. While China has ultimately avoided physical involvement in the war, they have suspended business when threats to Chinese interests called for it, continued business and trading when they could, and parroted Russian narratives when they aligned with China’s criticism of the U.S. While China-linked threat groups have a proven history of targeting U.S. and other Western countries in espionage campaigns related to China’s strategic interests, there is an Even Chance that these groups could target countries of strategic interest to Russia over the next 12 months.


As Russia continues to launch cyberattacks against Ukraine, it is Likely that the impact of those will affect other countries as well. Similar to the internet availability issues faced by Moldova, attacks targeting Ukraine’s critical infrastructure verticals are Likely to impact the citizens of nearby countries that have interwoven systems, networks, and grids. Additionally, as South Korea and Japan have joined the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) and Ukraine has singed the Treaty of Amity and Cooperation (TAC) with ASEAN, it is Likely that Asia-Pacific countries will also experience cyberattacks at the hands of both China-linked and Russia-linked threat groups over the next 12 months.


It’s Likely that cyber adversaries, regardless of attribution, will continue to leverage and employ techniques, tools, and vulnerabilities used in previous cyberattacks and campaigns. Threat actors are Likely to target known vulnerabilities, including older (2+ year-old) vulnerabilities, in widely used software and services to gain access to victim networks. This is Likely due to the success of compromise in employing the same techniques and the utilization of minimal resources by reusing open-source and commercially available tools, software, and malware.


In addition to multiple vulnerabilities, Optiv’s gTIC assesses it is Likely that cybercriminals and fringe state-sponsored campaigns will use common software and malware in the coming months, such as:


  • RDP
  • SMB/Samba
  • UPnP
  • Oracle WebLogic
  • Microsoft Exchange
  • Microsoft SharePoint
  • VMware vCenter, ESXi, vSphere, vAccess
  • VPN clients – Pulse Secure, Fortinet Fortigate, Citrix Gateway
  • Jenkins
  • Content management system (CMS) platforms
  • WordPress – Joomla!, Drupal, Magento, Adobe Commerce
  • Mimikatz
  • AdFind
  • AnyDesk
  • Rclone
  • Ngrok reverse proxy
  • Zoho ManageEngine
  • LogMeIn
  • TeamViewer


It is Likely that threat actors will continue to use the same tactics observed in cyberattacks attributed to Russia-linked and Russia-supporting groups.


Table 1: MITRE ATT&CK techniques associated with groups mentioned


Tactic Technique Description
Reconnaissance T1595.002 Active Scanning: Vulnerability Scanning
T1592.002 Gather Victim Host Information: Software
T1589.002 Gather Victim Identity Information: Email Addresses
T1589.003 Gather Victim Identity Information: Employee Names
T1590.001 Gather Victim Network Information: Domain Properties
T1591.002 Gather Victim Org Information: Business Relationship
T1598.003 Phishing for Information: Spearphishing Link
T1594 Search Victim-Owned Websites
T1593 Search Open Websites/Domains
Resource Development T1583.001 Acquire Infrastructure: Domains
T1583.003 Acquire Infrastructure: Virtual Private Server
T1583.004 Acquire Infrastructure: Server
T1583.006 Acquire Infrastructure: Web Services
T1586 Compromise Accounts
T1587.001 Develop Capabilities: Malware
T1587.003 Develop Capabilities: Digital Certificates
T1585.001 Establish Accounts: Social Media Accounts
T1585.002 Establish Accounts: Email Accounts
T1588.001 Obtain Capabilities: Malware
T1588.002 Obtain Capabilities: Tool
T1588.003 Obtain Capabilities: Code Signing Certificates
T1588.006 Obtain Capabilities: Vulnerabilities
T1608.001 Stage Capabilities: Upload Malware
T1586.003 Compromise Infrastructure: Virtual Private Server
T1586.004 Compromise Infrastructure: Server
T1586.005 Compromise Infrastructure: Botnet
T1586.006 Compromise Infrastructure: Web Services
Initial Access T1566.001 Phishing: Spearphishing Attachment
T1566.002 Phishing: Spearphishing Link
T1195.002 Supply Chain Compromise: Compromise Software Supply Chain
T1199 Trusted Relationship
T1078 Valid Accounts
>T1078.002 Valid Accounts: Domain Accounts
>T1078.003 Valid Accounts: Local Accounts
T1189 Drive-by Compromise
T1190 Exploit Public-Facing Application
T1133 External Remote Services
Execution T1059.001 Command and Scripting Interpreter: PowerShell
T1059.003 Command and Scripting Interpreter: Windows Command Shell
T1059.005 Command and Scripting Interpreter: Visual Basic
T1059.006 Command and Scripting Interpreter: Python
T1059.007 Command and Scripting Interpreter: JavaScript
T1204.001 User Execution: Malicious Link
T1204.002 User Execution: Malicious File
T1047 Windows Management Instrumentation
T1559.001 Inter-Process Communication: Component Object Model
T1106 Native API
T1053.005 Scheduled Task/Job: Scheduled Task
T1072 Software Deployment Tools
T1106 Native API
T1203 Exploitation for Client Execution
T1569.002 Exploitation for Client Execution
T1569.002 System Services: Service Execution
Persistence T1098 Account Manipulation
T1136 Create Account
T1136.002 Create Account: Domain Account
T1505.001 Server Software Component: SQL Stored Procedures
T1505.003 Server Software Component: Web Shell
T1547.001 Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder
T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL
T1547.009 Boot or Logon Autostart Execution: Shortcut Modification
T1137 Office Application Startup
T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription
T1546.013 Event Triggered Execution: PowerShell Profile
T1053 Scheduled Task/Job
T1574.008 Hijack Execution Flow: Path Interception by Search order Hijacking
Privilege Escalation T1134.001 Access Token Manipulation: Token Impersonation/Theft
T1134.002 Access Token Manipulation: Create Process with Token
T1068 Exploitation for Privilege Escalation
T1055 Process Injection
T1055.001 Process Injection: Dynamic-link Library Injection
T1055.002 Process Injection: Portable Executable Injection
T1484.002 Domain Policy Modification: Domain Trust Modification
T1078.001 Valid Accounts: Default Accounts
T1078.002 Valid Accounts: Domain Accounts
T1611 Escape to Host
Defense Evasion T1140 Deobfuscate/Decode Files or Information
T1562.001 Impair Defenses: Disable or Modify Tools
T1562.002 Impair Defenses: Disable Windows Event Logging
T1070 Indicator Removal
T1070.001 Indicator Removal: Clear Windows Event Logs
T1070.004 Indicator Removal: File Deletion
T1070.006 Indicator Removal: Timestomp
T1221 Template Injection
T1112 Modify Registry
T1036.005 Masquerading: Match Legitimate Name or Location
T1027.001 Obfuscated Files or Information: Binary Padding
T1027.002 Obfuscated Files or Information: Software Packing
T1027.003 Obfuscated Files or Information: Steganography
T1027.004 Obfuscated Files or Information: Compile After Delivery
T1027.005 Obfuscated Files or Information: Indicator Removal from Tools
T1218.005 System Binary Proxy Execution: Mshta
T1218.011 System Binary Proxy Execution: Rundll32
T1153.006 Subvert Trust Controls: Code Signing Policy Modification
T1222.001 File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1127 Trusted Developer Utilities Proxy Execution
T1055.001 Process Injection: Dynamic Link Library Injection
T1480 Execution Guardrails
T1497 Virtualization/Sandbox Evasion
T1497.003 Virtualization/Sandbox Evasion: Time Based Evasion
T1550.001 Use Alternate Authentication Material: Application Access Token
Credential Access T1110.003 Brute Force: Password Spraying
T1555.003 Credentials from Password Stores: Credentials from Web Browsers
T1555.004 Credentials from Password Stores: Windows Credential Manager
T1555.005 Credentials from Password Stores: Password Managers
T1040 Network Sniffing
T1003 OS Credential Dumping
T1003.001 OS Credential Dumping: LSASS Memory
T1003.003 OS Credential Dumping: NTDS
T1003.006 OS Credential Dumping: DCSync
T1003.008 OS Credential Dumping: /etc/passwd and /etc/shadow
T1111 Multi-Factor Authentication Interception
T1212 Exploitation for Credential Access
T1552.001 Unsecured Credentials: Credentials in Files
T1552.004 Unsecured Credentials: Private Keys
T1552.006 Unsecured Credentials: Group Policy Preferences
T1558 Steal or Forge Kerberos Tickets
T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting
T1606.001 Forge Web Credentials: Web Cookies
T1606.002 Forge Web Credentials: SAML Tokens
Discovery T1087.001 Account Discovery: Local Account
T1087.002 Account Discovery: Domain Account
T1087.003 Account Discovery: Email Account
T1016.001 System Network Configuration Discovery: Internet Connection Discovery
T1120 Peripheral Device Discovery
T1018 Remote System Discovery
T1083 File and Directory Discovery
T1082 System Information Discovery
T1615 Group Policy Discovery
T1049 System Network Connections Discovery
T1033 System Owner/User Discovery
T1012 Query Registry
T1057 Process Discovery
T1201 Password Policy Discovery
T1069.001 Permission Group Discovery: Local Groups
T1069.002 Permission Group Discovery: Domain Groups
T1518.001 Software Discovery: Security Software Discovery
T1007 System Service Discovery
T1124 System Time Discovery
T1046 Network Service Discovery
T1135 Network Share Discovery
T1526 Cloud Service Discovery
Lateral Movement T1570 Lateral Tool Transfer
T1021.002 Remote Services: SMB/Windows Admin Shares
T1021.003 Remote Services: Distributed Component Object Model
T1021.005 Remote Services: VNC
T1534 Internal Spearphishing
T1580 Taint Shared Content
Collection T1005 Data from Local System
T1056.001 Input Capture: Keylogging
T1119 Automated Collection
T1039 Data from Network Shared Drive
T1025 Data from Removable Media
T1113 Screen Capture
T1074 Data Staged
T1114.002 Email Collection: Remote Email Collection
T1213 Data from Information Repositories
T1213.002 Data from Information Repositories: SharePoint
T1213.003 Data from Information Repositories: Code Repositories
T1560.001 Archive Collected Data: Archive via Utility
Command & Control T1071.001 Application Layer Protocol: Web Protocols
T1071.003 Application Layer Protocol: Mail Protocols
T1071.004 Application Layer Protocol: DNS
T1132.001 Data Encoding: Standard Encoding
T1102 Web Service
T1102.002 Web Service: Bidirectional Communication
T1105 Ingress Tool Transfer
T1571 Non-Standard Port
T1090 Proxy
T1090.001 Proxy: Internal Proxy
T1090.003 Proxy: Multi-Hop Proxy
T1219 Remote Access Software
T1568 Dynamic Resolution
T1568.002 Dynamic Resolution: Domain Generation Algorithms
T1573.001 Encrypted Channel: Symmetric Cryptography
Exfiltration T1041 Exfiltration Over C2 Channel
T1020 Automated Exfiltration
T1567.001 Exfiltration Over Web Service: Exfiltration to Code Repository
T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1030 Data Transfer Size Limits
Impact T1491.001 Defacement: Internal Defacement
T1491.002 Defacement: External Defacement
T1485 Data Destruction
T1561.001 Disk Wipe: Disk Content Wipe
T1561.002 Disk Wipe: Disk Structure Wipe
T1499 Endpoint Denial of Service
T1499.002 Endpoint Denial of Service: Service Exhaustion Flood
T1486 Data Encrypted for Impact
T1489 Service Stop
T1498.001 Network Denial of Service: Direct Network Flood
T1531 Account Access Removal
Intelligence Analyst | Optiv
Andi Ursry has over four years of experience in Threat Intelligence. Ursry began her career in the retail sector in Loss Prevention and Safety positions. She worked on-site to help stores mitigate risks. After seeing a shift toward cybercrime, she changed focus to cyber intelligence. Ursry’s research focuses on ransomware groups and their tactics.

Prior to joining Optiv, Ursry was a Cyber Threat Intelligence Analyst for a California-based cybersecurity company that specializes in digital risk. She earned a bachelor’s and master’s degree in criminal justice from Colorado Technical University, Online.

Optiv Security: Secure greatness.®

Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit