Russian Cyber Operations Supplementing Kinetic Military and Shaping Operations (UPDATE)

Executive Summary

Optiv’s Global Threat Intelligence Center (gTIC) is distributing this advisory as an update to our previous report summarizing recent cyber incidents related to ongoing tensions in Ukraine between October 2021 and January 2022, as well as previous cyber activity attributed to the Russian government in support of military operations in Eastern Europe. The report also included the gTIC’s estimate of potential Russian cyber courses of action over the next 30 to 90 days (since February 4, 2022), industry verticals that remain at higher risk, and defensive and mitigation recommendations.

 

Cyber activity and Russian influence operations against Ukraine and NATO supporting Russian military-shaping operations since February 4, 2022 include denial-of-service (DoS) attacks, psychological operations (PSYOPs) and disinformation campaigns as pretexting for military operations. Additionally, the release of the Truth Social platform for iOS may provide an opportunity for further Russian misinformation, disinformation and malinformation (MDM) campaigns. Optiv’s gTIC also identified supplementary information on vulnerability trends to support mitigating and defensive efforts.

 

 

Key Findings and Analysis

 

Key Findings

 

  • On February 15, a large DoS attack against Ukrainian government and financial organizations was later attributed to the Russian Military Intelligence Group (GRU) by the U.S. and U.K., based off overlapping technical indicators. This incident corroborates Optiv gTIC’s previous estimate of DoS attacks being leveraged by the Russian government over the next 30 to 90 days, and that the government industry vertical will very likely be targeted.
  • As of February 16, the U.S. Department of State warned that Vladimir Putin and the Russian government were delivering unfounded claims and rhetoric, which are assessed to serve as pretexts for ground operations in the Ukraine. These unfounded claims include reports of “genocide” by the Ukrainian government in Ukraine’s pro-Russian and rebel-controlled Donbas region, and development of chemical weapons to be used against Russian-controlled territories.
  • Russia reneged on previous promises that Russian troops were involved in military exercises at the Belarus-Ukraine border and would withdraw by February 21. Russian military forces remain alongside the Ukrainian border as of February 22.
  • On February 22, the Truth Social social media platform, founded by former U.S. President Donald Trump, was launched for iOS mobile devices. This could serve as an additional platform for pro-Russian disinformation, as well as social and political disruption within the U.S., due to suspected limited content management and moderately confident reporting of links between far-right extremist ideology and Russian influence within the United States.
  • On February 4, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) identified 26 vulnerabilities in key software being actively exploited. Mitigation of these vulnerabilities is likely to protect against multiple adversary attacks and attempts, including Russian state-sponsored and state-supported actors. Several of these vulnerabilities supplement Optiv gTIC’s standing assessment that older vulnerabilities (greater than two years) in popular software will continue to be exploited by cyber adversaries in intrusion attempts and attack campaigns.

 

Optiv gTIC Analysis and Comments

Since Optiv gTIC’s previous report disseminated on February 4, 2022, the situation in Ukraine continues to deteriorate and provide opportunities for Russian cyber and military shaping operations. Cyber “kinetic” operations that were formally attributed to Russia by the U.S. and U.K. include a large DoS attack that disrupted and degraded web services for the Ukrainian Ministry of Defense, as well as multiple Ukrainian financial institutions, which resulted in customers being unable to withdraw money from ATMs or transfer funds online. This action corroborates Optiv gTIC’s previous estimate that organizations in government and other high-risk verticals like energy and utilities remain at highest risk of Russian offensive cyber activity over the next 30 to 90 days.

 

The gTIC also estimated that it was probable that Russia would demonstrate its capability to execute DoS attacks against Ukraine. Russia’s employment of a DoS attack is predicated by information allegedly leaked from Russia’s Federal Security Service (FSB) in 2020, suggesting Russia’s intent to establish a large Internet of Things (IoT)-based botnet, dubbed “Fronton” and inspired by the infamous Mirai botnet. The reference to Mirai suggests the botnet will likely be weaponized for DoS attacks against identified targets or rivals. It is unconfirmed at this time whether the “Fronton” project was directly involved in the February 2022 DoS attacks against Ukrainian government and financial services organizations. Optiv’s gTIC assesses with high confidence that Russia will continue to experiment with, and leverage, tactical DoS attacks focused against organizations in key verticals in Ukraine and other former Eastern bloc countries over the next 12 months to disrupt lines of communication (LOCs) and demonstrate its “soft” influence via sporadic and tactical cyberattacks.

 

Over the last seven days, Russia has demonstrated its use of disinformation and PSYOPs to influence civilians in volatile regions of interest, and as pretext for a possible invasion. Vladimir Putin and the Russian government have made unsubstantiated and unfounded claims of “genocide” by the Ukrainian government in Ukraine’s pro-Russian and rebel-controlled Donbas region, as well as development of chemical weapons to be used against Russia-controlled territories. Russia has also been granting passports to citizens in the Donbas regions in a perception-management campaign to allow them to evacuate to Russia as a result of any potential conflict between pro-Russian rebels and the Ukranian military. Although geopolitical and military experts admit it’s “very hard to say what he’s [Putin] planning at this point other than that he has certainly positioned all of his forces to invade Ukraine,” his divisive rhetoric and recognition of independent states and republics in Ukraine “[…]is a prelude to having Russian forces go in there [Ukraine]”. Optiv’s gTIC also assesses with moderate confidence that, beyond disinformation and PSYOPs campaigns aimed directly at Ukrainian and other Eastern block citizens, over the next 12 months Russia will continue to attempt to undermine Western governments through perception management campaigns via social and alternative media. It is very likely that the Truth Social platform, founded by former U.S. President Donald Trump and his close associates and released on February 21 for iOS mobile devices, will serve as an opportunity for Russia to influence the userbase with pro-Russian rhetoric and undermine the current U.S. White House and other Western government administrations, which in turn can influence future elections.

 

Between February 4 and February 15, 2022, the U.S. CISA added 26 vulnerabilities to its ongoing KNOWN EXPLOITED VULNERABILITIES CATALOG. Vulnerabilities were represented by products from 10 vendors and include older vulnerabilities going back as far as 2014, 2015, 2017 and 2018. Products and vendors include Jenkins, Microsoft Server Message Block (SMB) protocol, Apache Struts, Oracle WebLogic, Adobe Flash and content management system (CMS) platforms. This supports Optiv gTIC’s standing assessment that cyber adversaries will very likely continue to exploit older (greater than two years) vulnerabilities in ubiquitous software over the next 12 months. Optiv gTIC’s list of high-risk and high-priority software, which is shared with Optiv Threat customers, also reflect those consistently appearing in U.S. CISA’s catalog of exploited vulnerabilities. Although not all vulnerabilities added since February 4 are confirmed to be targeted or exploited by Russian threat groups, addressing and hardening against exploitation of these vulnerabilities will likely mitigate attack attempts by multiple cybercriminal or state-sponsored adversary groups.

 

Additionally, there is an even chance that Russia may attempt to compromise multiple organizations and entities across Europe by targeting technology and software service providers in countries where information security and technology service outsourcing is a key export. These include countries like Ukraine, Poland and Romania. Ukraine is reported to at least partially provide IT services to more than 100 of the world’s Fortune 500 companies. Romania and Poland are both frequently reported as attractive options and alternatives for technology and IT services outsourcing. This very likely increases the risk of a supply-chain attack against a large number of organizations if a key entity or software like a managed security services provider (MSSP) or company like MeDocs (compromised to spread the NotPetya ransomware in 2017) is successfully compromised.

 

In light of recent Russian military activity and mobilization, any political, military or economic counteraction by NATO will likely be met with additional cyber activity and perception-management campaigns [i.e., PSYOPs, misinformation/disinformation/malinformation (MDM)] by Russia to disrupt supply lines and LOCs and provide general social and economic destabilization. Optiv gTIC assesses with moderate confidence that over the next 30 to 90 days, organizations in the government, financials, utilities, energy and telecommunications verticals in Eastern Europe and the United States are at highest risk of cyberattacks, including DoS and disruptive malware attacks, to destabilize economic and social order, disrupt military planning and undermine local governments.

 

 

Mitigation Recommendations

Optiv’s gTIC makes the following recommendations on mitigation for the threats highlighted in this report:

 

  • Ensure that all remote access to organizations’ network and administrative access requires multi-factor authentication (MFA) and users’ account activities are dictated by least-privilege policies.
  • Ensure that a vulnerability management program is in place that prioritizes patching based on the severity of a vulnerability, the number of systems and devices affected and how widely known the vulnerability is.
  • Ensure all non-essential ports and protocols are disabled and not internet-facing. These include Remote Desktop Protocol (RDP) and Universal Plug and Play (UPnP).
  • Deploy endpoint security controls to monitor for behavioral indicators of compromise, and deny unwanted code execution.
  • Employ behavior-based detection and preventive measures, rather than attribution-based indicators.
  • Ensure that all vendors and partners in the supply chain are held to the same security standards, and affected organizations’ traffic is isolated and closely reviewed.
  • Create and implement an incident response plan that includes a designated incident response team.
  • Conduct penetration testing to identify points of weakness. Combine this with tabletop exercises to ensure the incident response plan is effective and all members of the incident response team understand their roles in the event of a cyberattack.
  • Ensure offline backups are available, updated and can be used effectively in the event of an incident.

 

Appendix A – References


References

Chalfant, Morgan (2022, February 18) White House Says Russia Behind Cyberattack on Banks, Ministry in Ukraine.


Ikeda, Scott (2020, April 3) Leaked Documents Reveal Russia’s FSB Is Seeking to Build a Massive IoT Botnet.


Pamuk, Humeyra (2022, February 16) U.S. Warns Against Russian False Claims Being Used as Pretext for Ukraine Invasion.


Petraeus, David (Gen.) (2022, February 21) Putin's Is Preparing to Deliver a Russian Example of 'Shock and Awe'.


US Cybersecurity and Infrastructure Security Agency (2022, February 21) Known Exploited Vulnerabilities Catalog.

 

 

Appendix B – Assessments and Probability Statements:


Analytical Comments and Probability Statements

Most Likely Course of Action (MLCOA) – the expected and probable tactics, techniques and actions carried out by a threat actor. COA statements are well established and accepted in estimative and predictive intelligence assessments.

 

Most Dangerous Course of Action (MDCOA) – tactics, techniques or actions carried out or taken by an adversary that result in a worst-case scenario outcome or impact, regardless of probability. COA statements are well established and accepted in estimative and predictive intelligence assessments.

 

Words of Estimated Probability – Tactics, techniques or actions carried out or taken by an adversary that result in a worst-case scenario outcome or impact, regardless of probability. COA statements are well established and accepted in estimative and predictive intelligence assessments.

 

Words of Estimated Probability – Optiv EIM Intelligence employs the use of both probability statements for likelihood of events or actions and confidence levels for analytic assessments and judgements. Probability statements and confidence statements are inherently subjective; however, Optiv EIM Intelligence leverages professional experience and intelligence fundamentals to deliver reasonable and relevant statements and assessments. Probability statements and the degree of likelihood of an assessed event/incident are modeled after the Intelligence Community Directive (ICD) 203: Analytic Standards, published by the United States’ Office of the Director of National Intelligence (ODNI), and are as follows:

 

Image
russian_cyber_update_img1

 

Confidence statements, as defined by Optiv EIM Intelligence, apply to reliability and relevance of information reported and are as follows:

 

Confidence Level Optiv EIM Definition Factors Quantitative Relevance
High Confidence information and/or intelligence is assessed to be of high reliability and value to drive operations and decision Established history, repeated observations and patterns, strong precedence to form professional assessment and prediction/extrapolation 75%+
Moderate Confidence information and/or intelligence is reasonable and warrants consideration or action or response where applicable Sporadic observations, limited historical references (too recent or too long of a gap to be considered “established”) 45-65%
(+/- 10%)
Low Confidence Information and/or intelligence is unreliable or less relevant and provided as situational awareness lack of established history or observations, unreliable or circumstantial evidence < 35%

 

Per ICD 203 standards, confidence-level statements are not combined with probability and degree of likelihood terms proposed in the above chart.

Optiv Security: Secure greatness.™

Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit www.optiv.com.