Russian Cyber Operations Supplementing Kinetic Military and Shaping Operations (UPDATE)
Optiv’s Global Threat Intelligence Center (gTIC) is distributing this advisory as an update to our previous report summarizing recent cyber incidents related to ongoing tensions in Ukraine between October 2021 and January 2022, as well as previous cyber activity attributed to the Russian government in support of military operations in Eastern Europe. The report also included the gTIC’s estimate of potential Russian cyber courses of action over the next 30 to 90 days (since February 4, 2022), industry verticals that remain at higher risk, and defensive and mitigation recommendations.
Cyber activity and Russian influence operations against Ukraine and NATO in support of Russian military-shaping operations since February 4, 2022 include denial-of-service (DoS) attacks, psychological operations (PSYOPs) and disinformation campaigns used as pretext for military action. Additionally, the release of the Truth Social platform for iOS may provide an opportunity for further Russian misinformation, disinformation and malinformation (MDM) campaigns. Optiv's gTIC also identified supplementary information on vulnerability trends to support mitigation and defensive efforts.
Optiv gTIC Analysis and Comments
Since Optiv gTIC's previous report was disseminated on February 4, 2022, the situation in Ukraine has continued to deteriorate and to provide opportunities for Russian cyber and military-shaping operations. Cyber operations formally attributed to Russia by the U.S. and U.K. governments include a large DoS attack that disrupted and degraded web services for the Ukrainian Ministry of Defense and for multiple Ukrainian financial institutions, leaving customers unable to withdraw money from ATMs or transfer funds online. This activity corroborates Optiv gTIC's previous estimate that organizations in government and other high-risk verticals such as energy and utilities remain at highest risk of Russian offensive cyber activity over the next 30 to 90 days.
The gTIC also estimated that it was probable that Russia would demonstrate its capability to execute DoS attacks against Ukraine. That expectation was informed by documents allegedly leaked from Russia's Federal Security Service (FSB) in 2020 describing a project, dubbed "Fronton," to build a large Internet of Things (IoT)-based botnet inspired by the infamous Mirai botnet. The reference to Mirai suggests the botnet will likely be weaponized for DoS attacks against identified targets or rivals. It is unconfirmed at this time whether the "Fronton" project was directly involved in the February 2022 DoS attacks against Ukrainian government and financial services organizations. Optiv's gTIC assesses with high confidence that Russia will continue to experiment with, and leverage, tactical DoS attacks against organizations in key verticals in Ukraine and other former Eastern bloc countries over the next 12 months to disrupt lines of communication (LOCs) and demonstrate its "soft" influence via sporadic and tactical cyberattacks.
Over the last seven days, Russia has demonstrated its use of disinformation and PSYOPs to influence civilians in volatile regions of interest, and as pretext for a possible invasion. Vladimir Putin and the Russian government have made unsubstantiated and unfounded claims of "genocide" by the Ukrainian government in Ukraine's pro-Russian and rebel-controlled Donbas region, as well as of the development of chemical weapons to be used against Russia-controlled territories. Russia has also been granting passports to citizens in the Donbas regions in a perception-management campaign to allow them to evacuate to Russia in the event of conflict between pro-Russian rebels and the Ukrainian military. Although geopolitical and military experts admit it's "very hard to say what he's [Putin] planning at this point other than that he has certainly positioned all of his forces to invade Ukraine," his divisive rhetoric and recognition of independent states and republics in Ukraine "[…]is a prelude to having Russian forces go in there [Ukraine]". Optiv's gTIC also assesses with moderate confidence that, beyond disinformation and PSYOPs campaigns aimed directly at Ukrainian and other Eastern bloc citizens, over the next 12 months Russia will continue to attempt to undermine Western governments through perception-management campaigns via social and alternative media. It is very likely that the Truth Social platform, founded by former U.S. President Donald Trump and his close associates and released on February 21 for iOS mobile devices, will serve as an opportunity for Russia to influence the userbase with pro-Russian rhetoric and undermine the current U.S. White House and other Western government administrations, which in turn can influence future elections.
Between February 4 and February 15, 2022, the U.S. CISA added 26 vulnerabilities to its ongoing Known Exploited Vulnerabilities Catalog. The vulnerabilities affect products from 10 vendors and include older flaws dating back to 2014, 2015, 2017 and 2018. Affected products and vendors include Jenkins, Microsoft's Server Message Block (SMB) protocol, Apache Struts, Oracle WebLogic, Adobe Flash and content management system (CMS) platforms. This supports Optiv gTIC's standing assessment that cyber adversaries will very likely continue to exploit older (greater than two years) vulnerabilities in ubiquitous software over the next 12 months. Optiv gTIC's list of high-risk and high-priority software, which is shared with Optiv Threat customers, also reflects the products that consistently appear in U.S. CISA's catalog of exploited vulnerabilities. Although not all vulnerabilities added since February 4 are confirmed to be targeted or exploited by Russian threat groups, addressing and hardening against exploitation of these vulnerabilities will likely mitigate attack attempts by multiple cybercriminal and state-sponsored adversary groups.
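The practical step behind this paragraph is to consume the KEV catalog on a schedule, pull out what was added in a given window, and flag the entries whose CVE is years older than its catalog addition, since those are the "older vulnerability" class the gTIC expects to keep being exploited. The script below is an added example, not Optiv's tooling or CISA's code. It assumes the record layout of CISA's published KEV JSON feed (cveID, vendorProject, product, dateAdded, dueDate); the records embedded in it are constructed samples chosen to exercise the logic and are not the catalog's actual February 2022 additions. The "age" is derived from the CVE year, which is the reservation year and therefore only a lower bound on how long the flaw has been public.

```python
"""Triage a snapshot of CISA's Known Exploited Vulnerabilities (KEV) feed.

Added example for this advisory, not Optiv's or CISA's code. In production,
replace SAMPLE_KEV_JSON with the body of the published KEV JSON feed.
"""
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed. Assumption: the
# field names match the published feed. These entries are illustrative only,
# not the catalog's real additions for February 2022.
SAMPLE_KEV_JSON = json.dumps({
    "title": "Known Exploited Vulnerabilities (constructed sample)",
    "vulnerabilities": [
        {"cveID": "CVE-2017-5638", "vendorProject": "Apache", "product": "Struts",
         "dateAdded": "2022-02-10", "dueDate": "2022-02-24"},
        {"cveID": "CVE-2017-0144", "vendorProject": "Microsoft", "product": "SMBv1",
         "dateAdded": "2022-02-10", "dueDate": "2022-08-10"},
        {"cveID": "CVE-2020-14882", "vendorProject": "Oracle", "product": "WebLogic Server",
         "dateAdded": "2022-02-15", "dueDate": "2022-08-15"},
        {"cveID": "CVE-2018-7600", "vendorProject": "Drupal", "product": "Drupal Core",
         "dateAdded": "2022-02-04", "dueDate": "2022-08-04"},
        # Outside the window below; must be excluded by added_between().
        {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
         "dateAdded": "2021-12-10", "dueDate": "2021-12-24"},
    ],
})


def cve_year(cve_id: str) -> int:
    """Year component of a CVE ID, e.g. CVE-2017-5638 -> 2017."""
    return int(cve_id.split("-")[1])


def added_between(kev_json: str, start: str, end: str) -> list:
    """KEV entries whose dateAdded lies within [start, end] (ISO dates, inclusive)."""
    lo, hi = date.fromisoformat(start), date.fromisoformat(end)
    catalog = json.loads(kev_json)
    selected = []
    for record in catalog["vulnerabilities"]:
        added = date.fromisoformat(record["dateAdded"])
        if lo <= added <= hi:
            entry = dict(record)
            # Heuristic age: the CVE year is the reservation year, so this is a
            # lower bound on how long the flaw has been publicly known.
            entry["age_years"] = added.year - cve_year(record["cveID"])
            selected.append(entry)
    return selected


def stale_entries(entries: list, older_than_years: int = 2) -> list:
    """Entries whose CVE is more than `older_than_years` older than its KEV addition."""
    return [e for e in entries if e["age_years"] > older_than_years]


def patch_order(entries: list) -> list:
    """CVE IDs ordered by CISA due date (earliest first), then by ID for stability."""
    return [e["cveID"] for e in sorted(entries, key=lambda e: (e["dueDate"], e["cveID"]))]


def summarize(kev_json: str, start: str, end: str) -> dict:
    """Window summary: how many were added, which vendors, which are old, what to patch first."""
    entries = added_between(kev_json, start, end)
    return {
        "added": len(entries),
        "vendors": sorted({e["vendorProject"] for e in entries}),
        "stale": sorted(e["cveID"] for e in stale_entries(entries)),
        "patch_order": patch_order(entries),
    }


if __name__ == "__main__":
    import pprint
    pprint.pprint(summarize(SAMPLE_KEV_JSON, "2022-02-04", "2022-02-15"))
```

Running the summary over the sample window returns four entries from four vendors, three of which (the 2017 and 2018 CVEs) are more than two years older than their catalog addition; the 2020 WebLogic entry is not flagged under the "greater than two years" rule. Sorting by CISA's dueDate gives a defensible patch order when the window contains more items than a team can handle at once.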
Additionally, there is an even chance that Russia will attempt to compromise multiple organizations and entities across Europe by targeting technology and software service providers in countries where information security and technology service outsourcing is a key export. These include Ukraine, Poland and Romania. Ukraine is reported to at least partially provide IT services to more than 100 of the world's Fortune 500 companies, and Romania and Poland are both frequently reported as attractive options and alternatives for technology and IT services outsourcing. This very likely increases the risk of a supply-chain attack affecting a large number of organizations if a key entity, such as a managed security services provider (MSSP) or a widely used software vendor like M.E.Doc (whose update mechanism was compromised to spread NotPetya in 2017), is successfully compromised.
In light of recent Russian military activity and mobilization, any political, military or economic counteraction by NATO will likely be met with additional cyber activity and perception-management campaigns [i.e., PSYOPs and misinformation/disinformation/malinformation (MDM)] by Russia to disrupt supply lines and LOCs and cause general social and economic destabilization. Optiv gTIC assesses with moderate confidence that over the next 30 to 90 days, organizations in the government, financial services, utilities, energy and telecommunications verticals in Eastern Europe and the United States are at highest risk of cyberattacks, including DoS and disruptive malware attacks, intended to destabilize economic and social order, disrupt military planning and undermine local governments.
Optiv’s gTIC makes the following recommendations on mitigation for the threats highlighted in this report:
Chalfant, Morgan (2022, February 18) White House Says Russia Behind Cyberattack on Banks, Ministry in Ukraine.
Ikeda, Scott (2020, April 3) Leaked Documents Reveal Russia’s FSB Is Seeking to Build a Massive IoT Botnet.
Pamuk, Humeyra (2022, February 16) U.S. Warns Against Russian False Claims Being Used as Pretext for Ukraine Invasion.
Petraeus, David (Gen.) (2022, February 21) Putin Is Preparing to Deliver a Russian Example of 'Shock and Awe'.
U.S. Cybersecurity and Infrastructure Security Agency (2022, February 21) Known Exploited Vulnerabilities Catalog.
Analytical Comments and Probability Statements
Most Likely Course of Action (MLCOA) – the expected and probable tactics, techniques and actions carried out by a threat actor. COA statements are well established and accepted in estimative and predictive intelligence assessments.
Most Dangerous Course of Action (MDCOA) – tactics, techniques or actions carried out or taken by an adversary that result in a worst-case scenario outcome or impact, regardless of probability. COA statements are well established and accepted in estimative and predictive intelligence assessments.
Words of Estimated Probability – Optiv EIM Intelligence employs both probability statements for the likelihood of events or actions and confidence levels for analytic assessments and judgments. Probability statements and confidence statements are inherently subjective; however, Optiv EIM Intelligence leverages professional experience and intelligence fundamentals to deliver reasonable and relevant statements and assessments. Probability statements and the degree of likelihood of an assessed event/incident are modeled after Intelligence Community Directive (ICD) 203: Analytic Standards, published by the United States' Office of the Director of National Intelligence (ODNI), and are as follows:
Confidence statements, as defined by Optiv EIM Intelligence, apply to reliability and relevance of information reported and are as follows:
Per ICD 203 standards, confidence-level statements are not combined with probability and degree of likelihood terms proposed in the above chart.