• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar
  • Skip to footer

My TechDecisions

  • Best of Tech Decisions
  • Topics
    • Video
    • Audio
    • Mobility
    • Unified Communications
    • IT Infrastructure
    • Network Security
    • Physical Security
    • Facility
    • Compliance
  • RFP Resources
  • Resources
  • Podcasts
  • Project of the Week
  • About Us
    SEARCH
Compliance, IT Infrastructure, Network Security

This is What A Russian Cyberattack Looks Like

In light of recent geopolitical events involving Russia, U.S. agencies release detailed guidance on how to spot a Russian cyberattack.

January 18, 2022 Zachary Comeau Leave a Comment

Threat Detection Trends, 2023 Hacking Trends, Expel
stock.adobe.com

Many organizations that have valuable data or even come close to touching sectors of the U.S. government are likely fending off cyberattacks from nation-state countries, with Russia among the top such threats.

Now, due to increasing tensions between Russia, Ukraine and western countries, IT and cybersecurity professionals should be on the lookout for sophisticated threat actors associated with the former Soviet Union. To help defenders be prepared for those threats, several U.S. agencies have released information and guides to help spot those potential attacks.

That includes a joint cybersecurity advisory from the Cybersecurity and Infrastructure Security Agency, FBI and NSA on commonly observed tactics, techniques and procedures of a typical Russian threat actor along with actions defenders should take.

According to the advisory, Russian state-sponsored actors use common techniques to gain initial access to target networks, including spearphishing, brute force and exploiting these known vulnerabilities:

  • CVE-2018-13379 FortiGate VPNs
  • CVE-2019-1653 Cisco router
  • CVE-2019-2725 Oracle WebLogic Server
  • CVE-2019-7609 Kibana
  • CVE-2019-9670 Zimbra software
  • CVE-2019-10149 Exim Simple Mail Transfer Protocol
  • CVE-2019-11510 Pulse Secure
  • CVE-2019-19781 Citrix
  • CVE-2020-0688 Microsoft Exchange
  • CVE-2020-4006 VMWare (note: this was a zero-day at time.)
  • CVE-2020-5902 F5 Big-IP
  • CVE-2020-14882 Oracle WebLogic
  • CVE-2021-26855 Microsoft Exchange. The agencies note this vulnerability is frequently observed used in conjunction with CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065)

The advisory also included several recent examples of Russian state-sponsored operations compromising third-party software, deploying their own custom malware and targeting industrial control systems networks with destructive malware.

Below are some common tactics and techniques employed by Russian state-sponsored hackers, per the advisory:

  • Reconnaissance. Hackers perform large-scale vulnerability scans in an attempt to find severs that contain known vulnerabilities that haven’t yet been patched. They also conduct spearphishing campaigns to gain credentials to target networks.
  • Resource Development. Russian actors develop and deploy their own custom malware, much of which is designed to disrupt industrial control systems.
  • Initial access. In addition to phishing campaigns and vulnerability scanning, Russian actors exploit vulnerable internet-facing applications and compromise the build environments of trusted third-party software. An example of this was the compromise of the SolarWinds Orion IT management software discovered in December 2020.
  • Execution. Agencies say hackers backed by the Russian government use cmd.exe to execute commands on remote machines and use PowerShell to create new tasks on remote machines, identity configuration settings, exfiltrate data and execute other commands.
  • To maintain persistence, threat actors use credentials of valid accounts, giving them unfettered, long-term access to victim IT environments.
  • Credential access. To gain credentials, Russian threat actors use a variety of tactics, including brute force, credential dumping, stealing or forging Kerberos tickets, compromising account credentials to access Group Managed Service Account passwords, exploiting Windows Netlogon via CVE-2020-1472 to gain access to Windows Active Directory Servers and obtaining private encryption keys from the Active Directory Federation Services container to decrypt corresponding SAML singing certificates.
  • Command and Control. Russian-state sponsored hackers have been observed using virtual private servers to route traffic to targets, using IP addresses in the home country of the victim to hide their activity.

Given the advanced tools and techniques used by Russian hackers, detecting that activity can be difficult. However, the agencies lay out some steps to take to help organizations identify malicious activity, including:

  • Implementing robust log collection and retention. The agencies suggest using native tools such as Microsoft 365 Sentinel in addition to other tools such as Sparrow, Hawk or CrowdStrike’s Azure Reporting Tool.
  • Searching for behavioral evidence or network and host-based artifacts. The agencies suggest reviewing authentication logs for multiple login failures of valid accounts and other suspicious activity, including:
    • Changing usernames and strange IP addresses that don’t match the expected user’s location.
    • One IP address used for multiple accounts.
    • Logins from multiple IP addresses that are a significant geographical distance apart.
    • signs of credential dumping, suspicious privileged account activity, activity in typically dormant accounts and unusual user agent strings.

If malicious activity is detected, organizations should immediately isolate affected stems, secure backups, collect and review relevant data, contact a third-party security team, ensure the actor is eradicated from the network and avoid residual issues that could enable follow-on exploitation.

Organizations are urged to contact CISA, the FBI and law enforcement when malicious activity is discovered in the corporate network.

Agencies also urge organizations to be vigilant and practice good cybersecurity hygiene and take continuous steps to harden their network against compromise. That includes multi-factor authentication, practicing good password security habits, securing credentials, a strong patch management program, segmenting networks, leverage monitoring tools and endpoint protection and response tools and deploy strong email security tools to prevent phishing attacks.

Read the advisory here for more information. 

If you enjoyed this article and want to receive more valuable industry content like this, click here to sign up for our digital newsletters!

Tagged With: Cybersecurity, Russia

Related Content:

  • Cloud, SASE, Aryaka How the Cloud is Redefining Media Production and…
  • Software License Spending, SaaS, cloud apps Your Guide to Choosing the Best Cloud Security…
  • IT Budget 2025 Budgeting Tips for IT Pros/CIOs in 2025
  • A close-up of a technician’s hands typing and navigating through troubleshooting steps on a computer in a well-lit office. , natural light, soft shadows, with copy space Five Ways to Reduce Desktop Support Troubleshooting Time

Free downloadable guide you may like:

  • Practical Design Guide for Office SpacesPractical Design Guide for Office Spaces

    Recent Gartner research shows that workers prefer to return to the office for in-person meetings for relevant milestones, as well as for face-to-face time with co-workers. When designing the office spaces — and meeting spaces in particular — enabling that connection between co-workers is crucial. But introducing the right collaboration technology in meeting spaces can […]

Reader Interactions

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Latest Downloads

Practical Design Guide for Office Spaces
Practical Design Guide for Office Spaces

Recent Gartner research shows that workers prefer to return to the office for in-person meetings for relevant milestones, as well as for face-to-fa...

New Camera Can Transform Your Live Production Workflow
New Camera System Can Transform Your Live Production Workflow

Sony's HXC-FZ90 studio camera system combines flexibility and exceptional image quality with entry-level pricing.

Creating Great User Experience and Ultimate Flexibility with Clickshare

Working and collaborating in any office environment today should be meaningful, as workers today go to office for very specific reasons. When desig...

View All Downloads

Would you like your latest project featured on TechDecisions as Project of the Week?

Apply Today!

More from Our Sister Publications

Get the latest news about AV integrators and Security installers from our sister publications:

Commercial IntegratorSecurity Sales

AV-iQ

Footer

TechDecisions

  • Home
  • Welcome to TechDecisions
  • Contact Us
  • Comment Guidelines
  • RSS Feeds
  • Twitter
  • Facebook
  • Linkedin

Free Technology Guides

FREE Downloadable resources from TechDecisions provide timely insight into the issues that IT, A/V, and Security end-users, managers, and decision makers are facing in commercial, corporate, education, institutional, and other vertical markets

View all Guides
TD Project of the Week

Get your latest project featured on TechDecisions Project of the Week. Submit your work once and it will be eligible for all upcoming weeks.

Enter Today!
Emerald Logo
ABOUTCAREERSAUTHORIZED SERVICE PROVIDERSYour Privacy ChoicesTERMS OF USEPRIVACY POLICY

© 2025 Emerald X, LLC. All rights reserved.