Many organizations that have valuable data or even come close to touching sectors of the U.S. government are likely fending off cyberattacks from nation-state countries, with Russia among the top such threats.
Now, due to increasing tensions between Russia, Ukraine and western countries, IT and cybersecurity professionals should be on the lookout for sophisticated threat actors associated with the former Soviet Union. To help defenders be prepared for those threats, several U.S. agencies have released information and guides to help spot those potential attacks.
That includes a joint cybersecurity advisory from the Cybersecurity and Infrastructure Security Agency, FBI and NSA on commonly observed tactics, techniques and procedures of a typical Russian threat actor along with actions defenders should take.
According to the advisory, Russian state-sponsored actors use common techniques to gain initial access to target networks, including spearphishing, brute force and exploiting these known vulnerabilities:
- CVE-2018-13379 FortiGate VPNs
- CVE-2019-1653 Cisco router
- CVE-2019-2725 Oracle WebLogic Server
- CVE-2019-7609 Kibana
- CVE-2019-9670 Zimbra software
- CVE-2019-10149 Exim Simple Mail Transfer Protocol
- CVE-2019-11510 Pulse Secure
- CVE-2019-19781 Citrix
- CVE-2020-0688 Microsoft Exchange
- CVE-2020-4006 VMWare (note: this was a zero-day at time.)
- CVE-2020-5902 F5 Big-IP
- CVE-2020-14882 Oracle WebLogic
- CVE-2021-26855 Microsoft Exchange. The agencies note this vulnerability is frequently observed used in conjunction with CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065)
The advisory also included several recent examples of Russian state-sponsored operations compromising third-party software, deploying their own custom malware and targeting industrial control systems networks with destructive malware.
Below are some common tactics and techniques employed by Russian state-sponsored hackers, per the advisory:
- Reconnaissance. Hackers perform large-scale vulnerability scans in an attempt to find severs that contain known vulnerabilities that haven’t yet been patched. They also conduct spearphishing campaigns to gain credentials to target networks.
- Resource Development. Russian actors develop and deploy their own custom malware, much of which is designed to disrupt industrial control systems.
- Initial access. In addition to phishing campaigns and vulnerability scanning, Russian actors exploit vulnerable internet-facing applications and compromise the build environments of trusted third-party software. An example of this was the compromise of the SolarWinds Orion IT management software discovered in December 2020.
- Execution. Agencies say hackers backed by the Russian government use cmd.exe to execute commands on remote machines and use PowerShell to create new tasks on remote machines, identity configuration settings, exfiltrate data and execute other commands.
- To maintain persistence, threat actors use credentials of valid accounts, giving them unfettered, long-term access to victim IT environments.
- Credential access. To gain credentials, Russian threat actors use a variety of tactics, including brute force, credential dumping, stealing or forging Kerberos tickets, compromising account credentials to access Group Managed Service Account passwords, exploiting Windows Netlogon via CVE-2020-1472 to gain access to Windows Active Directory Servers and obtaining private encryption keys from the Active Directory Federation Services container to decrypt corresponding SAML singing certificates.
- Command and Control. Russian-state sponsored hackers have been observed using virtual private servers to route traffic to targets, using IP addresses in the home country of the victim to hide their activity.
Given the advanced tools and techniques used by Russian hackers, detecting that activity can be difficult. However, the agencies lay out some steps to take to help organizations identify malicious activity, including:
- Implementing robust log collection and retention. The agencies suggest using native tools such as Microsoft 365 Sentinel in addition to other tools such as Sparrow, Hawk or CrowdStrike’s Azure Reporting Tool.
- Searching for behavioral evidence or network and host-based artifacts. The agencies suggest reviewing authentication logs for multiple login failures of valid accounts and other suspicious activity, including:
- Changing usernames and strange IP addresses that don’t match the expected user’s location.
- One IP address used for multiple accounts.
- Logins from multiple IP addresses that are a significant geographical distance apart.
- signs of credential dumping, suspicious privileged account activity, activity in typically dormant accounts and unusual user agent strings.
If malicious activity is detected, organizations should immediately isolate affected stems, secure backups, collect and review relevant data, contact a third-party security team, ensure the actor is eradicated from the network and avoid residual issues that could enable follow-on exploitation.
Organizations are urged to contact CISA, the FBI and law enforcement when malicious activity is discovered in the corporate network.
Agencies also urge organizations to be vigilant and practice good cybersecurity hygiene and take continuous steps to harden their network against compromise. That includes multi-factor authentication, practicing good password security habits, securing credentials, a strong patch management program, segmenting networks, leverage monitoring tools and endpoint protection and response tools and deploy strong email security tools to prevent phishing attacks.