As tensions rise between Russia and Ukraine, it is a certainty that many battles are already occurring in cyberspace. United States government, manufacturing, academic, and infrastructure targets have historically been chosen by Russian and other Eastern European nation-state sponsored Advanced Persistent Threat (APT) groups, so it is logical to expect that the United States will continue to be a target of cyber espionage and attacks from one or both countries. Ankura has extensive experience defending against these types of attacks and investigating incidents involving these APT groups. We have compiled the following intelligence and recommendations based on that experience.
This should serve as a high-level overview of these threats and of the mitigations that have been most effective against them; it should not be considered a comprehensive report or a complete list of protections.
Methods of Attack
- Utilize spearphishing and password brute-forcing to obtain credentials and/or deploy malware.
- Exploit vulnerabilities in software and hardware (e.g., SolarWinds, Cisco, FortiGate, Oracle, VMware, Microsoft Exchange, Log4j).
- Deploy web shells for persistent access and seek out data for exfiltration.
- Deploy ransomware or other malware to disrupt industry or services.
Protections and Mitigations
- IP Geofencing: While threat actors often use proxy or VPN providers to disguise their origin, many connections still originate from neighboring countries. If your enterprise has no Eastern European or Asian clients, blocking these IP ranges provides some protection.
- Diligent and Thorough Patch Management: Many APT groups leverage vulnerabilities that have available patches.
- Multi-Factor Authentication: MFA can prevent up to 99.9% of password-based attacks.
- Privacy Audits and Data Retention Policies: Knowing where your sensitive data lives enables better protections to be placed around it; keeping only what you need limits the sensitive or protected data that can be accessed or stolen.
- Endpoint Detection and Response: EDR is the gold standard for protecting against advanced polymorphic threats and those that live off the land. Remember that it is not effective out of the box; it requires configuration and regular monitoring to deliver value.
- Version Control for Web-Hosted Applications or Third-Party Outsourcing: Threat actors cannot hide web shells or other backdoors on a server that is regularly checked against a gold image for integrity.
- Network Segmentation and Zero-Trust: Separate web-hosted resources in a DMZ from sensitive corporate assets and core network infrastructure.
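The gold-image integrity check recommended above can be automated with a hash manifest. The following is an added example (not Ankura's code or any product's) that builds a SHA-256 manifest of a web root, then reports files that were added, removed, or modified relative to that baseline; a newly appearing script in an upload directory is exactly the kind of finding that warrants investigation. All file names and contents are constructed for illustration.

```python
"""
Added example: compare a web root against a gold-image manifest of
SHA-256 hashes and report files that were added, removed, or modified
since the baseline was taken. Paths and contents are constructed.
"""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so large assets do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Walk the tree and map each relative path (POSIX separators) to its digest."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def compare_to_gold(gold, current):
    """Return sorted lists of (added, removed, modified) relative paths."""
    added = sorted(set(current) - set(gold))
    removed = sorted(set(gold) - set(current))
    modified = sorted(p for p in gold if p in current and gold[p] != current[p])
    return added, removed, modified


def demo():
    """Constructed scenario: take a baseline, then simulate drift from it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "uploads"))
        with open(os.path.join(root, "index.php"), "w") as f:
            f.write("<?php echo 'hello'; ?>\n")
        with open(os.path.join(root, "uploads", "logo.png"), "wb") as f:
            f.write(b"\x89PNG constructed bytes")
        gold = build_manifest(root)  # this is the gold-image baseline

        # Constructed post-baseline changes: a new script in the upload
        # directory (placeholder content only) and an edited page.
        with open(os.path.join(root, "uploads", "cache.php"), "w") as f:
            f.write("<?php /* constructed placeholder file */ ?>\n")
        with open(os.path.join(root, "index.php"), "a") as f:
            f.write("// appended line\n")

        return compare_to_gold(gold, build_manifest(root))


if __name__ == "__main__":
    added, removed, modified = demo()
    for label, items in (("ADDED", added), ("REMOVED", removed), ("MODIFIED", modified)):
        for p in items:
            print(f"{label}: {p}")
```

In practice the gold manifest is generated from the known-good build artifact (or the version-control checkout) rather than from the live server, stored somewhere the web server account cannot write, and the comparison is run on a schedule with any non-empty result routed to the SOC.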
Ankura is happy to help support any needs related to these or other cybersecurity threats by emailing us at email@example.com.
© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.