A report from Ukraine’s cybersecurity service reveals insight into what the country has been facing from belligerent attackers and holds a lesson for CISOs.

In a recent report issued by the State Service of Special Communications and Information Protection of Ukraine (SSSCIP), titled “Russia’s Cyber Tactics: Lessons Learned in 2022 — SSSCIP analytical report on the year of Russia’s full-scale cyberwar against Ukraine”, readers get a 10,000-foot overview of what a hot cyberwar entails from the Ukrainian perspective. The SSSCIP report highlights the major targets, the coordination between government advanced persistent threat (APT) groups and “hacktivists”, espionage and influence operations, and Ukraine’s own analysis and discoveries.

SSSCIP Deputy Chairman Victor Zhora notes in his introduction that Ukraine has been both the active testing ground and the target of choice for Russia’s cyber efforts since 2014. He takes an interesting tack by pointing out that each attacker is a person being directed to achieve a given result, and that the report therefore tries to include the human context behind the observed tactics, techniques, and procedures (TTPs). Zhora notes that Russia has had some successes but has not succeeded overall, which he credits to the resilience of Ukraine’s defensive methodologies and to the many partners assisting in the defense of Ukraine’s cyber landscape.

CISOs should take note of potential spillover from the war

Two of those partners, which have invested heavily both financially and technologically, are Microsoft and Google. Both have recently published pieces giving visibility into the Russian cyberwar against Ukraine. When reading these, the CISO (and staff) should be looking to understand the ramifications of any cyber spillover from the conflict between Russia and Ukraine.
The report notes that since October 2022 the Russian cyberwar has proceeded in lockstep with kinetic strikes directed against the Ukrainian energy sector. The purposes of Russian hackers have also shifted, from a large number of attacks aimed at disruption to more precisely targeted spying and data theft. Of every 10 attacks, two or three aim at the destruction of information and capability; the remainder aim at the acquisition of information, with spear-phishing the tool of choice for gaining the initial foothold.

The Gamaredon group of the Russian security service FSB is noted as particularly active and successful in conducting operations against Ukrainian entities and exfiltrating a good deal of information, all of which falls under the “espionage” umbrella. The GRU’s Unit 74455 (widely tracked as Sandworm), by contrast, has been actively engaged in “wiper” attacks that destroy data and capability. Interestingly, detection is happening predominantly at the endpoint (EDR) rather than at the network or mail-server layer.

Russia’s attacks focused heavily on infrastructure

The “most heavily attacked sector in terms of cyberespionage and aggressive operations from adversaries remains Ukraine’s civilian infrastructure, including government institutions and critical infrastructure (energy companies, commercial organizations, logistics companies)” and various government ministries. In addition, defense organizations, both uniformed and civilian, are targeted. The focus was “credential-harvesting to gain impersonated and legitimate access through email or VPN without 2FA for collecting data.”

Throughout the second half of 2022, Russia targeted Security Service of Ukraine (SBU) personnel “to compromise the Signal messenger accounts and leak data and impersonate users.” Similarly, the “Shliakh” system used by Ukrainian border guards was attacked.
This system allows the border guards to check the identity of persons entering Ukraine.

The common goals of the Russian activities, even when not acting in a coordinated manner, “were mostly penetrating the energy segment and pursuing intelligence collection and data exfiltration.” Russia’s goal in targeting the telecom sector is to cut off the ability of Ukrainians, both civilian and government, to communicate, and thereby foster “disorganization, and panic across the civilian population.” Without the capability to communicate or gain access to the internet, “civilians, as well as military personnel and intelligence officers, can’t coordinate to take action or call for help.”

Refugees are another Russian target

Microsoft in its posting pointed out that Russian influence operations were targeting Ukrainian refugees and that “Moscow’s propaganda machine has recently taken aim at Ukrainian refugee populations across Europe, trying to convince them that they could be deported and conscripted into the Ukrainian military.”

Google, meanwhile, noted that attacks on NATO countries “increased over 300% … Russian government-backed attackers targeted users in Ukraine more than any other country. While we see these attackers focus heavily on Ukrainian government and military entities, the campaigns we disrupted also show a strong focus on critical infrastructure, utilities, and public services, and the media and information space.”

Inspiration for CISOs to review their own security

The SSSCIP provides some recommendations, based on its experience, to help organizations thwart and survive a cyberwar:

Minimize credential theft by protecting the identities of users. Multifactor authentication should be “everywhere”, and organizations should undertake “Active Directory hardening or migrate domain controllers to Azure AD”.
Institute least-privileged access. “Secure access to the most sensitive and privileged accounts and systems.”
Isolate legacy systems so they cannot be used as a point of entry.
For remote access, multifactor authentication is a must. “Remove or restrict outbound access wherever possible to mitigate egress-based kill chains…. Secure internet-facing systems and remote access solutions.”
Trained and capable individuals coupled with defense-in-depth security solutions “can empower your organization to identify, detect, and prevent intrusions impacting your business. Enabling native cloud workloads protection allows the identification and mitigation of known and novel threats to your network at scale.”

Cyberwar is no longer hypothetical: we are watching one play out as Ukraine defends itself against Russia and Russian-backed organizations. The lessons learned and shared by the Ukrainian SSSCIP are an inspiration for CISOs to review their own security protocols and tactics. A thorough read of the SSSCIP report, coupled with those from Google and Microsoft, offers plenty of opportunity to learn from the “lessons learned” by Ukraine.
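As an added illustration of the credential-theft recommendation above (example code written for this edit, not code from the SSSCIP, Microsoft or Google reports), the following Python audit runs over constructed VPN and webmail login records in an assumed key=value log format and flags the two things the report calls out: successful remote logins that presented no second factor, and a success that follows a burst of failures from the same source, which is what a harvested or guessed password finally working looks like. The log format, field names and sample lines are all assumptions; adapt the regex to your VPN or mail gateway’s real output.

```python
"""Audit constructed remote-access login records for the access pattern the
SSSCIP report attributes to Russian credential harvesting: legitimate-looking
logins through email or VPN without a second factor.

Added example. The "key=value" line format, the field names and the sample
lines below are assumptions, not any real product's output."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). IPs are RFC 5737 test ranges.
SAMPLE_LOG = """\
2022-10-03T08:01:12Z service=vpn user=o.kovalenko src=203.0.113.7 result=success mfa=totp
2022-10-03T08:04:55Z service=owa user=i.shevchenko src=198.51.100.23 result=fail mfa=none
2022-10-03T08:05:02Z service=owa user=i.shevchenko src=198.51.100.23 result=fail mfa=none
2022-10-03T08:05:09Z service=owa user=i.shevchenko src=198.51.100.23 result=fail mfa=none
2022-10-03T08:05:41Z service=owa user=i.shevchenko src=198.51.100.23 result=success mfa=none
2022-10-03T09:12:30Z service=vpn user=svc-backup src=192.0.2.44 result=success mfa=none
2022-10-03T09:30:00Z service=vpn user=o.kovalenko src=203.0.113.7 result=success mfa=totp
"""

# Assumed line layout: ISO timestamp followed by fixed key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) service=(?P<service>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\S+) mfa=(?P<mfa>\S+)$"
)


def parse(log_text):
    """Turn raw lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def logins_without_mfa(events):
    """Every successful remote login that presented no second factor."""
    return [e for e in events if e["result"] == "success" and e["mfa"] == "none"]


def success_after_failures(events, min_failures=3, window=timedelta(minutes=10)):
    """A success preceded by at least min_failures failures from the same
    (user, source) pair inside the window: the signature of a guessed or
    harvested password finally working."""
    hits = []
    recent_fail = defaultdict(list)  # (user, src) -> timestamps of failures
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["user"], e["src"])
        if e["result"] == "fail":
            recent_fail[key].append(e["ts"])
            continue
        fails = [t for t in recent_fail[key] if e["ts"] - t <= window]
        if len(fails) >= min_failures:
            hits.append({"user": e["user"], "src": e["src"],
                         "failures": len(fails), "ts": e["ts"]})
        recent_fail[key].clear()  # a success resets the failure run
    return hits


def audit(log_text):
    """Run both checks and return findings keyed by check name."""
    events = parse(log_text)
    return {
        "no_mfa": sorted({e["user"] for e in logins_without_mfa(events)}),
        "brute_then_success": success_after_failures(events),
    }


if __name__ == "__main__":
    for finding, items in audit(SAMPLE_LOG).items():
        print(finding, items)
```

On the sample data the first check surfaces both the phished webmail user and a service account that logs in over VPN with no MFA at all; the second check singles out the webmail account whose success arrived 46 seconds after three failures from the same address. Accounts that appear in the first list are the ones the “MFA everywhere” recommendation is aimed at, and service accounts that cannot do MFA are exactly the legacy cases the report says to isolate rather than leave exposed on a remote-access path.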