Recent cyber attacks against Western entities operating in Ukraine aim to disrupt or conduct espionage. CISOs should be wary of such attacks expanding beyond the Ukrainian border.

While acknowledging there are “not currently any specific credible threats to the U.S.,” Anne Neuberger, deputy national security advisor for cyber, continued: “we’ve been working with the private sector, engaging, sharing specific information, requesting that they act to reduce the cybersecurity risk of their organization, and providing very focused advice on how to do so.”

Neuberger was briefing the global media when she made this observation on February 2 as she spoke to the continued presence of Russian cyber threats to Ukraine and beyond. In her briefing, Neuberger was unambiguous: “We’ve been warning for weeks and months, both publicly and privately, that cyberattacks could be part of a broad-based Russian effort to destabilize and further invade Ukraine. The Russians have used cyber as a key component of their force projection over the last decade, including previously in Ukraine, in the 2015 timeframe.”

A sense of urgency to tighten cybersecurity posture

While one may posit Neuberger was sending a message from the Administration that, “We see you, Russia,” via the media, she was also hoping to instill a sense of urgency in CISOs to tighten up their cybersecurity posture. In other words, batten down the hatches. As if on cue, the threat researchers at Unit 42 of Palo Alto Networks published information that they had uncovered targeting of a Western government entity (not further identified) in Ukraine by “Gamaredon” (a.k.a. Armageddon, Primitive Bear, Shuckworm, and ACTINIUM).
By way of background, Gamaredon was identified in November 2021 by the Security Service of Ukraine (SSU) as being led by five Russian Federal Security Service (FSB) officers, operating under the auspices of the FSB Center for Information Security from their offices located in Russia-occupied Crimea. In November, the SSU highlighted how the 5,000 attacks by Gamaredon were initiated with the goals of:

- Garnering control over critical infrastructure facilities (power plants, heat and water supply systems)
- Acquiring data, including theft and collection of intelligence and information with restricted access (related to the security and defense sector and government agencies)
- Gaining informational and psychological influence
- Blocking information systems

The SSU’s “technical report” on Gamaredon details the creation of the group as well as its ascendancy from obscurity to a viable threat to national infrastructure and a credible threat in offensive cyberintelligence actions.

The Unit 42 report highlights the efforts by the Gamaredon group to exploit an open job posting by a Western government entity in Ukraine. The group uploaded an applicant’s resume in Word format. Gamaredon’s gamble was that a payload-laden resume arriving via an “applicant” would not receive the same level of scrutiny that the group’s targeted phishing emails were receiving. The report also references the Estonian CERT report of January 27, 2021, about Gamaredon, which notes that since 2020 the Gamaredon group has been targeting European Union countries using spear-phishing techniques.

Meanwhile, Symantec’s Threat Hunter Team published its own research on January 31, 2022, which notes Shuckworm specializes in “cyber-espionage,” a finding consistent with the SSU’s in November 2021. The Threat Hunter Team’s report provides an interesting case study of Gamaredon’s attack chain, which began with a malicious document.
The timeframe of the case study is July 14 through August 18, 2021.

This was followed shortly thereafter by Microsoft’s Threat Intelligence Center and Digital Security Unit on February 4, which shared information on the threat posed by ACTINIUM, a group that has targeted Ukraine for the past ten years. Their report highlights how this group targets government, military, non-governmental organizations, judiciary, law enforcement, and non-profits. The Microsoft findings mirror those of others, highlighting that the group’s efforts are focused on exfiltrating sensitive information and gaining a foothold for sustained access.

Neuberger concluded that the United States is collaborating with the EU and NATO to “enhance national and alliance resilience in cyberspace.” She emphasized that her efforts and those of the United States are to ensure cyber-related contingency plans are in place to “coordinate and support Ukraine and each other in the event that such incidents occur…. We’ve been working with the private sector, engaging, sharing specific information, requesting that they act to reduce the cybersecurity risk of their organization, and providing very focused advice on how to do so.”

On the heels of the above, and as tensions in Ukraine continue to rise, a joint advisory was issued on February 9 by the cybersecurity authorities in the United States, Australia, and the United Kingdom regarding the increased globalized threat of ransomware (Alert (AA22-040A)). The alert highlights the marked increase of ransomware incidents against 14 of 16 U.S. critical infrastructure sectors.

David Klein, cyber evangelist at Cymulate, commented, “This alert from the various cyber commands should be taken on board by CISOs as a realization that the U.S. offensive and disruptive activity against ransomware criminals has caused some criminal organizations to drift focus away from ‘big game’ targets and to go to easier mid-sized targets.” In the current climate, it is clear that size is not a determinant of being targeted.