Russian Cyber Attack Escalation in Ukraine - What You Need To Know

Agenda
• Welcome and Overview – Rob Lee
• Russia’s Cyber Capabilities – Kevin Holvoet
• Current Russian Cyber Capabilities – Jake Williams
• Critical Infrastructure in Conflict – Tim Conway
• Q&A – Rob Lee and Panel
Russia’s Cyber Capabilities – Kevin Holvoet
Resources: sansurl.com/ukrainecybercrisis
APTs mapped on Russia’s Security & Intelligence Services
Image: https://xorl.wordpress.com/

• Large amount of advanced activity groups
• Attributed to different departments and sections of Russian security & intelligence services
• GRU/FSB use cyber criminal and hacktivist groups
• Sharing of information, tools, guidelines, how-to’s between departments
=> Partners or Competitors?
What have we seen so far?
Important activity groups to track

• Sandworm (GRU): Destructive attacks since at least 2009
• APT28 (GRU): Espionage since 2004
• APT29 (SVR): Espionage since 2008
• DEV-0586: 15 Jan 2022: Destructive attack with WhisperGate Wiper
• Gamaredon: Targets Ukrainian government officials and organizations, aligned with Russian interests. Operates out of Crimea?
• Buhtrap
What have we seen so far?
Cyber Attacks

• DDoS on Government, Military, Financial, Telco
• Destructive wipers: WhisperGate (13 Jan 2022), HermeticWiper (22 Feb 2022)
• Espionage: Ukraine, also internationally
  → CISA Alert (AA22-047A)
• Defacement of websites
• Supply chain attacks (Kitsoft)
• Influence operations / Disinformation using SMS messages, social media, and other media
• BEWARE of False Flag operations!!
MITRE ATT&CK® - Overlap matrix for important APT groups
(Slide shows the ATT&CK technique overlap matrix for the groups above.)
Resources to follow the situation

• CERT-UA: https://cert.gov.ua/articles
• National CERT website, e.g. CISA
  → Alerts: https://www.cisa.gov/uscert/ncas/alerts
  → Known exploited vulnerabilities catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
• SANS Internet Storm Center: https://isc.sans.edu/
• Public media outlets – Follow the geopolitical situation
• MITRE ATT&CK® – Find info on groups, malware, TTPs and possible defences
• CIS Controls: https://www.cisecurity.org/controls/cis-controls-list
Conclusion

• Russia is a powerful cyber actor
• Not afraid to combine different coordinated attacks in cyber space and physically to meet its strategic objectives
• Long-term experience and building offensive cyber capabilities since at least 1996 (Moonlight Maze)
• Uses many different TTPs in their attacks
• Most attacks on Ukraine, but collateral damage threat is real (NotPetya)
• We have to prepare our defenses and share information with the community!!!

Current Russian Cyber Activity – Jake Williams
"Hacktivists" (or Cybercriminals)

• "Free Civilian" has been busy
  → Their dark web site is claiming data of Ukrainian citizens for sale
  → The claim to have sold some data is interesting (though unconfirmed)
• These are large dumps
  → But the data is unconfirmed
  → Expect to see more claims of data dumps
    – Makes Ukraine appear weak
    – Distracts from other ongoing attacks
    – Demonstrates "private actors" are responsible for attacks on Ukrainian infrastructure
Wiper Malware Operationalizes Signed Device Drivers

• Russia has operationalized signed device drivers for wiper malware now on multiple occasions
  → 2015 Ukraine attack on power industry used KillDisk device driver
  → This week's HermeticWiper used drivers from EaseUS Partition Master
• The first observed HermeticWiper sample was compiled on December 28, 2021 and used a stolen digital certificate (now revoked) from Hermetica Digital Ltd
• Another observed sample (61b25d11392172e587d8da3045812a66c3385451) was compiled February 23rd, 2022
  → Russian threat actors are quickly retooling
• If your tooling supports it and you consider yourself high risk for wiper operations, consider preventing the loading of unknown device drivers
Domains Used

• Multiple domains have been operationalized already
• Most are recent registrations

Domain                                                          Registration Date
kfctm[.]online                                                  2022-01-28
my.cloud-file[.]online                                          2021-11-23
my.mondeychamp[.]xyz                                            2021-06-25
files-download.infousa[.]xyz                                    2021-05-14
download.logins[.]online                                        2018-02-08 (created), 2022-02-07 (updated)
surname192.temp.swtest[.]ru                                     2013-12-13 (created), 2022-02-23 (updated)
deer.dentist.coagula[.]online, declaration.deed.coagula[.]online 2021-02-15
Scans/Attacks Against Ukrainian IP Space

• GreyNoise is providing a free feed of IP addresses that are only observed targeting their sensors in Ukrainian IP space
  → These IP addresses may be reused in later operations
• The data is separated into IPs that may be spoofed and those that completed a TCP handshake (not spoofed)
  → Both CSVs and enriched feeds are available
api[.]greynoise[.]io/datashots/ukraine/manifest.json
"Don't Get Maersk'ed"

• Collateral damage from the 2017 NotPetya attacks demonstrated the extent to which unfiltered B2B VPNs connect infrastructure around the world
  → Sadly, the situation has not improved much today
• Any mass-spillover event will rely on automated propagation
• Action items:
  → Inventory your B2B VPNs
  → Block high risk protocols on all B2B VPNs
  → If specific business requirements demand them, limit traffic destinations for high-risk protocols
  → Implement netflow monitoring at all egress points
  → Have contingency plans in place to disconnect B2B VPNs, particularly those that are high risk

High-risk protocols to block on B2B VPNs:
Protocol   TCP Port
SSH        22
MSRPC      135
SMB        139/445
LDAP       389
MSSQL      1433
RDP        3389
WinRM      5985/5986
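The following is an added example, not part of the webcast slides, of how the action items above combine: it audits netflow-style records at an egress point against an assumed B2B VPN inventory, flags the slide's high-risk protocols, honours destination-limited exceptions, and lists the partners a disconnect plan would need to cover. Partner names, address ranges, the exception list and the flow records are all constructed for the example.

```python
from ipaddress import ip_address, ip_network

# TCP ports of the high-risk protocols from the "Don't Get Maersk'ed" slide.
HIGH_RISK_PORTS = {22: "SSH", 135: "MSRPC", 139: "SMB", 445: "SMB", 389: "LDAP",
                   1433: "MSSQL", 3389: "RDP", 5985: "WinRM", 5986: "WinRM"}

# Assumed B2B VPN inventory: constructed partner names, RFC 5737 test ranges.
B2B_VPNS = {"partner-a": ip_network("198.51.100.0/24"),
            "partner-b": ip_network("203.0.113.0/24")}

# Assumed business-justified exceptions as (partner, destination host, port):
# partner-a may reach one MSSQL host and nothing else that is high risk.
ALLOWED = {("partner-a", "10.20.0.15", 1433)}

# Constructed netflow-style export lines: timestamp,src,dst,proto,dport,bytes
SAMPLE_FLOWS = [
    "2022-02-24T10:00:00Z,198.51.100.7,10.20.0.15,tcp,1433,4096",  # approved exception
    "2022-02-24T10:00:05Z,198.51.100.7,10.20.0.44,tcp,445,8192",   # SMB from partner-a
    "2022-02-24T10:00:09Z,203.0.113.9,10.20.0.15,tcp,3389,512",    # RDP from partner-b
    "2022-02-24T10:00:12Z,192.0.2.3,10.20.0.15,tcp,445,256",       # not a B2B VPN range
    "2022-02-24T10:00:15Z,198.51.100.7,10.20.0.44,tcp,443,1000",   # HTTPS, not high risk
]

def partner_for(src):
    """Return the B2B VPN partner whose range contains src, or None if not a VPN peer."""
    addr = ip_address(src)
    return next((name for name, net in B2B_VPNS.items() if addr in net), None)

def audit_flows(lines):
    """Return (partner, src, dst, port, protocol) for every high-risk protocol flow
    that enters over a B2B VPN and is not covered by an approved exception."""
    findings = []
    for line in lines:
        _ts, src, dst, proto, dport, _nbytes = line.split(",")
        dport = int(dport)
        partner = partner_for(src)
        if proto != "tcp" or dport not in HIGH_RISK_PORTS or partner is None:
            continue  # not a high-risk protocol, or not arriving via a B2B VPN
        if (partner, dst, dport) in ALLOWED:
            continue  # destination-limited exception a business requirement justifies
        findings.append((partner, src, dst, dport, HIGH_RISK_PORTS[dport]))
    return findings

def risky_partners(lines):
    """Partners with unapproved high-risk traffic: input for the disconnect contingency plan."""
    return sorted({f[0] for f in audit_flows(lines)})
```

Running audit_flows(SAMPLE_FLOWS) reports the SMB flow from partner-a and the RDP flow from partner-b; the approved MSSQL flow, the non-VPN source and the HTTPS flow are ignored.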
Russian Targeting of US/EU Industry

• Evaluate threats as the intersection of Intent, Opportunity, and Capability
  → Capability: Russian government threat actors have capabilities, but not an infinite supply - every impact burns another capability, they must be used where impact matters
  → Opportunity: we control this, but assume realistic opportunities for impact exist
  → Intent: Russian government operators are REALLY busy right now with important government targets. Hacktivists on the other hand have time to kill
• Use time today to bolster defenses and visibility
• Pro-Russian hacktivists are more likely to target US and EU organizations in the next ~week (maybe more)
(Diagram: overlapping circles labelled Intent, Opportunity, Capability.)
Russian Targeting of US/EU Industry - Likely Targets

• If retaliatory cyberattacks are performed on US/EU industry by the Russian government, they will need to balance the following:
  1. Targets that cause disruption, undermining public support for actions against Russia
  2. Will not be seen as an act of war by the victim
  3. Does not burn capabilities that cannot be easily replaced
  4. Will not limit future intelligence collection against the target
  5. Is not a target Russia will want to impact if US/EU escalates
• The intersection of these points leaves a fairly narrow set of targets to impact
  → While attacks on utilities and hospitals in the US are certainly possible, these both likely violate #2 (and #5 for utilities)

More Likely: Financial Services, Educational Institutions, Retail, State & Local Government, Smaller Federal Agencies
Less Likely: Utilities, Healthcare, Defense Contractors, Transportation

Critical Infrastructure in Conflict – Tim Conway
IT – Information Technology and OT – Operational Technology
IT: Data at rest, data in motion, and data in use
OT: Data that does something in the physical world – kinetic component

Events, Analysis, Lessons Learned
(Slide shows a timeline of events: Estonia, Georgia, Crimea, UKR2015, UKR2016, Election, TRISIS, Chlorine, NotPetya, VPNfilter, Solarwinds, Ukraine; plotted against Confidence, Capabilities and Control.)
2015 Ukraine Attack Summary
Utilities attacked: 3
Customer outages: 225 K
Outage duration: 3.5 hr
Server and workstation damage: 100’s
Field device damage: 10’s
Load impact: 135 MW
Substations impacted: 50

Highly Coordinated and Orchestrated Attack
(Slide shows the attack sequence and pre-work as a timeline with markers at 12 mo, 9 mo, 6 mo, hrs. and min before the event.)

IT Preparation
• Target selection
• Unobservable target mapping
• Malware development and testing

Spear phishing / Attack Launch
• Delivery of phishing email
• Malware launch from infected office documents
• Establish foothold

Hunting and Gathering
• Lateral Movement and Discovery
• Credential Theft and VPN access
• Control system network and host mapping
• Establish Remote connections to operator HMI’s at target locations
• Prepare TDoS dialers

ICS Preparation
• Unobservable malicious firmware development
• Unobservable DMS environment research and familiarization
• Unobservable attack testing and tuning

Attack Position
• Upload additional attack modules - KillDisk
• Schedule KillDisk wipe
• Schedule UPS load outage

Event
• Issue breaker open commands
• Modify field device firmware
• Perform TDoS
• Scheduled UPS and KillDisk

Target Response
• Connection sever
• Manual mode / control inhibit
• Cyber asset restoration
• Electric system restoration
• Constrained operations
• Forensics
• Information sharing
• System hardening and prep

2016 Ukraine Attack Summary
Trans Co. attacked: 1
Customer outages: TBD
Outage duration: 1.25 hr
Server and workstation damage: TBD
Field device damage: TBD
Load impact: 200 MW
Substation(s) impacted: 1
Malware Discovery Associated with Electric Outages
2015 – Malware role: Highly Targeted, Highly Coordinated. Significance: Electric System Impacts
2016 – Malware role: Modular and Customizable

Ukraine Electric System Cyber Events
Year   Substations   Customers                   MW Impact
2015   50+           225K                        135 MW
2016   1             Portion of Capital region   200 MW
Past, Present, and Future
• Ongoing coordinated cyber & physical attacks
• Targeted service outages and equipment damaging attacks
• Positioning, capability validation, effects-based attacks
• Critical Infrastructure impacts enabling invasion and entrenchment

Prepare for ICS damage at scale
Disruption, operations impacts, equipment overwrites and bricking of embedded systems
(Diagram of ICS components: Remote Access, Controllers, Industrial Protocols, Actuators, HMIs, Instruments, Networks, ICS Files, IO, Fieldbus, Industrial Wireless, Converters, Meters.)
Operational Response
System operators are continuously trained to ensure system reliability and to respond in emergencies to recover from outages. The cyber operators who support the underlying technologies need to be trained in this way as well, and operations must be integrated into all phases of the response plan.

Preparation
• Practice IR through exercises
• Train the team

Identification
• Evidence acquisition and analysis
• Information sharing, internal and external

Containment
• Determine where an adversary would need to be to achieve the effect
• Isolate the system or isolate control

Eradication
• Verify the root cause or initial infection point that impacted operations was identified

Recovery
• Regain integrity of control system
• Determine when to restore system control capabilities

Lessons Learned
• What actions were taken to prevent similar attack
• Was information shared effectively

SANS ICS | sans.org/ics
Wrap Up – Tim Conway

What about the Human Side?
• Continue to focus on the fundamentals. While the sense of urgency has changed, how people are targeted has not. Focus your security training and communications on
  → Phishing
  → Passwords
  → Updating
• Let your workforce know that these three steps will go a long way in protecting themselves both at work and at home
• People are scared - keep your communications calm, simple and actionable
Additional Resources
• Resources: sansurl.com/ukrainecybercrisis
• Ongoing & Updated Resources SANS is authoring and distributing for the community during the ongoing crisis

Q&A