Home / About / Threat Intelligence / Security Guidance: Ukraine Russia 2022

Latest Security Guidance: Ukraine-Russia

Thursday 24th February 2022 17:00 (UK Time)

We will update this page with new information as it becomes available from our Security Operations and Threat Intel Teams.

Quorum Cyber are continually monitoring the latest intelligence being presented by the NCSC and CISA regarding potential exploitation vectors which may be utilised by Russian State-Sponsored Threat Actors.

The Threat Actors which are likely to be involved in any offensive cyber operations are:

 – APT28 
 – APT29

In terms of checks which could be undertaken by yourselves, we would recommend that all conditional access policies within your Office365 environment are as tight as they can be, and that legacy authentication has been disabled where possible. There are a number of operational security practices which we recommend are explored:

  • Firstly, the designation of a seemingly random operation name for all activity surrounding this situation. For example, a colour and an animal. All correspondence in relation to the situation should reference the code word, as to prevent any information leakage should communications be intercepted.
  • Secondly, the setup of a trusted and secure 2nd fall back communications method which should be separate from any corporate logins. This would allow you and your teams to continue to communicate should an account become compromised.
  • Thirdly, we would recommend the establishment of a challenge/response phrase or passphrase. This should only be known by the internal team and utilised in all communication to verify the identity of the recipient before any information is divulged.
  • If, for any reason, you find yourself questioning the authenticity/identity of the recipient of a communication, fall back to the secondary communication channel and invoke the challenge/response phrase before initiating further communication.

As dis-information/confusion may be a tactic utilised by threat actors within this situation, ensuring the establishment of a secondary separate communication path will assist in providing assurances only authorised personnel are receiving all communications.

Users within the organisation will understandably be interested with events unfolding within Ukraine. Attackers are likely to leverage user curiosity as a vector for phishing campaigns. Quorum Cyber recommends that organisations remind users to only access news from the official websites of reputable news outlets and exercise caution when receiving emails with documents or links purporting to contain information relevant to the organisation and the Ukraine.

When investigating alerts, it would be prudent to ensure all obscure geographically located IP addresses, and not just ones presenting as Russian. The likelihood is that threat actors will utilise different methods of obfuscating their actual location so that it does not present as Russian in origin.

Quorum Cyber strongly recommends that technical teams ensure that all available software updates have been applied to applications/hardware/operating systems where possible. Threat actors will almost always attempt to exploit the ‘low hanging fruit’ when attempting to gain access to an environment instead of utilising any potential ‘zero-day’ exploits they may be harbouring. Verification that any operational technology (OT) or IoT devices are either restricted from accessing the internet or reside within networks with adequate segmentation to prevent communication to the corporate data VLANs.

From the latest intelligence received it is expected that attacks will likely take the form of DDoS and ‘crypto-locker’; this slightly differs from ransomware as no payment is sought to release the files. It is recommended that offline copies of all sensitive and high priority backups are taken following the 3-2-1 guidance provided by the NCSC (Offline backups in an online world – NCSC.GOV.UK).

Any specific incident response plans (IRP) you hold should also be printed by all identified members of the CSIRT team. This is to ensure your IRPs remain accessible should you be impacted by a crypto-locker or (D)DoS attack.

Quorum Cyber would recommend that fully credentialled network vulnerability scanning is undertaken which includes all internet facing network equipment. This is to ensure that any known vulnerabilities which have been commonly exploited by Russian backed actors are captured and remediated (Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure | CISA).

References

https://www.mandiant.com/resources/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452

https://www.ncsc.gov.uk/news/organisations-urged-to-bolster-defences

https://www.ncsc.gov.uk/guidance/actions-to-take-when-the-cyber-threat-is-heightened

https://www.ncsc.gov.uk/news/uk-organisations-encouraged-to-take-action-around-ukraine-situation