What Every Enterprise Can Learn from Russia’s Cyber Assault on Ukraine

Based on its observations of Russia’s cyber assault on Ukraine, Microsoft has developed these strategic steps for global organizations to take to safeguard their operations.


In January, the Microsoft Threat Intelligence Center (MSTIC) discovered wiper malware in more than a dozen networks in Ukraine. Designed to look like ransomware but lacking a ransom recovery mechanism, we believe this malware was intended to be destructive and designed to render targeted devices inoperable rather than obtain a ransom. We alerted the Ukrainian government and published our findings.

Since then, we have continued working closely with Ukrainian government officials and cybersecurity staff at government organizations and private enterprises to identify and address threat activity against Ukrainian networks. This focused engagement, in combination with our unique view into affected systems, has offered insight into ongoing Russian cyber targets, tactics, and procedures. In the process, we have also discovered new strategies on how to approach network defense in the midst of military conflict.

Based on our observations of Russia’s cyber assault on Ukraine, we’ve developed top strategic recommendations for global organizations.

A brief overview of Russia’s destructive attacks on Ukraine

Microsoft has observed known and suspected Russian nation-state actors use multiple techniques to compromise Ukrainian targets, including phishing campaigns, exploiting unpatched vulnerabilities in on-premises Exchange servers, and compromising upstream IT service providers.

Threat groups with known or suspected ties to the GRU, Russia’s military intelligence service, have also developed and used destructive wiper malware or similarly destructive tools on Ukrainian networks. From February 23 to April 8, 2022, Microsoft saw evidence of nearly 40 discrete destructive attacks that permanently destroyed files in hundreds of systems across dozens of organizations in Ukraine.

More than 40% of the attacks were aimed at organizations in critical infrastructure sectors, and 32% of destructive incidents affected Ukrainian government organizations at the national, regional, and city levels. After each wave of attacks, threat actors modified the malware to better avoid detection. While we cannot observe all ongoing activity in Ukraine, we estimate that there have been at least eight destructive malware families deployed on Ukrainian networks to date — including one tailored to industrial control systems (ICS).

Common Russian intrusion techniques

Throughout our engagement in Ukraine, we’ve observed several common tactics, techniques, and procedures by Russia-aligned cyber operations. These include:

  • Exploiting public-facing applications or spear-phishing with attachments/links for initial access.
  • Stealing credentials and leveraging valid accounts throughout the attack lifecycle, including within Active Directory Domain Services and through virtual private networks (VPNs) or other remote access solutions. This has made “identities” a key intrusion vector.
  • Using valid administration protocols, tools, and methods for lateral movement, relying on compromised administrative identities in particular.
  • Utilizing known publicly available offensive capabilities, sometimes disguising them with actor-specific methods to defeat static signatures.
  • “Living off the land” during system and network discovery, often utilizing native utilities or commands that are non-standard for the environments.
  • Leveraging destructive capabilities that access raw file systems for overwrites or deletions.

In an attempt to proactively counter these attacks, Ukrainian organizations enabled controlled folder access in Microsoft Defender and were able to meaningfully mitigate some of the damage done by destructive wiper malware. Additionally, because our Ukrainian partners were using Microsoft Defender for Endpoint, we were able to observe how endpoint detection and response (EDR) solutions can respond to alerts and remediate intrusions before destructive attacks were launched.

6 ways to safeguard your operations

Based on our observations in Ukraine so far, we recommend taking the following steps to safeguard your organization:

  1. Minimize credential theft and account abuse: Protecting user identities is a critical component of network security. We recommend enabling multi-factor authentication (MFA) and identity detection tools, applying least-privilege access, and securing the most sensitive and privileged accounts and systems.
  2. Secure internet-facing systems and remote access solutions: Ensure your internet-facing systems are updated to the most secure levels, regularly evaluated for vulnerability, and audited for changes to system integrity. Anti-malware solutions and endpoint protection can detect and prevent attackers, while legacy systems should be isolated to prevent them from becoming an entry point for persistent threat actors. Additionally, remote access solutions should require two-factor authentication and be patched to the most secure configuration.
  3. Leverage anti-malware, endpoint detection, and identity protection solutions: Defense-in-depth security solutions combined with trained, capable personnel can empower organizations to identify, detect, and prevent intrusions impacting their business. You can also enable cloud protections to identify and mitigate known and novel network threats at scale.
  4. Enable investigations and recovery: Auditing of key resources can help enable investigations once a threat is detected. You can also prevent delays and decrease dwell time for destructive threat actors by creating and enacting an incident response plan. Ensure your business has a backup strategy that accounts for the risk of destructive actions and is prepared to exercise recovery plans.
  5. Defend against destructive attacks: Leverage features within Microsoft Defender such as Attack Surface Reduction (ASR) and Controlled Folder Access (CFA) to help safeguard your organization against destructive attacks. Based on our observations, these features have been successful in defeating destructive attacks in Ukraine and elsewhere.
  6. Review and implement “best practices” for defense in depth: Whether your environment is cloud-only, or a hybrid enterprise spanning cloud(s) and on-premises data centers, we have developed extensive resources and actionable guidance to help improve your security posture and reduce risk. Microsoft’s security best practices cover governance, risk, compliance, security operations, identity and access management, network security and containment, information protection and storage, applications, and services.
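
The Defender features named in step 5 (Attack Surface Reduction and Controlled Folder Access) are configured through the Defender Antivirus PowerShell cmdlets. The script below is an added illustration, not part of the original article or of any Microsoft guidance: it rolls CFA and three ASR rules out in audit mode first, checks the Defender operational log for what would have been blocked, and only then switches to block mode. The share path and the application path are constructed placeholders; the rule GUIDs are Microsoft's documented ASR rule ids and should be checked against current Defender documentation before use.

```powershell
# Step 1: turn on Controlled Folder Access in audit mode and add the folders that
# a wiper overwriting raw files would most likely hit (constructed example path).
Set-MpPreference -EnableControlledFolderAccess AuditMode
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Shares\Finance'   # placeholder path

# Step 2: ASR rules that map to the intrusion techniques observed in Ukraine.
# Rule ids are Microsoft's documented ASR rule GUIDs (verify against current docs).
$asrRules = @{
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from lsass.exe'   # credential theft
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Use advanced protection against ransomware' # wiper posing as ransomware
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Block execution of potentially obfuscated scripts' # disguised tooling
}
foreach ($id in $asrRules.Keys) {
    # Start in AuditMode so legitimate admin tooling shows up in the log before anything is blocked.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions AuditMode
}

# Step 3: after the audit period, review what would have been blocked.
# Event ids: 1121 = ASR block, 1122 = ASR audit, 1123 = CFA block, 1124 = CFA audit.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122, 1123, 1124
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue
$events | Select-Object TimeCreated, Id, @{n='Detail'; e={ $_.Message.Split("`n")[0] }} |
    Format-Table -AutoSize

# Step 4: allow-list a known-good application that the audit log shows touching
# protected folders (constructed placeholder path), then enforce.
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\BackupAgent\agent.exe'
Set-MpPreference -EnableControlledFolderAccess Enabled
foreach ($id in $asrRules.Keys) {
    Set-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions Enabled
}

# Step 5: confirm the effective configuration on the host.
Get-MpPreference | Select-Object EnableControlledFolderAccess,
    AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions,
    ControlledFolderAccessProtectedFolders
```

In a managed estate the same settings are normally pushed by Intune or Group Policy rather than per host; the audit-then-enforce sequence and the event ids to review stay the same.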

What this means for the global cybersecurity landscape

As the war in Ukraine progresses, threat actors with a vested interest in the conflict will be increasingly pushed to fill critical intelligence gaps and achieve their tactical objectives. We expect to discover new vulnerabilities and attack chains as a result of the ongoing conflict, forcing already well-resourced threat actors to reverse-engineer patches and carry out “N-day attacks” tailored to the underlying vulnerabilities. These new discoveries will likely expand across multiple categories of threat actors.

Additionally, as the conflict persists and countries provide assistance to Ukraine, Russian nation state threat actors may retaliate. Russia-aligned actors active in Ukraine have shown interest in and conducted operations against organizations in the Baltics and Turkey — all member states on NATO’s eastern flank that are actively providing political, humanitarian, or military support to Ukraine. We encourage all organizations that are directly or indirectly associated with the conflict in Ukraine to proactively protect themselves from the threats we’ve observed so far and actively monitor for similar actions in their environment.

Microsoft respects and acknowledges the ongoing efforts of Ukrainian defenders and the unwavering support provided by the national Computer Emergency Response Team of Ukraine (CERT-UA) to protect their networks and maintain service during this challenging time.

For a more detailed timeline of Russia’s cyber assault on Ukraine, explore the full report.


Copyright © 2022 IDG Communications, Inc.