In a recent report issued by the State Service of Special Communications and Information Protection of Ukraine (SSSCIP), titled “Russia’s Cyber Tactics: Lessons Learned in 2022 — SSSCIP analytical report on the year of Russia’s full-scale cyberwar against Ukraine,” readers get a 10,000-foot overview of what a hot cyberwar entails from the Ukrainian perspective.

The SSSCIP report highlights the major targets, the coordination between government advanced persistent threat (APT) groups and “hacktivists,” espionage and influence operations, and the Ukrainian analysis and discoveries.

SSSCIP Deputy Chairman Victor Zhora highlights in his introduction that Ukraine has been both the active testing ground and the target of choice for Russia’s cyber efforts since 2014. He takes an interesting tack by noting that each attacker is a person being directed to achieve a given result, and that the SSSCIP report attempts to include that human context in the observed tactics, techniques, and procedures (TTPs). Zhora notes that Russia has had some success but has not been successful overall, due to the resilience of the Ukrainian defensive methodologies and the assistance of the many partners in defending Ukraine’s cyber landscape.

CISOs should take note of potential spillover from the war

Two of those partners, which have invested heavily both monetarily and technologically, are Microsoft and Google. Both have also recently published pieces providing insight into the Russian cyberwar against Ukraine. When reading these, the CISO (and staff) should be looking to better understand the ramifications of any cyber spillover from the conflict between Russia and Ukraine.

The report notes that the Russian cyberwar is proceeding in lockstep with kinetic efforts directed against the Ukrainian energy sector, a shift that occurred in October 2022. The report also mentions that the purposes of Russian hackers have changed as well, from a large number of attacks aimed at disruption to more precisely targeted spying and data theft. Of every 10 attacks, two or three are focused on the destruction of information and capability, while the rest are focused on the acquisition of information, using spear-phishing as the tool of choice to gain the requisite footholds.

The Gamaredon group of the Russian security service FSB is noted as being particularly active and successful in conducting operational forays into Ukrainian entities and exfiltrating a good deal of information, all of which falls under the “espionage” umbrella. Similarly, the GRU group Unit 74455 has been actively engaged in “wiper” attacks destroying data and capability. Interestingly, detection is happening predominantly at the endpoint level (EDR) rather than at network or email servers.

Russia’s attacks focused heavily on infrastructure

The “most heavily attacked sector in terms of cyberespionage and aggressive operations from adversaries remains Ukraine’s civilian infrastructure, including government institutions and critical infrastructure (energy companies, commercial organizations, logistics companies)” and various government ministries. In addition, the defense organizations — both uniformed and civilian — are also targeted. The focus was “credential-harvesting to gain impersonated and legitimate access through email or VPN without 2FA for collecting data.”

Throughout the second half of 2022, Russia was targeting Security Service of Ukraine (SBU) personnel “to compromise the Signal messenger accounts and leak data and impersonate users.” Similarly, the “Shliakh” system used by Ukrainian border guards was attacked. This system allows the border guards to check the identity of persons entering Ukraine.

The common goals of the Russian activities, even when not acting in a coordinated manner, “were mostly penetrating the energy segment and pursuing intelligence collection and data exfiltration.” Turning off the ability of Ukrainians, both civilian and government, to communicate, and fostering “disorganization, and panic across the civilian population,” is Russia’s goal in targeting the telecom sector. Without the capability to communicate or gain access to the internet, “civilians, as well as military personnel and intelligence officers, can’t coordinate to take action or call for help.”

Refugees are another Russian target

Microsoft, in its posting, pointed out that Russian influence operations were targeting Ukrainian refugees and that “Moscow’s propaganda machine has recently taken aim at Ukrainian refugee populations across Europe, trying to convince them that they could be deported and conscripted into the Ukrainian military.”

Google, meanwhile, noted that attacks on NATO countries “increased over 300% … Russian government-backed attackers targeted users in Ukraine more than any other country. While we see these attackers focus heavily on Ukrainian government and military entities, the campaigns we disrupted also show a strong focus on critical infrastructure, utilities, and public services, and the media and information space.”

Inspiration for CISOs to review their own security

The SSSCIP provides us with some recommendations, based on its experiences, to help thwart and survive the cyberwar experience:

Minimize credential theft — protect the identities of users. Multifactor authentication should be “everywhere,” and organizations should undertake “Active Directory hardening or migrate domain controllers to Azure AD.”

Institute least-privileged access. “Secure access to the most sensitive and privileged accounts and systems.”

Isolate legacy systems so they may not be used as a point of entry. For remote access, multifactor authentication is a must. “Remove or restrict outbound access wherever possible to mitigate egress-based kill chains…. Secure internet-facing systems and remote access solutions.”

Trained and capable individuals coupled with defense-in-depth security solutions “can empower your organization to identify, detect, and prevent intrusions impacting your business. Enabling native cloud workloads protection allows the identification and mitigation of known and novel threats to your network at scale.”

Cyberwar is no longer hypothetical — we are watching one play out as Ukraine defends itself against Russia and Russian-backed organizations. The lessons learned and shared by the Ukrainian SSSCIP are inspiration for CISOs to review their own security protocols and tactics. A thorough read of the SSSCIP report, coupled with those from Google and Microsoft, will provide a plethora of opportunities to go to school off the “lessons learned” by Ukraine.
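Of the recommendations above, “remove or restrict outbound access wherever possible” is the one most organizations leave at its default, because nothing breaks when egress is wide open. As an added illustration that is not part of the SSSCIP report or this article, the Linux nftables ruleset below shows the default-allow output policy beside a default-deny allowlist for a server that has no business initiating arbitrary internet connections. The addresses (resolver 10.0.0.53, update proxy 10.0.0.80), the proxy port and the log prefix are constructed for the example and are not taken from the report.

```nftables
# Added example (not from the SSSCIP report or the article): egress
# restriction on a Linux host with nftables.
# Assumptions, constructed for the example: the internal DNS/NTP host is
# 10.0.0.53 and software updates go through an internal proxy at 10.0.0.80.
# An input chain governing inbound management access is assumed to exist
# and is not shown here.

# --- Weak: the common default. Any process that gains a foothold (for
# example via a spear-phishing attachment) can reach any external host,
# so command-and-control and exfiltration are unconstrained.
#
# table inet filter {
#     chain output {
#         type filter hook output priority 0; policy accept;
#     }
# }

# --- Hardened: default-deny egress with an explicit allowlist.
table inet filter {
    chain output {
        type filter hook output priority 0; policy drop;

        # Loopback traffic and replies on flows the host already accepted
        # (for example, responses to an inbound SSH session).
        oif lo accept
        ct state established,related accept

        # Name resolution only to the internal resolver.
        ip daddr 10.0.0.53 udp dport 53 accept
        ip daddr 10.0.0.53 tcp dport 53 accept

        # Time synchronisation only to the internal NTP host.
        ip daddr 10.0.0.53 udp dport 123 accept

        # Package updates only via the internal proxy (constructed port 3128).
        ip daddr 10.0.0.80 tcp dport 3128 accept

        # Everything else is counted, logged and dropped. The log prefix
        # gives the EDR/SIEM pipeline a single string to alert on, so a
        # blocked outbound attempt becomes a detection rather than a silent
        # failure.
        log prefix "egress-denied: " counter drop
    }
}
```

Load the hardened ruleset with `nft -f <file>` and watch the kernel log for the `egress-denied:` prefix during a burn-in period: every legitimate destination that appears there is a missing allowlist entry, and anything left afterwards is exactly the traffic the recommendation is meant to stop.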