Mitigating, Detecting, and Responding to Russian Cyberactivity

February 23, 2022
Luke Richards
Threat Intelligence Lead

Vectra customers should be aware that current global events related to Russian recognition of separatist regions of Ukraine carry with them the risk of increased cyber activity conducted by Russian state-level actors. This includes evidence that the FSB, the main intelligence organisation in Russia, is responsible for the DDoS against Ukrainian systems in February 2022. [1] Credible concern exists that target selection may expand past regional targets to include, for example, politically or economically useful targets in NATO countries.

This advisory has been generated to proactively communicate to customers that operate in industries or regions under increased risk and highlight the protective capabilities Vectra is providing to manage these risks.

While this advisory is informational in nature, any customers which believe they may be under attack are invited to immediately contact us – we are here to help.

Vectra Protection against Russian APTs

Many APT groups, no matter their origin, follow a similar pattern for attacks. Therefore, based on previous activity from state-level actors, including Russian state-level actors, Vectra customers can expect the following general types of activity if targeted:

  • Compromise Target
  • Reconnaissance of network
  • Establish foothold / persistence
  • Exfiltrate data

To this end, in addition to applicable threat intelligence, Vectra would expect to notify users of the following detections:

Compromise Target

  • Hidden HTTP(S) Tunnel
  • Hidden DNS Tunnel
  • External Remote Access - These detections are linked to known activities of advanced threat actors using known implants such as Cobalt Strike, and also custom implants.

Reconnaissance of Network

  • RPC recon / RPC Targeted Recon
  • Port Scan
  • Internal Darknet scan - Detections like this, paired with the previous category, indicate a host which is surveying the network. RPC reconnaissance and targeted reconnaissance indicate that a threat actor could be mapping high value targets with a tool such as Bloodhound.

Establish Foothold / persistence

  • Suspicious Remote Execution (Schtask / WMI / RPC calls)
  • Privilege Anomaly - As an attacker attempts to use accounts stolen during the initial phase of the attack, they will likely try to use services the account has never used before. This will trigger a privilege anomaly detection showing where the account, host or service falls outside of learned behaviour. Attackers will also use existing methods and channels of communication to spread the implant to other hosts. This may not be the same initial implant; some threat actors have been known to drop WebShells on hosts for access years later.

Exfiltrate Data

  • Data Smuggler
  • Hidden DNS Tunnel - This final step is usually very difficult to spot. Russian high level threat actors such as Turla will sit on the edge of a network and almost passively steal data. This is also common for email threadjacking activity, where an attacker inserts themselves into an email chain to get targets to click on links, open documents, or interact in malicious activity in one way or another.

Microsoft365 and cloud environments

Previous attacks from Russian state actors have utilised the target's online environment. This can take the form of account takeovers through brute forcing, password spraying (using VPNs to ensure default protections do not lock them out), MFA bypass, or phishing, to gain initial access, and once a foothold is established there are many paths for an attacker to take in order to steal information and maintain a foothold.

In May 2021, Russian state actors known as Nobelium compromised cloud environments in Microsoft in order to compromise supply chains. These attacks followed patterns that have also been observed in other compromises of cloud environments by state actors, similar to the following:

  • Abuse of privileged roles
  • Abuse of existing applications
  • Gain Persistence
  • Exfiltrate data

To this end Vectra would expect to notify users of the following detections:

Abuse of privileged roles

  • Azure AD Brute-Force Attempt
  • Azure AD Suspicious Sign On
  • Azure AD MFA-Failed Suspicious Sign On
  • O365 Suspicious Sign-On Activity - This step of the attack can sometimes be the noisiest; however, with a remote workforce, detecting this activity becomes something for which simple log searching is not sufficient. Detect for Cloud will produce the detections listed above to help analysts find the activity.

Abuse of existing applications

  • Azure AD Change to Trusted IP Configuration
  • Azure AD Suspicious Operation
  • O365 Suspicious Teams Application - Applications and service principals that possess valuable access rights are modified with additional secrets, essentially creating a "backdoor" that attackers use to perform privileged actions on behalf of those applications.

Gain persistence

  • Azure AD Newly Created Admin Account
  • Azure AD Redundant Access Creation
  • Azure AD Suspicious Operation
  • Azure AD Unusual Scripting Engine Usage
  • O365 Internal Spearphishing
  • O365 Suspicious Exchange Transport Rule
  • O365 Suspicious Mail Forwarding
  • O365 Suspicious Mailbox Manipulation - There are many ways to gain persistence in a cloud environment. Many detections in Detect for Cloud are built to find this activity, ranging from accounts being created in Azure AD to the installation of transport rules, which can redirect email or, in previous attacks, have been used as a command and control implant [1].

Exfiltrate data

  • O365 Risky Exchange Operation
  • O365 Suspicious Download Activity
  • O365 Suspicious Mail Forwarding
  • O365 Suspicious Mailbox Manipulation
  • O365 Suspicious Sharing Activity - During this stage, along with the opening up of sharing rights to non-local destinations, target mailbox permissions are modified to give another user (controlled by the attacker) read access to the target's e-mail, followed by periodic e-mail exfiltration.
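The persistence and exfiltration steps above (external mail forwarding, transport rules that copy or redirect mail, and delegated mailbox permissions) leave a trail in Exchange audit records. The following Python is an added example and not Vectra's code; the tenant domain list and the audit records are constructed assumptions shaped like Unified Audit Log entries, not exported logs.

```python
"""Triage Exchange Online audit records for mailbox persistence/exfiltration
setups: forwarding to external addresses (inbox rules, Set-Mailbox, transport
rules) and delegated mailbox access. Added example; records are constructed."""

INTERNAL_DOMAINS = {"example.com"}  # assumption: the tenant's own mail domains

# Constructed sample records mimicking the Operation/Parameters shape that
# Exchange audit logging emits (not real tenant data).
SAMPLE_LOG = [
    {"UserId": "alice@example.com", "Operation": "New-InboxRule",
     "Parameters": [{"Name": "ForwardTo", "Value": "collector@external-mail.test"}]},
    {"UserId": "bob@example.com", "Operation": "New-InboxRule",
     "Parameters": [{"Name": "MoveToFolder", "Value": "Archive"}]},
    {"UserId": "admin@example.com", "Operation": "Add-MailboxPermission",
     "Parameters": [{"Name": "Identity", "Value": "ceo@example.com"},
                    {"Name": "User", "Value": "contractor@example.com"},
                    {"Name": "AccessRights", "Value": "FullAccess"}]},
    {"UserId": "admin@example.com", "Operation": "New-TransportRule",
     "Parameters": [{"Name": "BlindCopyTo", "Value": "drop@external-mail.test"}]},
    {"UserId": "carol@example.com", "Operation": "Set-Mailbox",
     "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:carol@example.com"}]},
]

# Cmdlet parameters that cause mail to leave the mailbox, and the cmdlets to watch.
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress",
                  "RedirectMessageTo", "BlindCopyTo"}
WATCHED_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox",
               "New-TransportRule", "Set-TransportRule", "Add-MailboxPermission"}

def is_external(address):
    """True when the address (optionally 'smtp:'-prefixed) is outside the tenant."""
    addr = address.lower()
    addr = addr[5:] if addr.startswith("smtp:") else addr
    return "@" in addr and addr.rsplit("@", 1)[1] not in INTERNAL_DOMAINS

def classify(record):
    """Return a finding label for one audit record, or None if nothing suspicious."""
    if record["Operation"] not in WATCHED_OPS:
        return None
    params = {p["Name"]: p["Value"] for p in record.get("Parameters", [])}
    if record["Operation"] == "Add-MailboxPermission":
        rights = params.get("AccessRights", "")
        if "FullAccess" in rights or "ReadPermission" in rights:
            return "delegated-mailbox-access"
    for name in sorted(FORWARD_PARAMS & params.keys()):
        if is_external(params[name]):
            return "external-forwarding"
    return None

def scan(records):
    """Return (actor, operation, label) for each record that warrants review."""
    return [(r["UserId"], r["Operation"], lbl) for r in records if (lbl := classify(r))]
```

Forwarding to an address inside the tenant (Carol's record) is deliberately not flagged, so a real deployment would tune INTERNAL_DOMAINS and add the delegate's identity to the finding for analyst follow-up.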

This list is not a complete list of all attacks expected in a cloud attack; attackers use a diverse range of tactics in the target rich environment of the cloud. Future blogs from Vectra Security Research will outline more of the expected behaviours. Those above were obtained through observations of Russian state-level actors during active compromise.

What History Tells us

Russian threat actors operate across all levels of complexity and strategy against organisations. For example, not only do DDoS attacks pose a threat from groups such as the FSB and others, but groups such as Turla (Snake, Venomous Bear, Uroburos) also operate on the fringes of a network, with novel and highly advanced techniques and malware.

Tangible examples of recent Russian state actor activities include the SolarFlare / SUNBURST attacks of 2020, where Russian state operators Nobelium (Cozy Bear, APT29) compromised SolarWinds infrastructure and code deployment mechanisms. Additionally, this group compromised O365 infrastructure with very low-profile, stealthy approaches, using stolen O365 credentials to move laterally and remain hidden whilst stealing large amounts of customer data, performing reconnaissance, and preparing for their next stages of attack.

However, Russia will not be the only party involved in global cyber-attacks. For example, after the 2014 annexation of Crimea, many threat actors used the event as a pretext for lures inside malicious documents and emails to compromise organisations for ends entirely unrelated to Russian state-level objectives.

The Bottom Line

Vectra protects against all levels of threat, ranging from network attacks and command and control traffic, right up to account takeovers and malicious Microsoft Office 365 activity. Customers of Vectra’s Managed Detection and Response service (Sidekick) are further protected by Spot Priority, meaning Vectra analysts will immediately be notified of hosts showing activity related to Russian APT threat actors.

Additionally, Vectra has Threat Intelligence built in, meaning that for any host with detections, if there is communication with known attacker infrastructure, a detection outlining the activity will be added to the host’s container.

While heightened risks from specific threat actors are important to acknowledge, Vectra looks for behaviours common to all threat actors, meaning no matter which attacker targets your organisation, Vectra will help you rapidly identify and expel them before damage has been done.

--

[1] https://www.gov.uk/government/news/uk-assess-russian-involvement-in-cyber-attacks-on-ukraine

[2] https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf

[3] https://www.fireeye.com/content/dam/collateral/en/wp-m-unc2452.pdf - source not available anymore

[4] https://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks/

[5] https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/

[6] https://www.mandiant.com/resources/insights-into-office-365-attacks-and-how-managed-defense-investigates