Vectra customers should be aware that current global events related to Russian recognition of separatist regions of Ukraine carry with them the risk of increased cyber activity by Russian state-level actors. The distributed denial of service (DDoS) attacks against Ukrainian government and banking systems in February 2022 have been publicly attributed by the UK and US governments to Russian military intelligence (the GRU). Credible concern exists that target selection may expand beyond regional targets to include, for example, politically or economically useful targets in NATO countries.
This advisory is intended to proactively inform customers that operate in industries or regions under increased risk, and to highlight the detection capabilities Vectra provides to manage these risks.
While this advisory is informational in nature, any customer who believes they may be under attack is invited to contact us immediately; we are here to help.
Many APT groups, no matter their origin, follow a similar pattern of attack. Based on previous activity from state-level actors, including Russian state-level actors, Vectra customers that are targeted can expect the following general types of activity, and, in addition to applicable threat intelligence, Vectra would expect to notify users of the following detections:
Reconnaissance of Network
Establish foothold / persistence
Previous attacks by Russian state actors have started from the target's own online environment. Initial access is gained through account takeover: brute forcing, password spraying (a few common passwords tried against many accounts, staying below per-account lockout thresholds, with source addresses rotated through VPNs to evade IP-based blocking), MFA bypass, or phishing. Once a foothold is established there are many paths an attacker can take to steal information and maintain that foothold.
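The spraying pattern described above is easy to miss with a per-account lockout policy, because no single account ever reaches the threshold. The following is an added example (not Vectra code, and not a Vectra detection) showing the difference in detection logic between a brute force and a spray over a constructed sign-in log. The log format, the account names, the IP addresses and the thresholds (a lockout at 5 failures, a spray flagged at 5 or more distinct accounts in a 10-minute window) are all assumptions for the example.

```python
"""Distinguish a password spray from a brute-force attempt in sign-in logs.

Added example, not Vectra's code. The log format is constructed for the
example and the thresholds are assumptions: a per-account lockout at 5
failures, and a spray flagged when 5+ distinct accounts fail inside one
10-minute window while no single account reaches the lockout threshold.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5    # assumed per-account lockout policy
SPRAY_MIN_ACCOUNTS = 5   # assumed: distinct accounts failing in one window
WINDOW = timedelta(minutes=10)

# Constructed sample log, "timestamp,user,src_ip,result".
# 09:00-09:03: a spray rotating across three VPN exit IPs, two failures per
# account, so no account ever reaches the lockout threshold.
# 09:06: the spray finds a valid password for "frank".
# 09:15: a classic brute force against "bob" from a single IP.
SAMPLE_LOG = """\
2022-02-24T09:00:01,alice,203.0.113.10,FAIL
2022-02-24T09:00:05,carol,203.0.113.10,FAIL
2022-02-24T09:00:09,dave,203.0.113.10,FAIL
2022-02-24T09:00:14,erin,198.51.100.7,FAIL
2022-02-24T09:00:18,frank,198.51.100.7,FAIL
2022-02-24T09:00:22,grace,198.51.100.7,FAIL
2022-02-24T09:03:01,alice,192.0.2.33,FAIL
2022-02-24T09:03:05,carol,192.0.2.33,FAIL
2022-02-24T09:03:09,dave,192.0.2.33,FAIL
2022-02-24T09:03:14,erin,203.0.113.10,FAIL
2022-02-24T09:03:18,frank,203.0.113.10,FAIL
2022-02-24T09:03:22,grace,203.0.113.10,FAIL
2022-02-24T09:06:40,frank,192.0.2.33,SUCCESS
2022-02-24T09:15:00,bob,198.51.100.99,FAIL
2022-02-24T09:15:02,bob,198.51.100.99,FAIL
2022-02-24T09:15:04,bob,198.51.100.99,FAIL
2022-02-24T09:15:06,bob,198.51.100.99,FAIL
2022-02-24T09:15:08,bob,198.51.100.99,FAIL
2022-02-24T09:15:10,bob,198.51.100.99,FAIL
"""


def parse_log(text):
    """Parse the constructed CSV format into sorted (time, user, src_ip, result) tuples."""
    rows = (line.split(",") for line in text.strip().splitlines())
    return sorted((datetime.fromisoformat(ts), u, ip, r) for ts, u, ip, r in rows)


def brute_force_accounts(events, threshold=LOCKOUT_THRESHOLD, window=WINDOW):
    """Accounts reaching the lockout threshold inside one window: the case a
    default per-account lockout policy already handles."""
    per_user = defaultdict(list)
    for t, user, _, result in events:
        if result == "FAIL":
            per_user[user].append(t)
    hits = set()
    for user, times in per_user.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] >= window:
                start += 1
            if end - start + 1 >= threshold:
                hits.add(user)
                break
    return hits


def detect_spray(events, min_accounts=SPRAY_MIN_ACCOUNTS,
                 lockout=LOCKOUT_THRESHOLD, window=WINDOW):
    """Sliding window over failures. Many distinct accounts, each below the
    lockout threshold, is the signature a per-account policy cannot see.
    Returns the matching window with the most accounts, or None."""
    fails = [(t, u, ip) for t, u, ip, r in events if r == "FAIL"]
    best, start = None, 0
    for end in range(len(fails)):
        while fails[end][0] - fails[start][0] >= window:
            start += 1
        chunk = fails[start:end + 1]
        per_user = Counter(u for _, u, _ in chunk)
        if len(per_user) >= min_accounts and max(per_user.values()) < lockout:
            if best is None or len(per_user) >= len(best["accounts"]):
                best = {
                    "window_start": fails[start][0],
                    "accounts": sorted(per_user),
                    "source_ips": sorted({ip for _, _, ip in chunk}),
                    "max_failures_per_account": max(per_user.values()),
                }
    return best


def spray_successes(events, spray):
    """Accounts in the spray set that later authenticated successfully: the
    likely takeovers to act on first."""
    if spray is None:
        return set()
    targeted = set(spray["accounts"])
    return {u for t, u, _, r in events
            if r == "SUCCESS" and u in targeted and t >= spray["window_start"]}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(brute_force_accounts(evs), detect_spray(evs), spray_successes(evs, detect_spray(evs)))
```

On the sample, the lockout-style rule only catches "bob"; the spray rule reports six accounts hit from three source addresses with at most two failures each, and the success for "frank" inside that window is the account to reset first. In practice the spray window and account count should be tuned against your own failure baseline, and source IPs should be enriched with VPN and hosting-provider tags, since the rotation itself is part of the signal.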
In May 2021, Microsoft reported that the Russian state actor tracked as Nobelium had taken over a legitimate email-marketing provider's customer account and used it to send phishing to thousands of organisations, reaching victims through a trusted supplier rather than directly. The cloud-side activity in these intrusions follows patterns also observed in other state-actor compromises of cloud environments, and Vectra would expect to notify users of the following detections:
Abuse of privileged roles
Abuse of existing applications
This list is not a complete list of the attacks expected in a cloud compromise; attackers use a diverse range of tactics in the target-rich environment of the cloud. Future blogs from Vectra Security Research will outline more of the expected behaviours; those above come from observations of Russian state-level actors during active compromises.
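The two detections listed above, abuse of privileged roles and abuse of existing applications, expressed as rules over a constructed cloud audit trail. This is an added example, not Vectra's detection logic. The event schema, the account and application names, the IP addresses, the role names and the baseline sets (KNOWN_ADMINS, APP_OWNERS, APP_BASELINE_IPS) are all assumptions for the example, and the scenario (a credential added to an existing application by a newly privileged account, followed by that application signing in from an address it has never used) is one illustrative form of these behaviours, not the only one.

```python
"""Rules for two cloud detections over a constructed audit trail: abuse of
privileged roles and abuse of existing applications.

Added example, not Vectra's detection logic. The event schema and every
name in it (accounts, application, IPs, roles) are constructed; KNOWN_ADMINS,
APP_OWNERS and APP_BASELINE_IPS stand in for baselines a real deployment
would learn from history.
"""
from datetime import datetime, timedelta

PRIVILEGED_ROLES = {"Global Administrator", "Application Administrator"}
KNOWN_ADMINS = {"it-admin"}                               # assumed prior role holders
APP_OWNERS = {"mail-archiver": {"it-admin"}}             # assumed app -> owning accounts
APP_BASELINE_IPS = {"mail-archiver": {"203.0.113.5"}}    # assumed usual sign-in addresses
CHAIN_WINDOW = timedelta(hours=1)

# Constructed audit trail: (time, actor, action, target, detail).
# 09:30-09:45 is routine owner activity. From 10:00 a compromised admin
# grants a helpdesk account a privileged role, that account adds a secret
# to an existing mail-reading app, and the app then signs in from a new IP.
EVENTS = [
    ("2022-02-24T09:30:00", "it-admin", "AppCredentialAdded", "mail-archiver", "secret"),
    ("2022-02-24T09:45:00", "mail-archiver", "AppSignIn", "mail-archiver", "203.0.113.5"),
    ("2022-02-24T10:00:00", "it-admin", "RoleAssigned", "helpdesk-jo", "Application Administrator"),
    ("2022-02-24T10:04:00", "helpdesk-jo", "AppCredentialAdded", "mail-archiver", "secret"),
    ("2022-02-24T10:09:00", "mail-archiver", "AppSignIn", "mail-archiver", "198.51.100.7"),
    ("2022-02-24T10:12:00", "mail-archiver", "MailRead", "all-mailboxes", "198.51.100.7"),
]


def load(events):
    """Parse timestamps and order the constructed events by time."""
    return sorted((datetime.fromisoformat(t), a, act, tgt, d) for t, a, act, tgt, d in events)


def privileged_role_findings(events, known_admins=KNOWN_ADMINS, window=CHAIN_WINDOW):
    """A privileged role landing on an account with no privileged history,
    and any sensitive control-plane action that account takes soon after."""
    findings = []
    newly_privileged = {}  # account -> time the role was granted
    for t, actor, action, target, detail in events:
        if action == "RoleAssigned" and detail in PRIVILEGED_ROLES and target not in known_admins:
            newly_privileged[target] = t
            findings.append(("PRIV_ROLE_NEW_HOLDER", target, f"{detail} granted by {actor}"))
        elif (actor in newly_privileged and t - newly_privileged[actor] <= window
              and action in {"AppCredentialAdded", "RoleAssigned"}):
            findings.append(("PRIV_ROLE_USED_QUICKLY", actor, f"{action} on {target}"))
    return findings


def existing_app_findings(events, owners=APP_OWNERS, baseline=APP_BASELINE_IPS,
                          window=CHAIN_WINDOW):
    """A credential added to an existing app by someone outside its owners,
    then the app authenticating from an address it has never used."""
    findings = []
    tainted = {}  # app -> time a non-owner added a credential
    for t, actor, action, target, detail in events:
        if action == "AppCredentialAdded" and actor not in owners.get(target, set()):
            tainted[target] = t
            findings.append(("APP_CRED_ADDED_BY_NON_OWNER", target, f"by {actor}"))
        elif (action == "AppSignIn" and target in tainted and t - tainted[target] <= window
              and detail not in baseline.get(target, set())):
            findings.append(("APP_SIGNIN_NEW_IP_AFTER_CRED", target, f"from {detail}"))
    return findings


def run_all(events=EVENTS):
    """Run both rule sets over the trail and return findings in time order of detection."""
    evs = load(events)
    return privileged_role_findings(evs) + existing_app_findings(evs)


if __name__ == "__main__":
    for rule, subject, detail in run_all():
        print(f"{rule:30} {subject:15} {detail}")
```

The owner's own secret rotation at 09:30 and the application's routine sign-in at 09:45 produce nothing; the four findings that follow chain a single newly privileged account to a credential on an application that then authenticates from a new address. Keyed on the application name, the two rule sets can be joined into one incident rather than four separate alerts.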
Russian threat actors operate at every level of complexity and strategy against organisations, from the DDoS attacks attributed to Russian intelligence services, to groups such as Turla (also tracked as Snake, Venomous Bear and Uroburos), which operate quietly at the edges of a network with novel and highly advanced techniques and malware.
Tangible examples of recent Russian state actor activity include the SolarWinds / SUNBURST supply-chain attack of 2020, in which Nobelium (also tracked as Cozy Bear and APT29) compromised SolarWinds' build and code-deployment mechanisms to ship a backdoor inside signed Orion updates. In victim environments the same group then used stolen Office 365 credentials and a deliberately low-and-slow approach to move laterally, read large amounts of customer data, perform reconnaissance and prepare for later stages of the attack, all while remaining hidden.
However, Russia will not be the only party involved in global cyber-attacks. For example, after the 2014 annexation of Crimea, many threat actors used the event as a pretext for lures in malicious documents and emails, compromising organisations for ends entirely unrelated to Russian state-level objectives.
Vectra covers the full range of these behaviours, from network attacks and command and control traffic through to account takeovers and malicious Microsoft Office 365 activity. Customers of Vectra’s Managed Detection and Response service (Sidekick) are further protected by Spot Priority, meaning Vectra analysts will immediately be notified of hosts showing activity associated with Russian APT threat actors.
Additionally, Vectra has threat intelligence built in: for any host with detections, if that host communicates with known attacker infrastructure, a detection describing the activity is added to the host’s container.
While heightened risks from specific threat actors are important to acknowledge, Vectra looks for behaviours common to all threat actors, meaning no matter which attacker targets your organisation, Vectra will help you rapidly identify and expel them before damage has been done.