A Cyber Threat Analysis Of The Russia-Ukraine Conflict

Ankura Consulting Group LLC


Ankura Consulting Group, LLC is an independent global expert services and advisory firm that delivers end-to-end solutions to help clients at critical inflection points related to conflict, crisis, performance, risk, strategy, and transformation. Ankura consists of more than 1,800 professionals and has served 3,000+ clients across 55 countries. Collaborative lateral thinking, hard-earned experience, and multidisciplinary capabilities drive results, and Ankura is unrivalled in its ability to assist clients to Protect, Create, and Recover Value. For more information, please visit ankura.com.

The Ankura Cyber Threat Investigations & Expert Services (CTIX) team conducted a technical analysis of historical and ongoing adversarial activity associated with the current Ukrainian/Russian conflict. In doing so, the CTIX team leveraged proprietary sources of threat intelligence which were then enhanced with additional data points collected from various open and closed sources. This report showcases identifiable cybersecurity risks at the center of the Ukraine-Russia conflict and corresponding actionable threat intelligence.

Several of the most pertinent findings include:

  • It is evident that Russia has been employing cyberattacks as a key strategy in the invasion of Ukraine, including destructive malware, Distributed Denial-of-Service (DDoS) attacks, and misinformation tactics
  • Key threat actor groups are actively executing cyberattacks on behalf of Russia, or at the very least sympathize with Russian endeavors, including Conti, the Sandworm Team, Ghostwriter, Energetic Bear, and Primitive Bear
  • Techniques that will likely be used by Russian threat actors in the future include ransomware, DDoS, wiper malware, phishing, and cyber-espionage
  • Malware that has been deployed and will likely be leveraged by Russian threat actors in the future includes WhisperGate, HermeticWiper, Pterodo, Cyclops Blink, and SaintBot
  • The widespread Log4j vulnerabilities that wreaked havoc on organizations throughout 2021 were likely exploited by Russian threat actors before the invasion began, and the footholds gained will likely be used to advantage in retaliatory attacks against Ukraine and its allies in the future
  • It is difficult to predict how Russian attacks in the future might ensue; however, ransomware attacks will likely increase with a high possibility of cyberattacks targeting critical infrastructure of Russian adversaries

The report below includes a more comprehensive review of all medium/high confidence intelligence collected and analyzed by CTIX analysts. It is important to keep in mind that this conflict is extremely dynamic, and new developments are being identified in real-time. The Ankura CTIX team will continue to monitor this crisis and all of the actors involved to provide as much perspective as possible.

Recommended Hardening Techniques

Below, CTIX analysts have documented actionable steps that organizations around the world should implement to harden their cyber resilience in the face of a heightened and ever-evolving cyber threat landscape.

[Image: table of recommended hardening steps, not reproduced in text]

For our full analysis of the cyber activity involved in the Russia-Ukraine conflict, please click here.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
