What Every Enterprise Can Learn From Russia’s Cyber Assault on Ukraine

Microsoft’s research team has been monitoring cyber-attack activity between Russia and Ukraine during the Russian invasion. In an article posted by Dark Reading, Microsoft’s team highlights the intrusion techniques observed from Russia’s cyber military. They are the following:

Common Russian Intrusion Techniques

Russia-aligned cyber operations have deployed several common tactics, techniques, and procedures. These include:

  • Exploiting public-facing applications or spear-phishing with attachments/links for initial access.
  • Stealing credentials and leveraging valid accounts throughout the attack life cycle, including within Active Directory Domain Services and through virtual private networks (VPNs) or other remote access solutions. This has made identities a key intrusion vector.
  • Using valid administration protocols, tools, and methods for lateral movement, relying on compromised administrative identities in particular.
  • Utilizing known, publicly available offensive capabilities, sometimes disguising them with actor-specific methods to defeat static signatures.
  • “Living off the land” during system and network discovery, often using native utilities or commands that are nonstandard for the environments.
  • Leveraging destructive capabilities that access raw file systems for overwrites or deletions.

The article also provides a list of things your organization should consider implementing as defenses against the techniques used by Russia. Most are expected recommendations, such as implementing multifactor authentication and ensuring a strong web defense capability exists for all assets.

You can find the article HERE or at What Every Enterprise Can Learn From Russia’s Cyber Assault on Ukraine (darkreading.com). Check it out.
