Explaining Russian Cyberattacks on Ukraine
September 08, 2025
Introduction
Malicious actors from Russia’s military have been running a campaign against Western technology companies since 2022. They target companies involved in providing foreign assistance to Ukraine, and NATO nations are their primary targets.
These actors will use any means necessary, such as password sprays, spear-phishing, exploiting VPN vulnerabilities, and exploiting Microsoft Exchange mailbox configurations, to cause damage or gather intelligence.
Analysis
Russia attacks NATO nations providing Ukraine with aid. Any aid given to Ukraine, ranging from air traffic management to just general IT services, can make you a target of Russia. They are even going as far as targeting cameras located at the Ukrainian border to track how many supplies are going into Ukraine.
They gain a foothold within these networks through various methods. These methods include fake login pages resembling government agencies and cloud email providers. Most likely, an enticing or seemingly urgent phishing email is sent, prompting users to input their credentials into the fake landing page.
These phishing campaigns also deliver malware when the recipient interacts with the phishing email. Other techniques include exploiting Outlook vulnerabilities and even VPN vulnerabilities. As you can see, there are plenty of attack vectors one can utilize, but there are also numerous ways to protect oneself.
Reconnaissance and Prevention
Russia is also performing reconnaissance to scour the web for potential Microsoft 365 users to perform brute force attacks against. Reconnaissance from malicious actors can include harvesting emails and phone numbers from your organization to attempt to gain access to your environment.
Once email addresses and phone numbers pertaining to your organization are identified, your attack surface increases, and bad actors may take advantage of it. Any information you have online may be used against your organization by foreign actors to inflict whatever damage they can manage on your organization.
TraceSecurity does offer public information gathering as a part of our External Penetration Testing service to help identify usernames or phone numbers that are currently online and available to malicious actors. TraceSecurity also offers phishing and vishing services to simulate what a bad actor can do with obtained email addresses or phone numbers.
These phishing and vishing services can also be used as active training exercises that help users develop the discipline of not falling for phishing emails or complying with a bad actor's request over the phone. Even custom phishing or vishing templates can be used to better fit your organization’s environment. TraceSecurity also offers configuration reviews for Microsoft 365 and VPNs to help ensure you are following the best security practices.
Conclusion
While Russia’s primary targets for these attacks are NATO nations, it is important to recognize that other bad actors also use these real-world methods to compromise organizations across the globe. Having trained personnel to identify whenever a phishing or vishing attack is occurring can stop an attacker in their tracks.
Having the proper configurations on Microsoft 365 and your VPN can also help harden your environment. It’s crucial to stay apprised of current threats and vulnerabilities of this ever-changing cybersecurity landscape before they are weaponized against your organization.
Thomas Chustz, Information Security Analyst
Thomas started at TraceSecurity as a part of the Atlas team of associate information security analysts, performing remote social engineering and penetration tests. Now, as a full-time ISA, he has started performing some of our risk assessment and IT security audit services. Thomas earned a Bachelor of Science in Psychology from Louisiana State University and is currently working toward his Security+ certification.