top of page

First lessons learnt related to Cyber Offensive actions led by Russia against Ukraine – How sh


Known recent cyberattacks originating from Russia include the following. Despite the fact that there is no magic way to increase in a very short period of time the level of Cyber Protection of a company, here are my (non-exhaustive) thoughts related to how you should protect against these threats or at least strengthen your cyber-posture.

  1. Distributed Denial Of Service (DDoS) attacks,

  2. Mainly observed against military, gov, media and banking critical services by Russia

  3. To prevent or mitigate such threats, you should consider:

  4. shutting down any server/service that is not necessary

  5. implementing network anti DDoS systems (eg: Arbor DDoS Protection Solutions (NETSCOUT), KONA Site Defender) for your critical services (that must be identified)

  6. contacting your telco operator to prepare an adhoc reaction procedure to a DDoS attack

  7. Website defacements

  8. Mainly against gov sites

  9. Probably coming from APT (Advanced Persistant Threat) UNC1151, with similar weapons than APT29 Russian state-sponsored group

  10. To prevent or mitigate such threats, you should consider:

  11. Ensuring that you have a full inventory of your websites (eg: Cycognito, Uncovery, Palo Alto Cortex Xpanse)

  12. Checking that they don’t have any [critical] vulnerability (eg: using a vulnerability scanner such as Rapid7 Insight VM)

  13. Filtering traffic at network level using regular or application firewalls – WAF (eg: Checkpoint, Palo Alto)

  14. Fixing all such vulnerabilities or deactivating related services temporarily, otherwise consider virtual patch management solutions for limited periods of time (eg: TrendMicro)

  15. Activating 2 (or multi) factor (2FA/MFA) authentication to prevent unauthorized accesses to your systems from Internet

  16. Activating mechanisms to automatically ban sources that have failed to authenticate several times

  17. Fraudulent messaging

  18. SMS phishing (Smishing), typically pretending that there was a bank issue to trap target users

  19. To prevent or mitigate such threats, you should consider:

  20. Increasing the awareness programs of your users (eg: KnowBe4 service). Inform them in particular about attempts to steal their credentials using phishing websites or alike

  21. Implementing or reviewing the configuration of your Anti SPAM systems (eg: CISCO IronPort, Barracuda Networks)

  22. Malware attacks

  23. Known code names are WhisperGate & Hermetic Wiper. Both aim at destroying files/filesystems, as opposed to ransomwares for which data access recovery is possible

  24. Mainly against gov, communications, non profit organizations, e-services for citizens, IT organizations

  25. To prevent or mitigate such threats, you should consider:

  26. Implementing robust cloud proxy (in particular isolation techniques, such as Menlo Security) and Cloud Application Security Broker – CASB solutions (eg: NetSkope CASB, Microsoft CASB, etc.)

  27. Implementing best in class Endpoint Detection & Response – EDR (eg: Cybereason, Mandiant) in a Managed Service mode (unless you’re lucky to have the proper internal ressources to manage it)

  28. Making sure that such Managed Detection and Response – MDR or EDR and other CyberSecurity solutions are fed with all necessary Indices of Compromise (IoCs), that you either get from free (open) or commercial sources (eg: Recorded Future). To manage these IoCs, you may consider using a Threat Intelligence Platform (eg: Threat Quotient, Anomali), but I also strongly encourage you to contact us at CIX-A, to join our European Alliance of CISOs again hackers and other threats!

  29. Contracting with a Rapid Reaction Force supplier to react to any major cyber-attack (eg: Cybereason Incident Response)

  30. Generating off-line backups of your most critical systems and data and ensuring that you have properly documented how to restore them (or even already performed successful drills)

  31. And of course updating your systems (cyber-hygiene) as often as possible, don’t forget to reboot them immediately when necessary

In addition to all of the above, you’ll need to :

  1. closely collect, consolidate and monitor your logs (eg: Elastic Cloud, Rapid7 Insight IDR)

  2. request your partners and suppliers to inform you immediately in case of detection of a proven cyber incident on their assets

  3. and be ready to react to detected incidents, be them suspicious or proven.

  4. To do so, numerous companies offer a Security Operation Center (SOC) service or Incident Response ressources that are worth considering. If you already contracted such service, consider increasing its level of vigilance on your known critical assets

  5. You may also prepare to segment your network, to confine any detected attack. To do so, you’ll need a proper inventory of your business critical assets

  6. Again, here, I also encourage you to join CIX-A, as we share technical critical and actionable information (including various cheat sheets, and IoCs) to respond to cyber-attacks!

Here are some interesting / relevant URLs that are worth mentioning:

  1. European CERT

  2. UK NCSC

  3. US CISA

  4. Specific advisory

  5. Palo Alto’s Unit42 page on Gamaredon Group (aka Primitive Bear), one of the most active existing Advanced Persistent Threats (APT) group targeting Ukraine

Bình luận


bottom of page