Why are Russian hackers targeting critical infrastructure?
Russian hackers have a long history of participating in political and military conflicts in Eastern Europe and consistently carry out espionage operations around the world in support of Russian interests. [3] These attacks represent a growing category of hacks intended to sabotage critical infrastructure.
How do I locate possible ransomware activity?
To locate possible ransomware activity, run the following queries. Use this query to look for processes executing in PerfLogs, a common path used to place ransomware payloads.
How does the Blackcat ransomware attack work?
The malware can also identify whether a user has domain admin privileges, thus increasing its capability of ransoming more devices. BlackCat discovers all servers that are connected to a network. The process first broadcasts NetBIOS Name Service (NBNS) messages to check for these additional devices.
How do nation-states conduct cyberattacks?
Nation-states have the resources and the intelligence available to conduct multilayered and well-orchestrated attacks over long periods of time. The evolving security threats from cyberattacks led by nation-states range from espionage to cyberattacks on critical infrastructure.
What framework is used to break attacks?
How does complexity affect cybersecurity?
Why is it important to monitor cloud and on-premises?
What is Operation Cloud Hopper?
Does Operation Cloud Hopper target insiders?
Can Internet Accessible Management APIs be compromised?
Did APT10 create on demand services?
What framework is used to break attacks?
In examining these attacks against our recommendations, I used MITRE's ATT&CK Framework, which breaks different attacks into techniques that could be mapped to our previous recommendations.
How does complexity affect cybersecurity?
Increased Complexity Strains IT Staff, and Insufficient Due Diligence Increases Cybersecurity Risk. Although it is hard to point to the specifics in Operation Cloud Hopper, it seems clear that cybersecurity risk was high because of both increased complexity and a lack of diligence from some customers who were targeted. Rather than assigning blame, the takeaway is that the complexity of a hybrid environment involving a CSP and on-premises systems makes it hard to adequately address problems, such as stolen credentials or lateral movement from a customer to the CSP and then to a second customer. The lack of diligence by one cloud customer can increase risk even to another customer who is diligent.
Why is it important to monitor cloud and on-premises?
Monitoring cloud-deployed resources by the customer is essential to increase the ability to detect lateral movement from the CSP to the customer or vice versa. Coordinating with the CSP (as well as CSP coordination with the customer) provides an effective combination of information that can increase the likelihood of detecting post-compromise activities.
What is Operation Cloud Hopper?
In December, a grand jury indicted members of the APT10 group for a tactical campaign known as Operation Cloud Hopper, a global series of sustained attacks against managed service providers and, subsequently, their clients. These attacks aimed to gain access to sensitive intellectual property and customer data. US-CERT noted that a defining characteristic of Operation Cloud Hopper was that, upon gaining access to a cloud service provider (CSP), the attackers used the cloud infrastructure to hop from one target to another, gaining access to sensitive data in a wide range of government and industrial entities in healthcare, manufacturing, finance, and biotech in at least a dozen countries. In this blog post, part of an ongoing series of posts on cloud security, I explore the tactics used in Operation Cloud Hopper and whether the attacks could have been prevented by applying the best practices that we outlined for helping organizations keep their data and applications secure in the cloud.
Does Operation Cloud Hopper target insiders?
Insiders Abuse Authorized Access. Reports on Operation Cloud Hopper do not reference insider threat, but some mitigations for insiders' abuse of authorized access also apply to mitigating stolen credentials. Many recommendations from the SEI's Common Sense Guide to Mitigating Insider Threats could also be applied to reduce the impact of attackers using stolen credentials, including but not limited to
Can Internet Accessible Management APIs be compromised?
Internet-Accessible Management APIs can be Compromised
Did APT10 create on demand services?
According to publicly available reports, APT10 did not create on-demand public services, which could have made the attacks and their implications more serious. On-demand services could have provided alternate means to the PlugX, RedLeaves, and Quasar malware for remote access and other attacker functions. There were also no reports of separation between tenants failing because of exploits of vulnerabilities in software or systems in the CSP infrastructure, likely because this type of advanced attack would have been wasted when more basic avenues, namely credential theft, were available to leverage.
Which country was attacked by cyberattacks in 2007?
While the strategy represented in cyberattacks on Estonia in 2007 and Georgia in 2008 confused citizens of both countries, Moscow enjoyed the plausible deniability for its actions that often originates from hybrid warfare cyber operations. [58] The attacks on Ukraine follow the action in Estonia and Georgia.
How does Russia manipulate Ukraine?
[88] Frequent cyberattacks on Ukraine's critical infrastructure impose damage and economic losses on the country, and submerge Ukraine's entire territory into a state of hybrid warfare and social instability. Additionally, in the larger context of growing reliance on cyber weapons by world powers, Ukraine appears to have become a test ground for new cyber-offensive technology Russia can use elsewhere. [89]
Why did the Ukrainian grid hacks happen?
First, they are a component of a destabilization campaign aimed at Ukraine as it reduces its dependence on Russia and leans west toward the European Union (EU) and NATO economically, politically, and militarily. Second, the attacks were meant to demonstrate the offensive capabilities of Russian hackers and allowed Russia to prove its effectiveness against a country that cannot retaliate in kind.
What is Russia's goal in cyber warfare?
Since the late 2010s, Russia has attempted to combine conventional and cyber tactics to achieve its national strategic goals, particularly its national goal to bring Russia back to prominence in the international arena. [34] To do this, Russia has combined cyber warfare tactics with traditional strategy to create a new type of hybrid warfare that relies on proxies and surrogates to obscure attribution and intent, and to maximize confusion and uncertainty using both simple and sophisticated technologies in innovative ways. [35]
Who is behind the grid hack?
Ukrainian and U.S. government officials have attributed the grid hacks to Russia, and cybersecurity firms have linked the malware present in the affected systems to Russian cyber-criminal groups. [8] In March 2016, Ukrainian investigators stated the attackers were Russian speaking, and one claimed that the Russian group known as APT28 (Advanced Persistent Threat 28 or "Fancy Bear") may have been involved. APT28 is thought to have ties to the Russian government and has a history of high-profile hacks with targets that include the Pakistani military, the Ukrainian Election Commission, and the U.S. Democratic National Committee. [9]
Can espionage be monetized?
Espionage and sabotage operations cannot be monetized on black markets in the same way as credit card or bank account numbers can be, making them more difficult to track and attribute. In the case of espionage and sabotage, the primary beneficiaries are governments.