The current state of international affairs across the globe has significantly increased the threat posed by state actors carrying out powerful cyber attacks, which would also include targeting European customers. There are a number of offensive cyber operations linked to these state actors, which this advisory will address. We will list some of the common attack techniques shared between operations, and how organisations can defend against these attacks. .
- Disruption and destruction will be the primary objective of these cyber attacks.
- State actors also have a vested interest in information gathering activities, particularly in the area of technology intellectual property.
State actors use a wide range of formidable tools and methods to conduct their attacks. However, there is a lot of crossover between the actor groups. Some of the more common methods are listed below.
- Brute force
This state actor has the means to conduct brute force activities at the network level; any password protected web-facing asset can be targeted.
- Phishing and Spear Phishing
This popular technique is used, even by state actors, due to its high success rate.
- Covert data collection and exfiltration
Some of these threat actors use Powershell, .vbe scripts to perform exfiltration, and use sophisticated, bespoke network monitoring and intelligence gathering tools.
- Social media poisoning / Drive-by Compromise
Threat actors create fake social media presences to drawn in targets and trick them into providing information and performing activities on their behalf.
- User activity monitoring
Keystroke monitoring, browser MITM monitoring, Screen capturing have all been used by these threat actors.
- Data exfiltration, encryption and deletion
These threat actors are all capable of exfiltrating data, encrypting data in lieu of ransomware-style extortion, and causing malicious damage through data deletion. Exfiltration is often done on uncommon network ports.
- Activity concealment
Most actors are capable of concealing their activities from forensic investigation through file and log deletion.
We recommend the following actions be taken:
- Disable unnecessary ports and protocols
A review of your network security device logs should help you determine which ports and protocols are exposed but not needed. For those that are, monitor these for suspicious, ‘command & control’-like activity. Special emphasis on externally facing ports is recommended.
- Backup now, and test your recovery process for business continuity
It is easy to let backup policies slide or fail against other business priorities. It is highly recommended that you are able to prove that you can restore in practice, so this activity should be prioritised. Also, ensure you have redundant backups, ideally using a combination of hot, warm and/or cold sites.
- Step up monitoring of network and email traffic
Given the advanced and persistent nature of these state actors, malicious activity will be hard to detect. The most common vectors for intruders are unprotected devices on your network and targeted phishing emails. Follow best practices for restricting attachments via email and other mechanisms and review network signatures. If you have an IDS (Intrusion Detection System), now would be a good time for a ground up review of effectiveness.
- Patch externally facing equipment
Attackers actively scan for and will exploit vulnerabilities, particularly those that allow for remote code execution or denial of service attacks.
- Strengthen and enforce password policy
Brute force is an element of some of these attacks, so reviewing passwords to ensure all system default passwords are replaced. OWA is a known target, so using 14 character passwords is also recommended.
- Log and limit the use of PowerShell
If a user or account does not need PowerShell, disable it via the Group Policy Editor. For those that do, enable code signing of PowerShell scripts, log all PowerShell commands and turn on ‘Script Block Logging’.
by Euan Ramsay, Sr. Advisor Data Protection & Cyber Security, LEANmade AG