Threat Intelligence published by Microsoft[1] shows an increase in Russia-based nation-state threat actors launching attacks against countries outside Ukraine. The United Kingdom was the second most targeted country, behind the United States. Across all targeted countries, organisations operating within the Information Technology, Transportation and Education industries were subject to the greatest volume of attacks.
Data from Sapphire’s SOC Team also aligns with the rise of Russia-based threats. Five (or 100%) of ‘major’ incidents (i.e., Priority 1 or Priority 2 Cases) impacting Sapphire customers have involved Russia-affiliated threat actors in industries closely aligning with those cited by Microsoft. These involved Hive, Vice Society and Russia-based cryptocurrency mining infrastructure.
Microsoft’s intelligence states that Russian threat actors continue to utilise phishing campaigns to gain initial access to a victim’s network. Over the last 60 days (8/1/23 – 8/3/23) Sapphire’s SOC Team have observed a consistent volume of phishing-based alerts, as shown below, reinforcing the need for effective Initial Access prevention technology.
Additionally, Microsoft encouraged ensuring systems are fully patched, which first requires having visibility of all assets within an organisation. This is where a Vulnerability Management program can assist. Using vulnerability data from Sapphire’s SOC Team, we observe an upward trend in the overall volume of vulnerabilities present within a customer operating in one of the at-risk industries targeted by Russia. This highlights the need for effective asset management and points to a potentially growing attack surface presented through BYOD and expanding infrastructure.
Recorded Future’s 2022 Adversary Infrastructure Report[2] highlights Cobalt Strike as the most frequently observed Command and Control post-exploitation framework over the last three years, as shown below. Data from Sapphire’s SOC Team is also in alignment with this trend. For example, 50% of Sapphire’s customer P1 incidents involved the usage of Cobalt Strike.
References
- Microsoft Digital Defence Report 2022 (https://go.microsoft.com/fwlink/?linkid=2213817&clcid=0x409&culture=en-us&country=us)
- Recorded Future’s Insikt Group 2022 Adversary Infrastructure Report (https://www.recordedfuture.com/2022-adversary-infrastructure-report)