The Computer Emergency Response Team of Ukraine (CERT-UA) and the State Service of Special Communications and Information Protection of Ukraine (SSSCIP) have just released a report analyzing the evolution of the cyber tactics, objectives, and capacities of the Russian government and government-controlled threat groups in the first half of 2023. The report and its key details are summarized here.

How Russian Government-controlled Hacking Groups Shift Their Tactics, Objectives, and Capacities

From the SSSCIP website announcing the availability of the report:

“The SSSCIP has prepared an analytical report – Russia’s Cyber Tactics H1 2023 – in which they analyzed and explored cyber threats by Russian hacking groups in 2022 and the first half of 2023 as well as shifts in the cybercriminals’ behavior. The report contains information that may be helpful to Ukrainian cybersecurity specialists as well as to…international partners.

Specifically, it will be useful for:

  • Understanding Russian hackers’ motives, capabilities to carry out cyber operations as well as their choice of targets;
  • Anticipating the extent of cyber capacities that may be employed by the enemy in the current and future geopolitical conflicts; and 
  • Seeking new tools and methods to counter hostile cyberattacks, etc.

The new trends of 2023 include: 

  • Increased focus of the enemy hackers on Ukrainian law enforcement. 
  • Intelligence operations aimed at accessing the data…evidence of Russia’s war crimes, collected and submitted materials for trials and prosecution, arrest warrants for suspected agents, etc.
  • Energy and media sectors remain among the major targets of the enemy hackers.

SSSCIP specialists have [also] revealed [a]…trend of recurring attacks. Hackers revisit their prior targets that own and operate critical data, required by the Russian military. This approach enables the perpetrators to strategically plan their future operations and forecast…responses. Early knowledge of the target entity’s network infrastructure, protection measures, key personnel and communication modalities offers the attackers a substantial advantage when it comes to exploiting the earlier compromised organizations.”

Key Insights from the Report 

2x Growth in the Number of Incidents where CERT-UA was involved in Investigations and Forensics: Despite all improvements implemented by Ukrainian authorities (from utilizing the most modern protection stack to many other enhancements), the number of incidents doubled in the last 6 months: from an average of 1.9 incidents per day (57 per month) in H2’22 to 4-5 per day (128 per month) in H1’23. Russian state-controlled adversaries brace for the long stand against the West and add more people to increase the capacity and speed of the attacks.

The Civic and Law Enforcement Sector is Dominating Across Espionage Targets: In the first half of 2023, we observed a sustained interest in the civic sector and law enforcement organizations. During this period, we encountered espionage operations conducted by military APTs aimed at gaining access to and extracting data from various law enforcement units in Ukraine. Their primary objectives were to identify which evidence of Russian war crimes our law enforcement teams have and to exercise control over potential ground-deployed spies.

Once a Victim – Always a Victim: We’ve uncovered a notable trend where return attempts take precedence. State-sponsored hackers are revisiting known victims who handle and maintain the critical data needed by the Russian military. This approach grants attackers the ability to strategize future actions and anticipate our responses. Having prior knowledge of a victim organization’s network infrastructure, defensive measures, key personnel, and communication patterns provides returning attackers with a substantial advantage when it comes to exploiting organizations that have been compromised in the past.

Focus on Immediate Data Exfiltration: CERT-UA and our partners have optimized the collection of Threat Intelligence (TI) and reduced the Mean Time to Detect and Respond (MTTD/MTTR). Consequently, Russian threat actors now have limited time for lateral movement, prompting them to place even greater emphasis on a particular tactic: dumping documents, sometimes as many as 21,000 office documents in certain cases, along with browser credentials. We’ve observed a shift in tactics that involve infecting systems, prioritizing victims, and gaining access to more valuable assets by replacing compromised Command and Control servers (C2s). The primary payloads still consist of office documents and HTML/JS-based malware packaged in archives, which remain the most prevalent and favored formats.

The Media Sector is Under Constant Attack During the First Six Months of 2023: Throughout the first six months of 2023, the media sector has been subjected to persistent attacks. We’ve been closely monitoring these attacks, which have been primarily focused on individuals and journalists. The goal behind these attacks is to gain control over media resources and accounts, intending to employ them for disinformation campaigns and influence operations. Notably, many of these attacks have been attributed to the Sandworm group, which is linked to Russia’s GRU and is a key player in the broader context of Russia’s hybrid warfare efforts. https://cert.gov.ua/article/4818341

Growing Usage of “Living off the Land”: Intruders employ either built-in system functionalities or external tools to carry out malicious actions on the system. Malicious actors often utilize established, legitimate Windows-based software, such as WinRAR (which is popular in the region), sdelete, and various other Windows utilities. This approach serves to conceal their abnormal activities, making it more challenging to detect their actions by antivirus and endpoint detection and response (AV/EDR) systems. Consequently, they can conduct destructive operations without triggering anomalies in AV/EDR monitoring. https://cert.gov.ua/article/4501891
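Because the abused binaries are legitimate, file-reputation alone will not catch them; the practical defensive signal is process lineage and command line. The following is an added illustration (not CERT-UA's or OODA's detection content) of that idea: simple heuristics over constructed process-creation telemetry that flag sdelete and WinRAR/rar use from script-host parents. The event format, field names, tool lists and rule thresholds are assumptions chosen for the example.

```python
"""Flag "living off the land" use of legitimate Windows tools in
process-creation telemetry. Added example with an assumed event format;
the heuristics are illustrative, not a published signature set."""
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    parent: str   # parent process image name
    image: str    # process image name
    cmdline: str  # full command line as logged


# Tools named in the report as abused; parents below are hosts that
# interactive users rarely launch archivers or wipers from directly.
ARCHIVERS = {"winrar.exe", "rar.exe"}
WIPERS = {"sdelete.exe", "sdelete64.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def rar_command(cmdline: str) -> str:
    """Return the RAR command letter ('a' = add to archive, 'x' = extract)."""
    parts = cmdline.split()
    return parts[1].lower() if len(parts) > 1 else ""


def classify(ev: ProcessEvent) -> list[str]:
    """Return the list of suspicious traits found in one event (empty if benign)."""
    img, parent, flags = ev.image.lower(), ev.parent.lower(), []
    if img in WIPERS:
        flags.append("secure-delete utility executed")  # rare on ordinary workstations
        if parent in SCRIPT_HOSTS:
            flags.append("wiper launched from script host")
    if img in ARCHIVERS and rar_command(ev.cmdline) == "a" and parent in SCRIPT_HOSTS:
        flags.append("archive created from script host")  # staging rather than user unpacking
    return flags


def triage(events: list[ProcessEvent]) -> list[tuple[ProcessEvent, list[str]]]:
    """Return only the events that tripped at least one heuristic."""
    return [(ev, f) for ev in events if (f := classify(ev))]


# Constructed sample telemetry (not real incident data).
SAMPLE_EVENTS = [
    ProcessEvent("explorer.exe", "WinRAR.exe", r"WinRAR.exe x C:\Users\ann\Downloads\report.rar"),
    ProcessEvent("cmd.exe", "rar.exe", r"rar.exe a C:\ProgramData\out.rar C:\Users\ann\Documents"),
    ProcessEvent("powershell.exe", "sdelete64.exe", r"sdelete64.exe -accepteula -p 3 C:\ProgramData\out.rar"),
    ProcessEvent("explorer.exe", "notepad.exe", r"notepad.exe C:\Users\ann\notes.txt"),
]

if __name__ == "__main__":
    for ev, flags in triage(SAMPLE_EVENTS):
        print(f"{ev.parent} -> {ev.image}: {', '.join(flags)}")
```

The first event (a user unpacking a download from Explorer) is left alone, while the scripted archive creation and the subsequent sdelete run on that archive are both surfaced for review.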

Hacking and Exploiting Open Source Mail Systems: We observe a trend from H2’2022 that threat actors actively develop and distribute exploits against open-source mail systems for known CVEs. Examples: Zimbra and Roundcube.

The Energy Sector Continues to be Under Attack: The key problem that leads to successful penetration is the lack of proper isolation between operational technology (OT) and corporate networks. The number of attacks in 2023 dropped after the end of the drone and missile attacks on the civilian energy infrastructure. Still, terrorist-style pressure on the international community over the Zaporizhzhya nuclear plant continued, and key Russian APT groups were tasked to collect information about Ukrainian plans to protect the station and preparedness for the worst-case scenario.

For the full report, see the Russia’s Cyber Tactics H1 2023 analytical report.

For a better understanding of the changes in the objectives pursued by Russian government-controlled hacking groups and other teams directly engaged in the attack campaigns against Ukraine, see the previous report, Russia’s Cyber Tactics: Lessons Learned 2022.

Additional Resources

Russian Invasion of Ukraine: Russia’s aggression against Ukraine prompts global repercussions on supply chains and cybersecurity. This act highlights potential threats from nations like China and could shift defense postures, especially in countries like Japan. See: Russia Threat Brief

Geopolitical-Cyber Risk Nexus: The interconnectivity brought by the Internet has made regional issues affect global cyberspace. Now, every significant event has cyber implications, making it imperative for leaders to recognize and act upon the symbiosis between geopolitical and cyber risks. See The Cyber Threat

Challenges in Cyber “Net Assessment”: While leaders have long tried to gauge both cyber risk and security, actionable metrics remain elusive. Current metrics mainly determine if a system can be compromised, without guaranteeing its invulnerability. It’s imperative not just to develop action plans against risks but to contextualize the state of cybersecurity concerning cyber threats. Despite its importance, achieving a reliable net assessment is increasingly challenging due to the pervasive nature of modern technology. See: Cyber Threat

Daniel Pereira

About the Author

Daniel Pereira is research director at OODA. He is a foresight strategist, creative technologist, and an information communication technology (ICT) and digital media researcher with 20+ years of experience directing public/private partnerships and strategic innovation initiatives.