The US Cybersecurity and Infrastructure Security Agency (CISA) has just put out a bulletin numbered AA22-074A, with the dramatic title Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and “PrintNightmare” Vulnerability.
To sidestep rumours based on the title alone (which some readers might take to describe an attack that is going on right now), and instead to reinforce the lessons that CISA hopes this incident can teach us, here’s what you need to know. Fortunately, the overall story is simply and quickly told. The attack dates back to May 2021, and the victim was a non-government organization, or NGO, not named by CISA.
As far as we can tell, and briefly summarised, the attackers:
- Got an initial foothold due to a poorly-chosen password.
- Found an account that had been left inactive for ages, instead of being removed.
- Re-enrolled the account into the 2FA system, as though the original user were reactivating it.
- Logged in as this user, sailing past the 2FA part thanks to re-enrolling the account with their own device.
- Exploited the PrintNightmare vulnerability to get Domain Administrator access.
- Deliberately broke the 2FA system by messing with its configuration, so it no longer demanded 2FA responses from anyone.
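As an added illustration (not CISA’s or Sophos’s code), here is a small Python audit that runs the three warning signs of the chain above over a constructed event stream: a 2FA re-enrolment on an account that has been inactive longer than a policy threshold, a login straight after that enrolment, and a configuration change that switches off 2FA enforcement. The event format, field names, directory data and thresholds are all assumptions.

```python
from datetime import datetime, timedelta

STALE_DAYS = 90                        # assumed policy: unused this long = should be disabled
ENROLL_LOGIN_WINDOW = timedelta(hours=1)  # assumed: login this soon after enrolment is suspicious

# Constructed sample event stream (hypothetical format, not CISA or vendor log data).
# Each tuple: (ISO timestamp, event type, account, detail).
EVENTS = [
    ("2021-05-01T09:00:00", "login",      "alice", "ok"),
    ("2021-05-03T10:15:00", "login",      "alice", "ok"),
    ("2021-05-10T02:14:00", "mfa_enroll", "bob",   "device=new-phone"),
    ("2021-05-10T02:16:00", "login",      "bob",   "ok"),
    ("2021-05-10T03:40:00", "mfa_config", "bob",   "enforcement=off"),
]

# Constructed directory data: when each account was last seen active before the events above.
LAST_ACTIVE = {"alice": "2021-04-28T12:00:00", "bob": "2020-11-15T08:30:00"}


def _ts(s):
    return datetime.fromisoformat(s)


def audit(events, last_active, stale_days=STALE_DAYS, window=ENROLL_LOGIN_WINDOW):
    """Return (account, finding) pairs, one per warning sign, in event order."""
    findings = []
    seen = {acct: _ts(t) for acct, t in last_active.items()}  # last activity per account
    enrolled_at = {}                                           # most recent 2FA enrolment per account
    for ts_str, kind, acct, detail in sorted(events):          # ISO strings sort chronologically
        ts = _ts(ts_str)
        if kind == "mfa_enroll":
            last = seen.get(acct)
            # Enrolment on an account with no recent activity (or none at all) is the
            # "dormant account quietly reactivated" step of the chain.
            if last is None or ts - last > timedelta(days=stale_days):
                findings.append((acct, "mfa_enroll_on_stale_account"))
            enrolled_at[acct] = ts
        elif kind == "login":
            # A login right after enrolment means the freshly enrolled device was used at once.
            if acct in enrolled_at and ts - enrolled_at[acct] <= window:
                findings.append((acct, "login_immediately_after_enroll"))
        elif kind == "mfa_config" and "enforcement=off" in detail:
            findings.append((acct, "mfa_enforcement_disabled"))
        seen[acct] = ts
    return findings


if __name__ == "__main__":
    for account, finding in audit(EVENTS, LAST_ACTIVE):
        print(account, finding)
```

A real deployment would feed this from the identity provider’s enrolment and configuration audit logs and treat any hit on the third rule as an incident on its own.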
At this point, as you can imagine, the attackers were able to add new accounts without worrying about 2FA; wander around the network; riffle through organizational data stored in the cloud; and snoop on email accounts. CISA didn’t give any information about how much data was accessed, how long the attackers stayed inside the network, or what, if anything, was exfiltrated. Those details would have been interesting to read about, to be sure, but they’re not critical to the story. What’s important is how the attackers got in, and how the infiltration could have been prevented.
Russian cyberconflict in 2022
In 2022, as political tensions escalated in advance of the war, numerous Ukrainian government websites were defaced, and systems were infected with malware disguised as ransomware. Multiple components of these attacks echoed the past. The malware was not actually ransomware; it was simply a sophisticated wiper, as was seen in the NotPetya attacks. Additionally, many false flags were left behind implying it might be the work of Ukrainian dissidents or Polish partisans.
As the conflict moved into February, it became clear that the standard Russian conflict playbook was in action: distract, confuse, deny, and attempt to divide. On Tuesday February 15, 2022, a series of debilitating DDoS attacks were unleashed against Ukrainian government and military websites, as well as against three of Ukraine’s largest banks. In an unprecedented move, the White House quickly declassified some intelligence and pinned the attacks on the Russian GRU. The war began on February 24, 2022. Sophos is maintaining a rolling summary of cyberattack developments as they unfold.
The Russian playbook for cyberwarfare
What now? Regardless of whether things continue to escalate, cyberoperations are sure to continue. Ukraine has been under a constant barrage of attacks, with varying peaks and troughs, since Viktor Yanukovych was deposed in 2014.
Russia’s official “The Military Doctrine of the Russian Federation” from 2010 states:
“the prior implementation of measures of information warfare in order to achieve political objectives without the utilization of military force and, subsequently, in the interest of shaping a favourable response from the world community to the utilization of military force.”
This suggests a continuation of previous behaviors before a conflict, and makes DDoS attacks a potential sign of an imminent kinetic response. Information warfare is how the Kremlin can try to control the rest of the world’s response to actions in Ukraine or any other target of attack. False flags, misattribution, disrupted communications, and social media manipulation are all key components of Russia’s information warfare playbook. They don’t need to create a permanent cover for activities on the ground and elsewhere; they simply need to cause enough delay, confusion and contradiction to enable other simultaneous operations to accomplish their objectives.
Prepare and protect
Interestingly, the United States and United Kingdom are trying to preempt some of the misinformation campaigns, and this could limit their effectiveness. However, we shouldn’t assume the attackers will stop trying, so we need to remain prepared and vigilant.
For example, organizations in countries surrounding Ukraine should be prepared to be drawn into any online mischief, even if they are not operating directly inside Ukraine. Previous attacks and misinformation have leaked over into Estonia, Poland, and other bordering states, even if only as collateral damage.
From a global perspective, we should expect a range of “patriotic” freelancers in Russia, by which I mean ransomware criminals, phish writers and botnet operators, to lash out with even more fervor than normal at targets perceived to be against the Motherland.
It is unlikely Russia would directly attack NATO members and risk invocation of Article V. However, its recent gestures toward reining in criminals operating from the Russian Federation and its Commonwealth of Independent States (CIS) partners will probably come to an end, and instead we will see the threats multiply.
While defense-in-depth security should be the normal thing to strive for at the best of times, it is especially important when we can expect an increase in the frequency and severity of attacks. The misinformation and propaganda will soon reach a fever pitch, but we must keep our nose to the ground, batten down the hatches and monitor for anything unusual on our networks as the conflict cycles ebb and flow, and even when, or if, they end soon. As we all know, it could take months for evidence of digital intrusions due to this Russian-Ukrainian conflict to surface.