What Every Enterprise Can Learn From Russia’s Cyber Assault on Ukraine
Throughout the ongoing war on Ukraine, known and suspected Russian nation-state actors have compromised Ukrainian targets. They’ve used a combination of techniques including phishing campaigns, exploiting unpatched vulnerabilities in on-premises servers, and compromising upstream IT service providers. These threat actors have also developed and used destructive wiper malware or similarly destructive tools on Ukrainian networks.
Between late February and early April 2022, Microsoft saw evidence of nearly 40 discrete destructive attacks that permanently destroyed files in hundreds of systems across dozens of organizations in Ukraine. After each wave of attacks, threat actors modified the malware to better avoid detection. Based on these observations, we’ve developed strategic recommendations to global organizations on how to approach network defense in the midst of military conflict.
Russia-aligned cyber operations have deployed several common tactics, techniques, and procedures. These include:
Based on our observations in Ukraine so far, we recommend taking the following steps to safeguard your organization.
1. Minimize credential theft and account abuse: Protecting user identities is a critical component of network security. We recommend enabling multifactor authentication (MFA) and identity detection tools, applying least-privilege access, and securing the most sensitive and privileged accounts and systems.
2. Secure Internet-facing systems and remote access solutions: Ensure your Internet-facing systems are kept fully patched, regularly evaluated for vulnerabilities, and audited for changes to system integrity. Anti-malware solutions and endpoint protection can detect and prevent attackers, while legacy systems should be isolated so they cannot become an entry point for persistent threat actors. Additionally, remote access solutions should require two-factor authentication and be patched and hardened to the most secure configuration.
3. Leverage anti-malware, endpoint detection, and identity protection solutions: Defense-in-depth security solutions combined with trained, capable personnel can empower organizations to identify, detect, and prevent intrusions impacting their business. You can also enable cloud protections to identify and mitigate known and novel network threats at scale.
4. Enable investigations and recovery: Auditing of key resources can help enable investigations once a threat is detected. You can also prevent delays and decrease dwell time for destructive threat actors by creating and enacting an incident response plan. Ensure your business has a backup strategy that accounts for the risk of destructive actions and is prepared to exercise recovery plans.
5. Review and implement best practices for defense in depth: Whether your environment is cloud-only or a hybrid enterprise spanning cloud(s) and on-premises data centers, we have developed extensive resources and actionable guidance to help improve your security posture and reduce risk. These security best practices cover topics like governance, risk, compliance, security operations, identity and access management, network security and containment, information protection and storage, applications, and services.
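Recommendations 2 and 4 both depend on knowing what "unchanged" looks like: an integrity audit of Internet-facing hosts and a backup that is verified before it is trusted for recovery. The example below, added here and not part of the original article or any Microsoft tooling, shows the core of that check as a cryptographic file manifest: record a SHA-256 digest per file, rescan later, and report what was added, removed or modified. Sample directory contents and the tampering sequence are constructed inside the script so it runs offline; in practice the stored manifest must live off the audited host (or on write-once media), since a wiper that can rewrite files can also rewrite a manifest kept beside them.

```python
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 16  # read in 64 KiB chunks so large binaries are not loaded whole


def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 digest of one file's contents."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Walk root and record a digest for every regular file, keyed by a
    POSIX-style relative path so manifests compare across hosts and OSes."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            baseline[p.relative_to(root).as_posix()] = sha256_file(p)
    return baseline


def compare_baseline(baseline: dict, current: dict) -> dict:
    """Classify drift between a stored manifest and a fresh scan."""
    known, seen = set(baseline), set(current)
    return {
        "added": sorted(seen - known),
        "removed": sorted(known - seen),
        "modified": sorted(k for k in known & seen if baseline[k] != current[k]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then simulate the kind of
    changes a defender wants to catch (binary replaced, config deleted,
    unexpected file dropped) and return the classified drift."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "conf").mkdir()
        (root / "bin" / "service").write_bytes(b"\x7fELF original build")
        (root / "conf" / "app.conf").write_text("listen=443\n")
        (root / "conf" / "tls.conf").write_text("min_version=1.2\n")
        baseline = build_baseline(root)  # store this copy off-host

        # Constructed tampering: one file rewritten, one removed, one added.
        (root / "bin" / "service").write_bytes(b"\x7fELF replaced binary")
        (root / "conf" / "app.conf").unlink()
        (root / "conf" / "new.conf").write_text("debug=true\n")

        return compare_baseline(baseline, build_baseline(root))


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category:9s} {paths}")
```

The same `build_baseline`/`compare_baseline` pair serves the backup case: run it against the source tree when the backup is taken, store the manifest with the backup set, and run it again against the restored copy during a recovery exercise, so a backup that was silently corrupted or partially wiped is discovered in the drill rather than during the incident.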
As the war in Ukraine progresses, we expect to discover new vulnerabilities and attack chains as a result of the ongoing conflict. Already well-resourced threat actors will respond by reverse-engineering patches and carrying out “N-day attacks” tailored to the underlying vulnerabilities. All organizations associated with the conflict in Ukraine should proactively protect themselves and monitor for similar actions in their environments.
Microsoft respects and acknowledges the ongoing efforts of Ukrainian defenders and the unwavering support provided by the national Computer Emergency Response Team of Ukraine (CERT-UA) to protect their networks and maintain service during this challenging time. For a more detailed timeline of Russia’s cyber assault on Ukraine, explore the full report.
Copyright © 2022 Informa PLC Informa UK Limited is a company registered in England and Wales with company number 1072954 whose registered office is 5 Howick Place, London, SW1P 1WG.