- Attacking oil and gas pipeline companies in response to sanctions on the Nord Stream 2 pipeline;
- Retaliating against financial institutions in response to financial sanctions on Russia; and
- Targeting U.S. government agencies with cyber attacks to gain intelligence on U.S. response options.
IronNet's threat analysts routinely monitor cybersecurity reporting to assess possible threats to enterprise networks. In particular, we are monitoring the vulnerabilities known to be exploited by Russian state-sponsored threat actors to gain initial access, as listed in the joint advisory [PDF] from CISA, the FBI, and the NSA:
- CVE-2018-13379 FortiGate VPNs
- CVE-2019-1653 Cisco router
- CVE-2019-2725 Oracle WebLogic Server
- CVE-2019-7609 Kibana
- CVE-2019-9670 Zimbra software
- CVE-2019-10149 Exim Simple Mail Transfer Protocol
- CVE-2019-11510 Pulse Secure
- CVE-2019-19781 Citrix
- CVE-2020-0688 Microsoft Exchange
Additional mitigations and recommendations
We recommend the following mitigations per Mandiant’s report "Proactive Preparation and Hardening to Protect Against Destructive Attacks."
| Focus Area | Description | Hardening Recommendation |
| --- | --- | --- |
| Hardening External Facing Areas | Protect against the risk of threat actors exploiting an externally facing vector or leveraging existing technology for unauthorized remote access. | 1. Identify, Enumerate, and Harden Externally Facing Assets; 2. Enforce Multi-factor Authentication for Externally Facing Services |
| Critical Asset Protections | Protect specific high-value infrastructure and prepare for recovery from a destructive attack. | 1. Backup AD and other Critical Assets; 2. Conduct Targeted Business Continuity Planning; 3. Segment IT and OT Environments; 4. Implement Egress Restrictions; 5. Protect Virtualization Infrastructure |
| On-Premises Lateral Movement Protections | Protect against a threat actor with initial access into an environment from moving laterally to further expand their scope of access and persistence. | 1. Restrict Communication To/From Endpoints; 2. Harden Remote Desktop Protocol (RDP); 3. Disable Administrative/Hidden Shares; 4. Harden Windows Remote Management (WinRM); 5. Restrict Common Lateral Movement Tools and Methods; 6. Implement Malware Protections on Endpoints |
| Credential Exposure and Account Protection | Protect against the exposure of privileged credentials to facilitate privilege escalation. | 1. Identify and Reduce the Scope of Privileged Accounts; 2. Mitigate the Risk of Non-computer Accounts with SPNs; 3. Limit the Logon Rights for Privileged Accounts; 4. Limit the Logon Rights for Service Accounts; 5. Use Group Managed Service Accounts (gMSAs); 6. Use Protected Users Group; 7. Disable WDigest and Enforce GPO Reprocessing; 8. Limit Credential Exposure Through Credential Guard; 9. Use Restricted Admin Mode for RDP; 10. Implement Windows Defender Remote Credential Guard; 11. Harden Local Administrator Accounts |
For additional mitigations and recommendations on how to protect against destructive cyberattacks, please refer to Mandiant’s report "Proactive Preparation and Hardening to Protect Against Destructive Attacks."
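Several of the host-level items in the table (disabling WDigest, disabling administrative shares, hardening RDP and WinRM, Restricted Admin mode, Credential Guard) resolve to a handful of Windows registry values, so a defender can verify them quickly before and after rolling out the GPOs. The script below is an added example and is not code from IronNet, Mandiant or the joint advisory: it reads those values and reports Pass/Fail/NotSet per check. The registry paths are the standard Windows locations; the "Expected" values are this script's reading of the table's intent, and the function names `Get-RegistryValueOrNull` and `Invoke-HardeningAudit` are chosen here.

```powershell
# Added example (not from IronNet or Mandiant): read-only audit of several
# host-level hardening settings from the table above. Registry locations are the
# standard Windows ones; the Expected values reflect the table's intent
# (WDigest off, admin shares off, NLA on, Restricted Admin on, Credential Guard
# on, no Basic/unencrypted WinRM). Nothing on the host is modified.
# Run from an elevated PowerShell prompt on the machine being reviewed.

function Get-RegistryValueOrNull {
    param([string]$Path, [string]$Name)
    try {
        return (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        return $null   # key or value not present
    }
}

# One entry per check: the table item it maps to, where Windows stores the
# setting, and which value(s) count as hardened.
$script:HardeningChecks = @(
    @{ Area = 'Disable WDigest'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
       Name = 'UseLogonCredential'; Expected = @(0) },
    @{ Area = 'Disable administrative shares (workstation)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Name = 'AutoShareWks'; Expected = @(0) },
    @{ Area = 'Disable administrative shares (server)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Name = 'AutoShareServer'; Expected = @(0) },
    @{ Area = 'Harden RDP: require Network Level Authentication'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
       Name = 'UserAuthentication'; Expected = @(1) },
    @{ Area = 'Restricted Admin mode for RDP'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'DisableRestrictedAdmin'; Expected = @(0) },
    @{ Area = 'Credential Guard'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'LsaCfgFlags'; Expected = @(1, 2) },   # 1 = on with UEFI lock, 2 = on without lock
    @{ Area = 'Harden WinRM: no Basic authentication'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
       Name = 'AllowBasic'; Expected = @(0) },
    @{ Area = 'Harden WinRM: no unencrypted traffic'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
       Name = 'AllowUnencryptedTraffic'; Expected = @(0) }
)

function Invoke-HardeningAudit {
    foreach ($check in $script:HardeningChecks) {
        $actual = Get-RegistryValueOrNull -Path $check.Path -Name $check.Name
        $status = if ($null -eq $actual) {
            # Absent means the OS default applies, and for several of these
            # settings that default depends on the Windows version, so flag
            # the row for manual review rather than guessing.
            'NotSet'
        } elseif ($check.Expected -contains [int]$actual) {
            'Pass'
        } else {
            'Fail'
        }
        [pscustomobject]@{
            Area     = $check.Area
            Setting  = $check.Name
            Actual   = $actual
            Expected = ($check.Expected -join ' or ')
            Status   = $status
        }
    }
}

$results = Invoke-HardeningAudit
$results | Format-Table -AutoSize

# Summary line for a ticket; NotSet rows still need a human decision.
$attention = @($results | Where-Object Status -ne 'Pass')
Write-Host ("{0} of {1} checks need attention" -f $attention.Count, @($results).Count)
```

Two caveats when using this. The WinRM rows only read the Group Policy keys; on a host that is not policy-managed the effective configuration is the service's own, which `winrm get winrm/config/service` shows. The domain-level items in the table (Protected Users membership, gMSAs, logon-right restrictions, accounts with SPNs, egress restrictions) are not host registry values and need the Active Directory cmdlets or a policy review rather than a script like this one.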
Collective Defense: a cyber threat early warning system for all
IronNet is transforming cybersecurity through Collective Defense: a way to increase visibility of the threat landscape in real time, deliver actionable attack intelligence and triage insights, and break down cybersecurity silos. The IronNet Collective Defense platform builds secure communities of companies, supply chain entities, sectors, states, and/or governments to enable all to scale cyber defenses by working together with IronNet’s elite cyber analysts and industry peers.
“I think Collective Defense is the transformative moment for us if we mean to do something about this [problem in cyber] … If you are a transgressor in this space, you have to beat all of us to beat one of us.” — Chris Inglis, National Cyber Director, November 2021
IronNet’s Collective Defense platform builds a real-time “cyber radar view” of the threat landscape across enterprise networks of companies and organizations that have joined a Collective Defense community. IronNet’s IronDome is the system that automates threat intelligence and enables secure, anonymous, real-time knowledge sharing and collaboration among the collective’s SOC teams. In this way, it serves as an early threat warning system for all.
To learn more about the historical context of the Russian cyber threat and APT groups, see the IronNet 2021 Annual Threat Report.