Russia’s war against Ukraine has entered a new phase. Based on cyber threat and malicious influence activity As Microsoft observed between March and October last year, Russian threat actors appear to be digging into and exploiting war fatigue by leveraging propaganda and cyber influence operations to diminish support for Ukraine and sow discord among its global allies.
Some of these threat actions include engaging in cyber espionage operations against the Ukrainian military and its foreign supply lines, as well as targeting Ukrainian allies in Europe and the United States. Microsoft has also seen widespread adoption influence operations designed to erode trust, increase polarization and threaten democratic processes.
As the conflict unfolds, it is important to stay abreast of these threat trends. Russian forces are relying more on conventional weapons to inflict damage in Ukraine, but cyber and influence operations remain an urgent threat to the security of computer networks and the civic life of Ukraine’s allies in the region, in NATO and around the world. By sharing this information across the broader security ecosystem, we can increase awareness of current threat vectors and improve collective cyber defenses.
Read on to learn more about three trends Microsoft has uncovered from its own threat intelligence and analysis.
Russia deploys a vast front of hacktivists to amplify the Kremlin’s actions
Last summer, Microsoft observed hacktivist characters in messages spread by Telegram attempting to justify military attacks on civilian infrastructure in Ukraine. These same individuals have also focused on distributed denial of service (DDoS) attacks against Ukraine’s allies abroad. These techniques align with additional reports Microsoft has released statements about other legitimate or pseudo-hacktivist groups with suspected links to Russian military intelligence (GRU), demonstrating how these groups worked to amplify Moscow’s displeasure with adversaries and exaggerate the number of pro-Russian cyber forces .
For example, Microsoft has identified three hacktivist groups – Solntsepek, InfoCentr, and Cyber Army of Russia – that regularly interact with Seashell Blizzard, a Russian state-sponsored threat actor affiliated with the GRU. Seashell Blizzard appears to have a short-term relationship with these hacktivist groups, based on the hacktivists’ temporary spikes in alleged cyber capacity coinciding with the Seashell Blizzard attacks. Periodically, Seashell Blizzard launches a destructive attack for which Telegram hacktivist groups publicly claim credit. Hacktivists then return to the less complex actions they usually conduct, such as DDoS attacks.
By tracking how Russian hacktivist groups intersect with nation-state actors, we can gain further insight into the operational tempo of both entities and how their activities complement each other’s objectives.
Kremlin-affiliated actors prefer a mix of techniques to camouflage themselves and evade detection
Russian threat actors are known to use a variety of techniques to gain initial access and establish persistence on targeted networks.
For example, Midnight storm infiltrates cloud environments using a combination of password spraying, credentials acquired from third parties, credible social engineering campaigns via Teams, and abuse of cloud services. The Aqua Blizzard threat actor successfully integrates HTML smuggling into initial login phishing campaigns to reduce the likelihood of detection by antivirus signatures and email security checks.
Seashell Blizzard, on the other hand, was observed exploiting edge server systems, such as Exchange and Tomcat servers, and simultaneously exploiting pirated Microsoft Office software hosting the DarkCrystalRAT backdoor to gain initial access. The backdoor allowed the threat actor to load a second-stage payload called Shadowlink, a software package masquerading as Microsoft Defender that installs the TOR service on a device and provides the threat actor with clandestine access via the TOR network. TOR stands for the Onion Routing project and is an open source privacy network that enables anonymous web browsing.
Russian influence actors will likely target key elections in 2024
Finally, Microsoft evaluates major political contests, such as upcoming ones American presidential electionswill likely be significant targets for Russian-affiliated influence actors entering 2024. We believe these actors could use video media and artificial intelligence (AI)-enabled content, among other tactics, to try to stave off the political tide by the elected. officials advocating support for Ukraine.
Microsoft is working on multiple fronts to protect our customers in Ukraine and around the world from these multi-faceted threats. Under ours Initiative for a safe future, we are integrating advances in AI-based cyber defense and secure software engineering with efforts to strengthen international norms to protect civilians from cyber threats. We are also deploying resources along a set of fundamental principles to safeguard voters, candidates, campaigns and election authorities around the world as more than 2 billion people prepare to engage in the democratic process over the next year.
As we work to support Ukrainian forces in their resistance against the Russian invasion, we believe that sharing this information is critical to encouraging continued vigilance against threats to the integrity of the global information space. By coming together as a global cyber community, we can better strengthen collective defenses and safeguard democratic norms.
– To know more Partner perspectives from Microsoft Security