Mandiant Unveils Russian GRU's Cyber Playbook Against Ukraine

July 13, 2023
Drawing on its tracking of Russia-backed disruptive operations against Ukraine since Russia invaded its neighbor in February 2022, Mandiant observed that multiple distinct Russian threat clusters have persistently used the same repeatable playbook throughout the war to pursue Russia’s information confrontation objectives.

The cybersecurity firm, now part of Google Cloud, presented its findings in a blog post published on July 12, 2023.

This playbook, crafted by the Russian military intelligence service (GRU), contains the following five operational phases:

  1. Living on the Edge: Leveraging hard-to-detect compromised edge infrastructure such as routers, VPNs, firewalls and email servers to gain and regain initial access into targets
  2. Living off the Land: Using built-in tools such as operating system components or pre-installed software for reconnaissance, lateral movement and information theft on target networks, likely aiming to limit their malware footprint and evade detection
  3. Going for the GPO: Creating persistent, privileged access from which wipers can be deployed via group policy objects (GPO) using a tried-and-true PowerShell script
  4. Disrupt and Deny: Deploying ‘pure’ wipers and other low-equity disruptive tools such as ransomware to fit a variety of contexts and scenarios
  5. Telegraphing ‘Success’: Amplifying the narrative of successful disruption via a series of hacktivist personas on Telegram, regardless of the actual impact of the operation