Ukraine Cyberattacks

Monitoring the Situation in Ukraine

Spambrella and Proofpoint Threat Information Services (TIS) regularly provide updates to customers on critical issues in the threat landscape. Given the nature of the current situation in Ukraine, Spambrella is providing the following statement to all customers. If you have additional questions, please contact your account manager.

Spambrella continues to monitor the situation in Ukraine and Eastern Europe closely. At this point, it appears that Russian cyberaggression remains regionally focused on Ukrainian government interests, critical infrastructure, and emergency response in the region. With the exception of recently identified activity by Actinium (a threat actor believed to be linked to Russia’s Federal Security Service, or FSB), email does not appear to be a significant vector; even in the case of Actinium, malicious emails were highly targeted, which limits the current risk level for organizations without a presence in government or critical infrastructure in Ukraine.

At present, we have neither observed nor seen reports of NotPetya-style wormable attacks with the potential to spill over beyond their intended targets. A recent analysis of spam subject lines – frequently indicative of future trends in social engineering – showed remarkably little use of the terms “Ukraine” and “Russia.” It is, however, noteworthy that recent distributed denial of service (DDoS) attacks in Ukraine leveraged the Mirai botnet, reinforcing Russia’s likely willingness to use underground crimeware resources to achieve its aims, beyond the highly targeted, frequently network-based attacks more commonly associated with Russian state actors.

Proofpoint Threat Information Services recommends the following:

  • Remain focused on existing threat models. For most organizations, crimeware and financially motivated phishing continue to present the greatest risks.
  • Ensure that RDP and other internet-exposed network resources are carefully secured and critical and/or legacy systems are appropriately segmented.
  • Alert on Cobalt Strike traffic and potential signs of data exfiltration or C2 communications via network signatures, such as those provided by Proofpoint Emerging Threats.
  • Immediately remediate delivered threats, particularly those associated with known initial access brokers, many of whom likely operate in or near the region and have established footprints across Western organizations.
  • As always, if Spambrella and its data processing partners detect APT activity in your environment, we will make every effort to notify you.

Spambrella – Custom filter recommendation:

  • Geographic IP custom filters can be created to reduce your organization’s global email threat vector. The example below shows how this can be applied to your organization using the following ‘Do’ actions: Quarantine (if the sender IP resides in the selected geographic locations); Hide log from non-admin users (end users will not have visibility of any email from these locations, including within quarantine digest reports); Require admin privileges to release; and, as the final ‘Do’ action, send reports/alert emails to a designated shared mailbox.

Geographic Email Filter

The above are recommendations only. Please contact us directly if you wish to discuss further or require assistance with the creation of custom filters.