On the Frontline of the Global Cyber War: Overview of Major russia-backed APT Groups Targeting Ukraine and Sigma Rules to Proactively Defend Against Their TTPs

The State Service of Special Communication and Information Protection of Ukraine (SSSCIP) recently issued an analytical report covering russiaā€™s cyber aggression against Ukraine in 2022 The report provides insights into the primary hacking collectives that have been in the limelight since the outbreak of the full-scale war in Ukraine, analyzes adversary TTPs to execute intrusions, and covers the major trends and attack vectors illustrating their malicious activity to help both Ukrainian and global organizations proactively defend against russian cyber attacks of any scale.Ā Ā 

On February 24, 2022, a little more than a year ago, the russian federation started an offensive invasion of Ukraine by land, air, and sea. The war escalated in cyberspace as well. As a result, we are now witnessing the first-ever full-fledged cyber war in human history, with russia acting as an offensive counterpart and Ukraine defending itself and its allies on the cyber frontline. Calling such attacks a cyber war doesnā€™t seem like a metaphor anymore.Ā 

However, while the ground offensive by russian troops and missiles has been unexpected, the cyber war against Ukraine has been going on for almost a decade, starting from a series of destructive attacks by the russia-affiliated Sandworm APT group using the infamous BlackEnergy malware in 2015-2016 and the notorious NotPetya malware in 2017 targeting the Ukrainian financial sector. What we can see nowadays on the russian cyber front is the outcome of their 30-year strategy. SSSCIP reports that the Moscow government has grown a broad network of trained offensive affiliates who can perform military commands, are equipped with zero-days and have extensive experience in launching autonomous campaigns at low cost, while cyber defense operations still remain rather costly.Ā 

According to the SSSCIP report and based on the CERT-UA estimations of investigated incidents, russia-affiliated threat actors deployed 2,194 destructive cyber attacks against Ukraine, with 52% of them (1,148) being the most critical and high-level, which were successfully investigated and mitigated by the collective effort of CERT-UA and their partners. Security experts from Googleā€™s Threat Research Group observe a 250% surge in attacks against Ukrainian assets during 2022 (as compared to 2021). The targeting, which coincided and has since persisted following the country’s military invasion of Ukraine in February 2022, focused heavily on the Ukrainian government and military entities, alongside critical infrastructure, utilities, public services, and media sectors. Mandiant said it observed, “more destructive cyber attacks in Ukraine during the first four months of 2022 than in the previous eight years, with attacks peaking around the start of the invasion.” With the escalation of russiaā€™s cyber offensive operations, cyber defenders realized that no individual organization can withstand the avalanche of russia-backed destructive attacks on their own, which stresses the need for global cybersecurity collaboration to thwart cyber aggression of such scale.Ā 

SOC Prime stands guard on the frontline of the global cyber war, helping Ukraine and its allies defend themselves from russian aggression. By cooperating with CERT-UA and SSSCIP, we research, develop, and test Sigma rules on the real battlefield delivering more than 400 pieces of new detection content a month to help thwart destructive russiaā€™s attacks.Ā 

SOC Primeā€™s platform for collective cyber defense curates more than 10,000 behavior-based Sigma rules aligned with the MITRE ATT&CK framework v12 and easily shared across 27+ SIEM, EDR, and XDR solutions. SOC Prime publicly shares all metadata associated with over 260,000 detection algorithms since information sharing enables anyone to both benefit from and contribute to Sigma rules as they describe adversary behavior that can be used in any cyber attack. Timely information exchange, including TTPs and adversary behavior patterns, allows cyber defenders to gain a strategic advantage in the ongoing cyber war.

Here you can find a list of curated detection algorithms to proactively defend against the malicious activity of russian nation-backed APT groups mentioned in the SSSCIP investigation as threat actors actively deploying destructive cyber attacks against multiple industry sectors in Ukraine over the course of 2022.Ā 

All Sigma rules are aligned with the MITRE ATT&CK framework v12 and are compatible with the industry-leading SIEM, EDR, and XDR technologies. Cyber defenders can instantly delve into relevant cyber threat context for relevant ATT&CK and CTI links, mitigations, and operational metadata to accelerate their threat investigation.

Detecting Gamaredon APT (UAC-0010) Adversary Activity

According to the SSSCIP report analyzing the activity of state-sponsored hacking collectives throughout 2022, Gamaredon APT can be considered the most active and the most persistent group based on the incidents registered in the 2nd half of 2022. Over the course of this period, threat actors mainly targeted their offensive operations at the Ukrainian military, security, and defense sector, as well as government institutions.Ā 

This nation-backed russia-affiliated group is tracked under a variety of monikers, including Armageddon APT aka UAC-0010, Trident Ursa, Shuckworm, and Primitive Bear. According to the Security Service of Ukraine, the groupā€™s activity is attributed to russiaā€™s Federal Security Service targeting intelligence and subversive operations against Ukraine and NATO allies on the cyber frontline. Follow the link below to reach the entire Sigma rule set to detect the related malicious activity:

Sigma rules to detect TTPS used in cyber attacks linked to UAC-0010

Detecting Sandworm APT (UAC-0082) Malicious Campaigns

Another hacking collective that was in the spotlight throughout 2022 is the notorious GRU-affiliated Unit 74455 known as Sandworm APT, which is also tracked as UAC-0082 by CERT-UA. Over the observed period, the group primarily set eyes on Ukrainian organizations in the logistics and transportation, media, and energy sectors.Ā 

In mid-April, 2022, CERT-UA, in collaboration with Microsoft and ESET, issued an alert covering the second power outage attack in human history attributed to UAC-0082. In this attack, russian hackers leveraged Industroyer2, a novel version of the nefarious Industroyer malware family, in conjunction with data-wiping malware dubbed CaddyWiper. The latter came into the cyber threat arena hard on the heels of cyber attacks deploying HermeticWiper and WhisperGate malware, illustrating the wiping trend in the Ukrainian threat landscape for the 2nd half of 2022. Below you can find the comprehensive list of Sigma rules to detect the malicious activity of UAC-0082 aka Sandworm Group.

Sigma rules to detect the adversary activity of UAC-0082 group

Detecting the Malicious Activity of the UAC-0056 Group

Threat actors identified as UAC-0056 have also been actively targeting Ukrainian organizations since russiaā€™s full-fledged invasion of Ukraine, primarily focusing their malicious campaigns on the government and banking sectors. This hacking collective was behind massive phishing attacks in the spring of 2022, leveraging Cobalt Strike Beacon, GrimPlant, and GraphSteel malware. To proactively defend your organization’s infrastructure against intrusions linked to the UAC-0056 group, SOC Primeā€™s Detection as Code platform curates a set of dedicated Sigma rules available via a link below:

Sigma rules to detect TTPs related to the malicious activity of UAC-0056 hackers

Detecting the Adversary Activity Attributed to the UAC-0020 Group

Vermin, also tracked as UAC-0020, is another hacking collective that has been causing a stir in the Ukrainian cyber threat arena since 2022 linked to russia-backed offensive operations. Similarly to the Sandworm APT group, Vermin malicious actors were targeting the military, security, and defense sectors during 2022.Ā 

Cybersecurity researchers attribute this group to the so-called Luhansk Peopleā€™s Republic (LPR), an unrecognized self-proclaimed state in the Donbas region of eastern Ukraine. According to the investigation, Vermin is a state-backed group acting as an operational unit of the russian cyber warfare on the frontline of the global cyber war. Cyber defenders can instantly reach the entire collection of Sigma rules to timely detect current and emerging threats attributed to the UAC-0020 russia-linked cybercriminals by following the link below:

Sigma rules to detect malicious operations linked to the UAC-0020 actors

Detecting Cyber Attacks Against Ukraine Linked to the UAC-0142 Actors

Yet another hacking group targeting the military, security, and defense sectors is tracked as UAC-0142, which has been mainly exploiting the phishing attack vector in cyber attacks during 2022. At the end of 2022, malicious actors aimed to hack the state-based situational awareness system known as DELTA, which is used to facilitate the coordination of military forces on the battlefield. To timely identify the malicious intrusions linked to the UAC-0142 threat actors, SOC Prime Platform offers a full collection of relevant Sigma rules available via a link below:

Sigma rules to proactively defend against cyber attacks by the UAC-0142 group

Security experts can take advantage of the comprehensive collection of Sigma rules against russian nation-backed APTs along with 50 unique detection algorithms of their choice. Gain from the Sigma2SaveLives charity subscription with 100% of revenue donated to provide focused aid for the Ukrainian people and always stay ahead of russia-affliated threat actors.

Ā 

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts