Microsoft Ukraine Report Warns of Coming Zero-Day Exploits
Microsoft on Wednesday announced a report chronicling cyberattacks on the Ukraine associated with Russia's invasion, and suggested that such attacks soon could spread worldwide.
More zero-day software flaws likely will surface as a consequence of Russia's cyberwarfare attacks on the Ukraine. Organizations outside the Ukraine, especially NATO-aligned ones, likely will become targets as well, the report suggested.
"Highly reserved capabilities such as zero-days, critical infrastructure attacks, supply-chain attacks, and other novel techniques will almost-certainly be showcased in the medium-term," the report indicated in a segment called "Implications of wartime operations for global cybersecurity."
Microsoft security teams used information from Microsoft Defender and analysis using its recently acquired RiskIQ segment to compile its attack information, and worked with the Ukrainian officials. The report included a timeline of supposed Russian cyberattack activities, which were tracked from February through early April.
Microsoft Security Recommendations
The report advised organizations to implement several security hardening steps to prepare for the aftermath of the cybersecurity attacks on the Ukraine. The tips, listed near the end of the report, included:
- Minimalize credential theft via multifactor authentication. Use tools to detect identity attacks. A least-privilege access approach should be adopted to protect sensitive accounts.
- Use antimalware and endpoint protection solutions to protect Internet-facing systems. Isolate the "legacy" (or old) systems. Patch remote access solutions and require the use of two-factor authentication with them.
- Train personnel to use defense-in-depth security solutions to detect intrusions.
- Have an auditing capability and an incident response plan. Backup systems need to account for "the risk of destructive actions."
- Review and implement security "best practices."
The attackers used phishing and e-mail attachments to gain initial access. They stole credentials, tapping Active Directory and virtual private networks. They used "valid administration protocols, tools, and methods for lateral movement" in networks. The attackers overwrote files, and even used the Microsoft Sysinternals Secure Delete (SDelete) tool to prevent data recovery.
Wiper attacks were predominantly launched against the Ukraine. The supposed Russian attackers mostly targeted Ukrainian government agencies, followed by "other" groups, IT services, energy, media, communications, and nuclear and defense organizations.
The cyberattacks escalated at the time when negotiations broke down, before Russia's Feb. 24 invasion, and then they continued thereafter.
Microsoft's 20-page "Special Report: Ukraine" on the cyberattacks was put together by the Microsoft Digital Security Unit, using analysis from the Microsoft Threat Intelligence Center and Microsoft's AI for Good Research Lab.
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.