Attack Graph Response to US-CERT AA22-011A & AA22-047A: Preparing for Russian State-Sponsored Cyberthreats

In anticipation of escalating cyberattacks by the Russian government against U.S. and allied interests, AttackIQ has developed a new attack graph to help organizations test and validate their cyberdefenses against known Russian adversarial tactics, techniques, and procedures (TTPs). Organizations can use this attack graph and other Russian threat actor-focused attack graphs in the AttackIQ Security Optimization Platform to exercise their people, processes, and technologies against known behaviors to ensure that their cyberdefenses perform as intended and to elevate their total security program performance. 

This attack graph follows an alert from the U.S. Computer Emergency Response Team (US-CERT) about ongoing Russian government activities in cyberspace. On February 16, 2022, US-CERT released a joint Cybersecurity Advisory (CSA) reporting the continued targeting of U.S. cleared defense contractors between January 2020 and February 2022 by Russian threat actors. The CSA is a follow-up on an earlier advisory released in January that provided an overview of the top observed TTPs employed by an aggregate of numerous Russia-based advanced persistent threat actors covered in previous CISA/US-CERT and ICS-CERT advisories, alerts, malware analysis reports and joint advisories.

According to the published information, state-sponsored Russian cyberthreat actors have targeted a variety of critical infrastructure organizations internationally, including those in the defense industrial base as well as the healthcare, public health, energy, telecommunications, and government facilities sectors. Microsoft has observed that approximately 58 percent of all cyberattacks have their origins in threat actors based in Russia. These adversaries are often categorized as innovators because of their ability to discover and exploit zero-day vulnerabilities and to carry out supply chain compromises. Russian state-sponsored threat actors employ a wide variety of techniques focused on obtaining credentials to compromise their targets and gain privileged access, ranging from exploiting vulnerabilities in public-facing applications for initial access to well-known techniques such as phishing and password spraying.

AttackIQ has developed an attack graph in response to this recent US-CERT advisory. It rolls up the common, hard-hitting TTPs of Russia-based and Russian state-sponsored threat actors into a single attack graph, giving organizations an efficient way to elevate their security program performance and break the kill chains of multiple advanced attackers at once.

By using the AttackIQ Security Optimization Platform and emulating Russian activity, this attack graph will help security teams to:

1) Evaluate security control performance against the common credential access methods employed by Russian threat actors.

2) Assess your security posture against the adversary’s attempts to move laterally across the network.

3) Validate detection capabilities continuously against a realistic multi-stage attack from an actor that responds to security control preventions.

This attack graph emulates a realistic attack. Starting at system discovery, the attack graph captures the adversary intent of complete Active Directory domain control. Specifically, the attack graph takes the following steps:

  1. System Information (T1082) and Process Discovery (T1057): One of the first steps an actor will take once initial access has been achieved is to gain intelligence about the compromised asset. The attack graph emulates this behavior by executing native operating system commands like ‘systeminfo’ and ‘tasklist’.
  2. OS Credential Dumping (T1003): The attack graph continues by using a PowerShell version of Mimikatz to dump all available credentials that could be used by the actor to move from their initial foothold to the rest of the target environment.
  3. Lateral Movement using WMI (T1047): Using Windows Management Instrumentation (WMI) the attack graph attempts to move onto other hosts it can find in the local network.
  4. Password Brute-Force (T1110): If the credentials don’t allow for remote access using WMI, the attack graph pivots and attempts to brute-force login to a targeted system.
  5. Domain Trust Discovery (T1482): To expand the actor’s knowledge of the target’s Active Directory configuration, the graph uses PowerShell to gather information on domain trust relationships that would allow an actor to access additional resources with credentials from their current domain. Additionally, BloodHound is executed to reveal hidden relationships within the targeted Active Directory environment.
  6. Exploitation of Remote Services (T1210): Gaining access to the domain controller is one of the primary goals of Russian threat groups. The attack graph attempts to exploit the Zerologon vulnerability to gain domain administrator privileges.
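The steps above are what the attack graph emulates; what a security team gets out of running it is evidence of whether each stage was prevented or detected. The following added example (not AttackIQ code and not part of the attack graph itself) shows the kind of toy detection logic a blue team might use to check that the stages are visible in its telemetry. It runs over a handful of constructed Windows Security and Sysmon-style event records; the hostnames, usernames, addresses and field names are all invented for the example, and the thresholds and allowlists are illustrative assumptions.

```python
# Added example, not AttackIQ code: toy detection rules for the attack-graph stages,
# applied to constructed Windows Security (4688, 4625, 4742) and Sysmon (EID 10) events.
from collections import defaultdict

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample events in a SIEM-normalised shape ("src" = client address).
EVENTS = [
    # Step 1: native discovery commands right after initial access.
    {"id": 4688, "host": "WS01", "user": "jdoe", "image": r"C:\Windows\System32\systeminfo.exe",
     "cmd": "systeminfo", "parent": r"C:\Windows\System32\cmd.exe"},
    {"id": 4688, "host": "WS01", "user": "jdoe", "image": r"C:\Windows\System32\tasklist.exe",
     "cmd": "tasklist /v", "parent": r"C:\Windows\System32\cmd.exe"},
    # Step 2: Sysmon EID 10, a non-system process opening a handle to LSASS.
    {"id": 10, "host": "WS01", "source_image": PS, "target_image": r"C:\Windows\System32\lsass.exe"},
    # Step 3: on the remote host, a child of the WMI provider host (remote execution via WMI).
    {"id": 4688, "host": "WS02", "user": "jdoe", "image": r"C:\Windows\System32\cmd.exe",
     "cmd": "cmd /c whoami", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    # Step 4: burst of failed logons (4625) from one source against one host.
    *[{"id": 4625, "host": "WS03", "user": f"user{i}", "src": "10.0.0.5"} for i in range(12)],
    # Step 5: domain trust enumeration.
    {"id": 4688, "host": "WS01", "user": "jdoe", "image": r"C:\Windows\System32\nltest.exe",
     "cmd": "nltest /domain_trusts", "parent": PS},
    # Step 6: 4742 on the DC, its own machine-account password changed by ANONYMOUS LOGON.
    {"id": 4742, "host": "DC01", "subject": "ANONYMOUS LOGON", "target": "DC01$"},
    # Benign noise that must not fire: routine machine password rotation, and a
    # Windows service process touching LSASS.
    {"id": 4742, "host": "DC01", "subject": "DC01$", "target": "DC01$"},
    {"id": 10, "host": "WS01", "source_image": r"C:\Windows\System32\svchost.exe",
     "target_image": r"C:\Windows\System32\lsass.exe"},
]

# Illustrative assumptions: tune these to your environment.
DISCOVERY_TOOLS = {"systeminfo.exe", "tasklist.exe"}
LSASS_ALLOWLIST = {"svchost.exe", "csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}
BRUTE_FORCE_THRESHOLD = 10  # failed logons from one source to one host


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (technique, host, detail) findings for the attack-graph stages."""
    findings = []
    failures = defaultdict(int)
    for e in events:
        if e["id"] == 4688:
            exe = basename(e["image"])
            if exe in DISCOVERY_TOOLS:
                findings.append(("T1082/T1057 discovery", e["host"], e["cmd"]))
            if exe == "nltest.exe" and "domain_trusts" in e["cmd"].lower():
                findings.append(("T1482 domain trust discovery", e["host"], e["cmd"]))
            if basename(e["parent"]) == "wmiprvse.exe":
                findings.append(("T1047 WMI remote execution", e["host"], e["cmd"]))
        elif e["id"] == 10:
            if basename(e["target_image"]) == "lsass.exe" and basename(e["source_image"]) not in LSASS_ALLOWLIST:
                findings.append(("T1003 LSASS access", e["host"], e["source_image"]))
        elif e["id"] == 4625:
            failures[(e["src"], e["host"])] += 1
        elif e["id"] == 4742:
            # Zerologon-style reset: the subject is the anonymous identity, the target a machine account.
            if e["subject"].upper() == "ANONYMOUS LOGON" and e["target"].endswith("$"):
                findings.append(("T1210 machine account reset by ANONYMOUS LOGON", e["host"], e["target"]))
    for (src, host), n in failures.items():
        if n >= BRUTE_FORCE_THRESHOLD:
            findings.append(("T1110 brute force", host, f"{n} failed logons from {src}"))
    return findings


if __name__ == "__main__":
    for technique, host, detail in detect(EVENTS):
        print(f"{technique:45} {host:6} {detail}")
```

Each rule is deliberately simple, and that is the point of pairing it with the attack graph: process-name and parent-process matches are easy for a real actor to sidestep, so the emulation tells you whether your logging (command-line auditing for 4688, Sysmon process-access events, Security log forwarding from domain controllers) and your correlation thresholds actually produce an alert at each stage, rather than whether these particular strings happen to match.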

In addition to what is already covered in the attack graph, two further advanced techniques employed by these Russian threat actors are available in the AttackIQ platform. Security teams can easily extend this attack graph with a simple clone operation and the insertion of these behaviors, or they can create separate assessments for these scenarios if their environments meet the scenario requirements:

  1. Kerberoasting (T1558.003): The threat actors utilize Kerberoasting attacks to increase their permissions by discovering Service Principal Names (SPNs) assigned to user accounts and requesting their Ticket Granting Service (TGS) tickets that allow for login access to privileged assets. For accurate results this scenario requires either existing credentials pre-configured in the assessment or an asset that already has cached Kerberos credentials, like a system that has recently authenticated a user against a domain controller.
  2. Dump Active Directory Databases (T1003.003): One of the many end goals of the threat actor is to obtain a copy of the Active Directory database so that it may be attacked offline. Russian actors have been observed dumping the NTDS.dit database from a domain controller once administrative access has been achieved. This scenario needs to be executed on a Domain Controller asset.
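Both optional scenarios leave distinctive traces on a domain controller, which is where a team running them should expect to see detections fire. The following added example (not AttackIQ code) sketches those two detections over constructed domain-controller events: Kerberos service ticket requests (Event ID 4769) for several user-account SPNs with the RC4 encryption type (0x17) from a single client, and process creation events (4688) for the utilities commonly used to export the NTDS.dit database. Account names, SPNs, addresses and the threshold are assumptions made for the example.

```python
# Added example, not AttackIQ code: detections for the Kerberoasting and NTDS.dit
# export scenarios, run over constructed domain-controller Security events.
from collections import defaultdict

# Constructed 4769 (TGS request) and 4688 (process creation) records from DC01.
DC_EVENTS = [
    # AES ticket for a service account: normal, must not fire.
    {"id": 4769, "account": "jdoe@CORP.LOCAL", "service": "svc_sql", "enc": "0x12", "status": "0x0", "src": "10.0.0.7"},
    # RC4 tickets for several user-account SPNs from one client: Kerberoasting pattern.
    {"id": 4769, "account": "jdoe@CORP.LOCAL", "service": "svc_sql", "enc": "0x17", "status": "0x0", "src": "10.0.0.5"},
    {"id": 4769, "account": "jdoe@CORP.LOCAL", "service": "svc_web", "enc": "0x17", "status": "0x0", "src": "10.0.0.5"},
    {"id": 4769, "account": "jdoe@CORP.LOCAL", "service": "svc_backup", "enc": "0x17", "status": "0x0", "src": "10.0.0.5"},
    # Machine-account and krbtgt tickets are excluded even when RC4 is used.
    {"id": 4769, "account": "WS01$@CORP.LOCAL", "service": "DC01$", "enc": "0x17", "status": "0x0", "src": "10.0.0.9"},
    {"id": 4769, "account": "jdoe@CORP.LOCAL", "service": "krbtgt", "enc": "0x17", "status": "0x0", "src": "10.0.0.5"},
    # NTDS.dit export via ntdsutil "install from media" and a manual shadow copy.
    {"id": 4688, "host": "DC01", "user": "CORP\\admin", "image": r"C:\Windows\System32\ntdsutil.exe",
     "cmd": 'ntdsutil "ac i ntds" ifm "create full C:\\temp" q q'},
    {"id": 4688, "host": "DC01", "user": "CORP\\admin", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin create shadow /for=C:"},
    # Listing shadow copies is routine and must not fire.
    {"id": 4688, "host": "DC01", "user": "SYSTEM", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin list shadows"},
]

KERBEROAST_THRESHOLD = 3  # distinct user-account SPNs requested with RC4 by one client (assumption)
RC4_HMAC = "0x17"          # TicketEncryptionType value for RC4-HMAC in Event ID 4769


def is_user_spn(service):
    """True for SPNs tied to user accounts; krbtgt and computer accounts ($) are out of scope."""
    return service.lower() != "krbtgt" and not service.endswith("$")


def detect_kerberoasting(events):
    """Return (src, account, [spns]) for clients that pulled many RC4 tickets for user SPNs."""
    rc4_by_client = defaultdict(set)
    for e in events:
        if e["id"] == 4769 and e["enc"] == RC4_HMAC and e["status"] == "0x0" and is_user_spn(e["service"]):
            rc4_by_client[(e["src"], e["account"])].add(e["service"])
    return [(src, acct, sorted(spns))
            for (src, acct), spns in rc4_by_client.items() if len(spns) >= KERBEROAST_THRESHOLD]


# (image name, command-line marker) pairs associated with exporting the AD database.
NTDS_PATTERNS = (("ntdsutil.exe", "ifm"), ("vssadmin.exe", "create shadow"), ("esentutl.exe", "ntds.dit"))


def detect_ntds_dump(events):
    """Return (host, user, cmd) for process creations matching an NTDS.dit export pattern."""
    hits = []
    for e in events:
        if e["id"] != 4688:
            continue
        exe = e["image"].rsplit("\\", 1)[-1].lower()
        cmd = e["cmd"].lower()
        if any(exe == image and marker in cmd for image, marker in NTDS_PATTERNS):
            hits.append((e["host"], e["user"], e["cmd"]))
    return hits


if __name__ == "__main__":
    print("Kerberoasting:", detect_kerberoasting(DC_EVENTS))
    print("NTDS.dit export:", detect_ntds_dump(DC_EVENTS))
```

Two caveats a practitioner would want: 4769 events only exist if "Audit Kerberos Service Ticket Operations" is enabled on the domain controllers, and the RC4 filter is a heuristic, since tooling can request AES tickets for accounts that support them, so a complementary approach is to watch for any TGS request against honeytoken service accounts that nothing legitimate should ever use. Likewise, ntdsutil IFM exports and shadow copies are legitimate administrative operations; the alert is a prompt to confirm the change ticket, not proof of compromise.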

In summary, this attack graph will evaluate security and incident response processes and support the improvement of your security control posture against a range of Russia-based threat actors. With data generated from continuous testing and use of this attack graph, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against a known and dangerous threat.

AttackIQ stands at the ready to help security teams implement this attack graph and other aspects of the AttackIQ Security Optimization Platform, including through our co-managed security service, AttackIQ Vanguard.