Five Eyes: Expect more cyberattacks as the Ukraine conflict drags on
Russian-aligned cybercrime groups are moving into top gear to support their government as the war in Ukraine rages, according to the Five Eyes intelligence and security alliance.
A joint cybersecurity advisory from the Five Eyes nations' cybersecurity agencies, including New Zealand's National Cyber Security Centre, warns "evolving intelligence indicates that the Russian government is exploring options for potential cyber-attacks."
A number of Russian hacking groups had publicly pledged support for Russia's government, while others had been identified as loyal to Putin's administration and having the potential to carry out attacks on its behalf.
Those groups aligning themselves with Russia's government include The CoomingProject, Killnet, Mummy Spider, Salty Spider, Scully Spider, Smokey Spider, Wizard Spider, and the Xaknet Team, according to Five Eyes.
Primitive Bear and Venomous Bear are Russia-aligned, but their actions haven't been attributed to the Russian government yet.
The Five Eyes advisory warns organisations to harden cyber infrastructure
"These Russian-aligned cybercrime groups have threatened to conduct cyber operations in retaliation for perceived cyber offensives against the Russian government or the Russian people," the joint advisory read.
"Some groups have also threatened to conduct cyber operations against countries and organisations providing materiel support to Ukraine," it added.
The Five Eyes advisory also points the finger directly at Russian government agencies for launching "malicious cyber operations" against other countries' cyber infrastructure. These include the Russian Federal Security Service (FSB), including FSB's Center 16 and Center 18, the Russian Foreign Intelligence Service, Russian General Staff Main Intelligence Directorate, GRU's Main Center of Special Technologies, Russian Ministry of Defense, and the Central Scientific Institute of Chemistry and Mechanics.
New Zealand's military aid to Ukraine would potentially make it a target for retaliation, though the immediate activity of Russia-aligned groups both in the run-up to the invasion and in the weeks following it has been against Ukrainian websites and digital infrastructure as part of measures to thwart the country's efforts to defend itself.
Nevertheless, Five Eyes is warning all organisations to harden cyber security infrastructure against attacks involving destructive malware, ransomware, DDoS attacks, and cyber espionage.
Mitigating efforts
Mitigating efforts Five Eyes recommends include updating software, operating systems and firmware on IT assets and enforcing multi-factor authentication. It also urges organisations that use RDP (Remote Desktop Protocol) to connect computers over a network to secure it and monitor it closely.
"RDP exploitation is one of the top initial infection vectors for ransomware, and risky services, including RDP, can allow unauthorized access to your session using an on-path attacker," the Five Eyes advise.
To prepare for recovering from cyber attacks, Five Eyes advises having a cyber incident response and continuity of operations plan, maintaining offline backups of encrypted data and developing recovery documentation "that includes configuration settings for common devices and critical equipment".