
Russian Cyber Activity Draws New Attention

Why do we keep talking about Russia? Global rivalries and military actions fuel increased cyber activity as it regards Russia. Russia says it sees the US and UK as responsible for recent attacks on its soil.

Steve Benton
May 21, 2024

Why do we keep talking about Russia?

Global rivalries and military actions fuel increased cyber activity as it regards Russia. Russia says it sees the US and UK as responsible for recent attacks on its soil. On May 17, 2024, Russia’s ambassador to Britain described the UK government as a de facto participant in the Ukraine war. Earlier this month, several US federal agencies (CISA, DOE, EPA, FBI, FDA, MS-ISAC, NSA, and USDA), together with the Canadian Centre for Cyber Security (CCCS) and the United Kingdom’s National Cyber Security Centre (NCSC-UK), issued an advisory on the continued malicious cyber activity conducted by pro-Russia hacktivists against operational technology (OT) devices in North America and Europe.

While most kinetic military actions are limited to Ukraine and Russia, direct cyber actions involve more countries. In these actions, we see traditional government-sponsored advanced persistent threat (APT) actors, but we also see a significant involvement of hacktivists and financially motivated actors contributing to espionage, destruction, informational warfare, or mere financially motivated attacks contributing to the ongoing attrition.

Should we worry about increased cyber activity related to Russia and the war in Eastern Europe?

The significant variety of cyber actors involved and the nature of their objectives make it inevitable that targeting extends well beyond Ukraine and affects many countries and industries.

Russia-based actors are often among the most sophisticated, spanning state-sponsored cyber operations, espionage and information gathering, disruptive and destructive attacks, and geopolitical motivations with social media influence operations. For anyone working in cyber security, the Russian threat actor names are all too familiar—both government-sponsored groups (such as Fancy Bear (APT28), Cozy Bear (APT29), and Sandworm Team, to name but a few) and financially motivated groups (such as Pinchy Spider and Wizard Spider).

Despite the best efforts to isolate Russia with different sanctions, the country remains integrated with the global economy. Russia continues to procure civilian, double-purpose, and even defense-related goods from neutral countries and even from countries supporting Ukraine. For this and other reasons, we felt it important to monitor cyber activity targeting Russia separately from cyber activity originating from Russia.

What is Anomali doing for customers?

Anomali has released the “Russian Cyber Activity, 2024 Edition” dashboard to help customers with this monitoring. This dashboard features multiple interactive widgets with unique filters explained below:

  • "Observables Attributed to Russia-Based Threat Groups by Source" displays the aggregate number of indicators attributed to particular Russia-based threat groups, grouped by source. It allows analysts to see volumes of recent related indicators by source (feeds/intelligence provider). Currently, feeds by CrowdStrike and Anomali Adversary Intelligence dominate in this category.
  • "Observables Attributed to Russia by Source" displays the aggregate number of indicators attributed to Russia grouped by source. It allows analysts to see the volumes of recent related indicators by source (feeds/intelligence provider). 
  • "Total Observables Attributed to Russian Threat Groups" displays the aggregate number of indicators attributed to particular Russia-based threat groups.
  • "Observables Attributed to Russia" displays the aggregate number of indicators attributed to Russia.
  • "Copilot Advisories related to Russia" displays technical cybersecurity advisories related to Russia that are pre-processed with Anomali Copilot.
  • "Copilot Research related to Russia" displays cybersecurity research publications related to Russia and pre-processed with Anomali Copilot.
  • "Observables Originating from Russia by iType" displays the aggregate number of indicators attributed to Russia grouped by type. It allows analysts to see volumes of different indicator types. For example, as attributed to Russia, the top three on the Anomali Platform are currently anonymous VPN IPs, scanning IPs, and malware file hashes.
  • "Observables Attributed to Russia by Hosting Country" displays the aggregate number of indicators attributed to Russia grouped by the hosting country. It allows analysts to see the volumes of recent network indicators attributed to Russia by the hosting country. Currently, the top three hosting countries in this category are Russia, the US, and Portugal.
  • "Copilot News related to Russia" displays cybersecurity news articles related to Russia that are pre-processed with Anomali Copilot.
  • "News & Research Articles related to Russia" displays the full spectrum of recent reports related to Russian cyber activity.
  • "Russian Cyber Activity: Related Actors" displays recent actor profiles that are likely Russia-based or otherwise related to Russia.
  • "Malware and Tools Related to Cyber Activity Involving Russia" displays recent malware and tool profiles that are likely Russia-based or otherwise related to Russia.
  • "Observables Targeting Russia by Source" displays the aggregate number of indicators involved in targeting Russia, grouped by source. It allows analysts to see volumes of recent related indicators by source (feeds/intelligence provider). Currently, various feeds by Kaspersky and Anomali Adversary Intelligence dominate in this category.
  • "Observables Targeting Russia by Hosting Country" displays the aggregate number of indicators involved in targeting Russia, grouped by the hosting country. It allows analysts to see the volumes of recent network indicators involved in targeting Russia by the hosting country. Currently, the top five hosting countries in this category are the US, Netherlands, Switzerland, Russia, and Germany.
  • "Total Observables Targeting Russia" displays the aggregate number of indicators involved in targeting Russia.
  • "Observables Targeting Russia by iType" displays the aggregate number of indicators involved in targeting Russia, grouped by iType. It allows analysts to see volumes of different indicator types. For example, as involved in targeting Russia, the top three on the Anomali Platform are currently malware file hashes, phishing domains, and phishing URLs.
  • "Actors Targeting Russia" displays recent actor profiles that are likely involved in targeting Russia.
  • "Malware and Tools Targeting Russia" displays recent malware and tool profiles that are likely involved in targeting Russia.
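The widgets above are, at bottom, counts of indicators grouped by source, indicator type and hosting country, computed separately for indicators attributed to Russia and indicators targeting Russia. The following is an added example, not Anomali's platform code: it models that aggregation over a handful of constructed indicators so that a team building its own view of a threat-intelligence feed can see how the two directions are kept apart. The `Observable` fields, feed names and indicator values are all assumptions made for the example.

```python
"""Aggregate threat indicators into widget-style summaries.

Added example, not Anomali code. The data model, field names and sample
indicators are constructed here to show grouping observables by source,
indicator type (iType) and hosting country, while keeping indicators
*attributed to* a country separate from indicators *targeting* it.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Observable:
    value: str            # the indicator itself (IP, domain, URL, hash)
    itype: str            # indicator type, e.g. "anon_vpn", "scan_ip", "mal_md5"
    source: str           # feed / intelligence provider that reported it
    hosting_country: str  # where the network resource is hosted ("" if not applicable)
    attributed_to: str    # country the activity is attributed to ("" if unknown)
    targets: str          # country the activity is aimed at ("" if unknown)


# Constructed sample data; every value below is a placeholder, not a real indicator.
SAMPLE: List[Observable] = [
    Observable("203.0.113.10", "anon_vpn", "Feed A", "RU", "RU", "US"),
    Observable("203.0.113.11", "scan_ip", "Feed A", "US", "RU", "UA"),
    Observable("198.51.100.5", "scan_ip", "Feed B", "PT", "RU", "DE"),
    Observable("0123456789abcdef0123456789abcdef", "mal_md5", "Feed B", "", "RU", "US"),
    Observable("example-phish.invalid", "phish_domain", "Feed C", "NL", "", "RU"),
    Observable("https://example-phish.invalid/login", "phish_url", "Feed C", "NL", "", "RU"),
    Observable("fedcba9876543210fedcba9876543210", "mal_md5", "Feed D", "", "", "RU"),
    Observable("192.0.2.77", "c2_ip", "Feed D", "CH", "", "RU"),
]


def attributed_to(obs: Iterable[Observable], country: str) -> List[Observable]:
    """Indicators whose activity is attributed to `country` (the 'originating' view)."""
    return [o for o in obs if o.attributed_to == country]


def targeting(obs: Iterable[Observable], country: str) -> List[Observable]:
    """Indicators involved in targeting `country`, kept separate from attribution."""
    return [o for o in obs if o.targets == country]


def count_by(obs: Iterable[Observable], field: str, top: int = 5) -> List[Tuple[str, int]]:
    """Count indicators by one field (source, itype, hosting_country), most common first.

    Indicators with an empty value for the field are skipped: a file hash, for
    instance, has no hosting country and must not inflate a "hosting country" widget.
    """
    counts = Counter(getattr(o, field) for o in obs if getattr(o, field))
    return counts.most_common(top)


def dashboard(obs: Iterable[Observable], country: str = "RU") -> dict:
    """Build the widget-style summaries for one country, in both directions."""
    obs = list(obs)
    attributed = attributed_to(obs, country)
    targeted = targeting(obs, country)
    return {
        "attributed_total": len(attributed),
        "attributed_by_source": count_by(attributed, "source"),
        "attributed_by_itype": count_by(attributed, "itype"),
        "attributed_by_hosting_country": count_by(attributed, "hosting_country"),
        "targeting_total": len(targeted),
        "targeting_by_source": count_by(targeted, "source"),
        "targeting_by_itype": count_by(targeted, "itype"),
        "targeting_by_hosting_country": count_by(targeted, "hosting_country"),
    }


if __name__ == "__main__":
    for widget, rows in dashboard(SAMPLE).items():
        print(f"{widget}: {rows}")
```

The split into `attributed_to` and `targeting` is the point of the exercise: an indicator hosted in Russia and an indicator aimed at Russia can look identical in a feed, and a single "Russia" filter would merge them. Filtering on the direction first and only then grouping keeps the two pictures distinct, which is what the separate "Attributed to" and "Targeting" widgets do.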

For users of the new Anomali Platform UI, this dashboard can be added at the following path:

Anomali Platform -> THREATSTREAM -> DASHBOARD -> Classic Dashboard;
click Action -> Manage Dashboard -> Custom; search for “Russian Cyber Activity, 2024 Edition” and add it to your list of dashboards.

Coupled with Anomali’s Copilot AI suite, the Anomali Security Operations platform connects the latest relevant threat intelligence with an enterprise's existing security tooling, allowing security operations to maintain a strong defense and resilience.

Steve Benton

Steve Benton is the former Vice President of Threat Research at Anomali and is a highly experienced executive level security expert. Steve is a CISSP, a Fellow of the Chartered Institute of Information Security, and a member of the Cyber Defenders Council.

