Russia and Ukraine have had a particularly tense relationship since Russia’s annexation of Crimea in 2014. In the past weeks, we’ve observed Ukraine being at the centre of escalating rhetoric and military activity between Russia and Western powers. Currently, more than 100,000 Russian troops are reportedly amassed along the Ukrainian border, prompting concerns of a potential invasion in the short term.
Several bilateral and multilateral meetings have been held in the past weeks to avert any military escalation, with little lasting progress. Political leaders on both sides are lamenting the difficulties of reaching a peaceful agreement with the opposing parties, leaving this tense situation stalled for the moment.
Beyond military pressure, Ukraine also stands vulnerable to the constant risk of cyber attacks threatening to paralyze its critical national infrastructure and delegitimize its current government. For this reason, this blog will dive into this complex geopolitical scenario and the potential cyber threats to organizations.
Cyber operations are often used by state-sponsored threat actors in the initial phases of a conflict to achieve a series of short- and medium-term gains over their adversaries. In the context of hybrid warfare, states have developed an impressive toolkit of operations in the digital sphere that can severely endanger their opponent’s security. These operations range from disinformation campaigns aimed at sowing discord and unrest to destructive malware attacks aimed at causing significant damage to a country’s supply chain.
Since the beginning of 2022, Ukraine has been impacted by several high-profile cyber attacks. Although no firm attribution has been provided yet on these attacks, we assess that the attacker’s goal was to destabilize Ukraine and make its government look fragile. Here’s a brief recap of what’s happened in the past weeks:
Russia has denied any involvement in the WhisperGate campaign, but the Ukrainian Digital Transformation Ministry and independent security researchers have stated that all evidence points to an attack likely linked to or backed by the Russian government. Either way, these campaigns undoubtedly affected Ukraine well beyond the cyber sphere. Additionally, it is essential to consider the potential impact of such operations on third-party entities via collateral damage.
So, who should be concerned by these attacks? The short answer is: check your threat model. If Russian advanced persistent threats (APTs) are in your threat model and you operate in the field of critical national infrastructure, you may be at high risk of cyber attacks if the Russia-Ukraine situation escalates. For this reason, the next section will cover the tactics, techniques, and procedures (TTPs) typically used by Russian state-linked threat actors.
Monitoring Russia-associated threat actors is a daunting task for every security team. Russia is one of the few countries with proven offensive cyber capabilities whose state-linked APT groups are technically sophisticated and well-resourced. These groups typically act at the direction of the Russian state, focusing on strategic intellectual property that may be advantageous to Russia, and have conducted several high-profile attacks in the past, including the DNC hack and the supply-chain attack leveraging SolarWinds’ Orion platform.
Politically-motivated threat groups linked to the Russian Federation have demonstrated sophisticated technical skills and intrusion capabilities over the years. Possible activity may include the offensive deployment of information-stealers and destructive malware.
Targets of Russia-linked APT groups vary and often depend on the strategic interests of Russia, but tend to include organizations that possess highly profitable proprietary data and sensitive economic information. Governments are a common target, but private-sector organizations that maintain valuable data are equally vulnerable. In the context of this tense situation with Ukraine, Western organizations operating in the critical infrastructure sectors may realistically be targeted as well in order to thwart Ukrainian allies’ efforts.
Russia-linked threat actors are likely to conduct cyber operations in the early stages of a conflict in two main ways: by deploying destructive malware and by using psychological warfare techniques to control narratives. Notable examples of the first approach include the 2015 cyberattack on Ukraine’s power grid attributed to the Russia-backed APT group “Sandworm” and the 2017 deployment of the “NotPetya” malware. Additionally, Russia’s playbook includes proven disinformation strategies to spread inflammatory, false, and misleading narratives both domestically and internationally. As such, it is likely that Russia would use both of these techniques in conjunction with preliminary military offensives as part of its hybrid warfare capabilities.
Although it seems likely that Ukraine would feel the brunt of Russia’s cyberattacks, activity could potentially spill out globally – affecting Europe, the US, and NATO countries – as the NotPetya campaign did in 2017, causing a total of USD 10 billion in damage. The NotPetya attack serves as a reminder that a widespread cyber attack can inflict damage on multiple business sectors globally, disrupting economic activity and interconnected supply chains.
Russia’s regular use of cyber warfare in its military and political planning indicates that Ukraine’s allies operating in any sector related to critical national infrastructure are subject to higher levels of risk from Russian-backed threat actors.
To gain a more comprehensive picture of how cybercriminals are reacting to the possibility of a conflict in Ukraine, we have been monitoring Russian-language cybercriminal forums for chatter on this topic. Interestingly enough, forum users seemingly avoid talking about the current situation as much as possible.
This happens for two main reasons. First, most people on these forums live in areas directly or indirectly linked to this potential conflict and are treating the potential invasion as a sort of elephant in the room. It’s important to remember in this instance that since the Russian annexation of Crimea in 2014, this situation has been ever present in these two countries and never far from the headlines. Secondly, most forum users are currently more concerned about what’s happened with REvil and the risk of being targeted by Russian law enforcement authorities. As we’ve seen with the latest takedown of the credit-card theft forum SKY-FRAUD, Russia-based cybercriminals may no longer feel comfortable and are increasingly afraid of further seizures in their market.
Finally, it will be interesting to see how Russia-based cybercriminals react to a potential war with Ukraine. With both countries’ focus directed on the conflict, cybercriminals may have fewer eyes on them and could feel freer to operate undisturbed. Additionally, Russian-language cybercriminal forums currently do not allow their members to target Ukraine. Would the situation change in the event of a potential invasion? No firm answer can be given yet and, hopefully, we will never be in the situation to find out.
In situations like this one, raising the alert level for cyber attacks can support organizations in prioritizing staffing and proactive defensive measures, thus increasing the chances of preventing an attack or recovering quickly from it. Ultimately, any organization needs to make a thorough assessment of the current risk, the cost of implementing a comprehensive defensive strategy, and the potential costs stemming from a successful intrusion by an adversary.
Organizations can rarely influence the contextual threat level and should thus focus on significantly reducing the attack surface available to their adversaries. Sophisticated state-sponsored threat actors have an enormous toolkit to try to compromise a target, yet they often resort to simple techniques against the most vulnerable organizations. As such, companies should prioritize the following actionable strategies to prevent being compromised:
Given the current state of affairs, the FBI, CISA, and NSA have issued a joint advisory encouraging security professionals – in particular those working for critical infrastructure companies – to “adopt a heightened state of awareness and conduct proactive threat hunting”. Additionally, the NCSC renewed its warning to UK businesses to monitor for Russian cyberattacks during the present period of heightened tension. Finally, Mandiant has provided actionable recommendations to protect organizations from adversaries’ movement along the cyber kill chain. The document discusses hardening external-facing assets, protecting critical assets against on-premises lateral movement, and avoiding credential exposure. Implementing the measures recommended in these sources can greatly enhance the resilience of any organization concerned about the latest developments in this conflict.
Even if the situation between Russia and Ukraine doesn’t escalate in the coming weeks, applying the security measures described above can go a long way in preventing and quickly remediating cyber attacks stemming from a variety of threat actors with varying motivations and capabilities.
Threat intelligence isn’t always about IOCs and attributing attacks to a specific actor. Understanding geopolitical developments goes a long way in contextualizing the activities occurring in the digital space. Here at Digital Shadows (now ReliaQuest), the Photon Research Team assesses the risks and cyber threats that come with high-profile global events and looks at the wider cyber-security concerns. This includes understanding the operational risks associated with a country and better dealing with or mitigating some of these exposures. Take a customized demo of SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) with us, and let us show you how to better equip yourselves against the cyber threats out there.
If you are a Digital Shadows (now ReliaQuest) client with access to ShadowSearch, we’ve prepared a list of queries that you can use to stay on top of details as they emerge: