Ukraine Crisis Resource Center
Mandiant believes the Russian invasion of Ukraine has increased the cyber threat to our customers and community. Mandiant has created a task force and initiated a Global Event to track this situation and provide updated insights and guidance to our customers.
Fog of War: How the Ukraine Conflict Transformed the Cyber Threat Landscape
One year since Russia invaded Ukraine, we continue to see cyber operations play a prominent role in the war. To provide more insights into the role of cyber, we released a special report based on analysis from Google’s Threat Analysis Group (TAG), Mandiant, now part of Google Cloud, and Google Trust & Safety. The report encompasses new findings, and retrospective insights, across government-backed attackers, information operations (IO) and cybercriminal ecosystem threat actors. It also includes threat actor deep dives focused on specific campaigns from 2022.
Anticipating and Preparing for Russian Cyber Activity
Alongside the continued tensions between Russia and Ukraine is the potential for increased cyber threat activity. Given historical Russian campaigns against Ukrainian and western targets, what might such activity look like now? Understand how these threats might evolve in the near future and how organizations can harden their infrastructure against destructive attacks. In particular this briefing covers:
- An overview of the Russian cyber capability, including actors who are likely to be employed currently and in future operations.
- The targeting and TTPs to watch for from some of the notable threat clusters, such as Sandworm Team.
- A close look at aggressive cyberattack and information operations which are more likely in the event of conflict.
- Steps organizations can proactively take to harden their environment against destructive attacks.
Presenters: John Hultquist, Vice President – Mandiant Threat Intelligence, and Matthew McWhirt, Managing Director – Mandiant Consulting
Linux Endpoint Hardening to Protect Against Malware and Destructive Attacks
Linux is becoming a prime target because it is used as the operating system for everything from basic household items to critical infrastructure. This paper provides recommendations to protect Linux endpoints from adversarial abuse.
Distributed Denial of Service (DDoS) Protection Recommendations
As the crisis escalates, so does the potential for DDoS attacks. This guide outlines the different types of DDoS events and the protection recommendations.
Proactive Preparation and Hardening to Protect Against
Our latest paper includes hardening and detection guidance to protect against a destructive attack or other security incident within your environment.
How Mandiant Can Help
Mandiant provides numerous offerings to help address the potential threat activity associated with the Russian invasion of Ukraine.
Actions to take now:
- Stay on top of the evolving situation and associated threats with a free Mandiant Advantage Threat Intelligence subscription.
- Identify evidence of past or ongoing attack activity with a compromise assessment. The threat hunt will provide insight into attacker attribution and motivation so organizations know if they are being targeted.
- Stop emerging threats before they impact your IT or OT environments with monitoring, proactive threat hunting and response provided by Managed Defense experts specializing in IT-OT security.
Mandiant Advantage Threat Intelligence Reports
UNC2589 Targets Ukrainian Energy Infrastructure and Government Agencies
UNC2589 likely targeted Ukrainian energy infrastructure and government agencies using police and medical related lure material.
GOOSECHASE, FINETIDE, and MARSSTEALER Leveraged Against Transportation and Government Industries in Europe; Possible Link to UNC2589
In mid-February 2022, Mandiant Threat Intelligence uncovered a new spear-phishing campaign targeting the government and civil aviation industries in Europe. In addition to using the publicly available GOOSECHASE downloader and FINETIDE payload, this campaign deployed MARSSTEALER, a commercially available credential stealer.
Responses to Russia's Invasion of Ukraine Likely to Spur Retaliation
Mandiant Threat Intelligence assesses with moderate confidence that Russia will conduct additional destructive or disruptive cyber attacks connected to the crisis in Ukraine. Russian cyber attacks almost certainly will focus first on Ukraine, with Western/NATO allies also being possible targets.
Ukraine's Exposure of Alleged TEMP.Armageddon Actors Unlikely to Significantly Alter Its Cyber Espionage Activity Against Ukraine
Summary of Mandiant reporting on TEMP.Armageddon, alongside SBU (Ukrainian) public indictment of Armageddon actors
Cyber Threat Actors Announce Threats and Attacks Against Critical Infrastructure in Response to Russia/Ukraine Conflict
In response to the Russia/Ukraine conflict, various cyber threat actor groups have been announcing sides and possible threats of action against various parties. Mandiant Threat Intelligence observed some activity with implications for critical infrastructure and operational technology (OT).
Threat Activity Alert: Suspected UNC1151 Activity Targeting Ukrainian Government Using MICROBACKDOOR and Bombardment Sheltering Guideline Lure
Mandiant Threat Intelligence discovered new activity targeting Ukrainian government entities using MICROBACKDOOR and a lure titled “What to do? During artillery shelling by volley fire systems.”
NEARMISS, New Master Boot Record Wiper Targets Ukraine, Defacements of Ukrainian Government Websites
On Feb. 23, a new wiper malware was deployed against multiple targets in Ukraine. Mandiant is tracking this malware as NEARMISS. The malware wipes the master boot record (MBR) of the computer it is executed on, rendering it inoperable.
TEMP.Armageddon Likely Targets Ukrainian Government Officials with Russia-Ukraine Conflict-Themed Lure Content
Mandiant Threat Intelligence uncovered a TEMP.Armageddon campaign leveraging lure message content related to the ongoing Russian invasion of Ukraine against what are likely Ukrainian government officials.
Threat Activity Alert: Hacktivist Actor 'CyberPartisans' Claimed to Compromise the ODS Database of Belarus’ Ministry of Internal Affairs
Translated hacktivist group's message lists officials and their involvement.
Pro-Russian 'Secondary Infektion' Operations Promote Narratives Targeting Ukraine Amid Russian Military Escalation
Pro-Russian influence campaign targets Ukraine in an effort to undermine Ukrainian and Russian relations as well as negatively impact Ukrainian public opinion of Germany and Poland.
Cyber Operations Likely Part of Any Escalation Against Ukraine
Mandiant Threat Intelligence is monitoring the escalating tension between Ukraine and Russia and looking for reflections of increased cyber threat activity from Russian state-sponsored actors as a result.