Throughout the duration of COVID-19, there have been consistent rumors of increased nation-state espionage. In parallel, many recent ransomware strains have a COVID-19 tie-in.
Now the United Kingdom's National Cyber Security Centre (NCSC), published an advisory report that the threat group APT29 is targeting governmental, diplomatic, think-tank, healthcare and energy targets for intelligence gain which are involved in COVID-19 vaccines development and testing. APT29 is most likely attributed to the Russian intelligence service.
Phase 1: Is My Organization Impacted? Are We Affected?
As an organization within those sectors, you should make sure to establish real-time monitoring and appropriate alerting if you see any Indicator of Compromise (IoC) listed in the NCSC report.
- Within your network traffic data you should look if any IP Connection is going to be established to those published malicious IPs. This includes network traffic data from/to default gateways, network egress points such as VPNs, DMZs as well as in Cloud environments such as AWS VPCs
- Within your Endpoints, On-Prem Server Systems and Cloud Instances (EC2 etc.) you should validate if any process with the called out hashes are running. In addition, you should check with your endpoint protection solution if those hashes are on the blocklist already. In case they aren’t - add them.
- On your proxy servers you should establish monitoring to detect any internet surfing activity quickly against the IPs.
- At your public-facing business applications - on which your employees or your customers can log in - you should establish monitoring of any authentication attempts against the source IPs.
Phase 2: Have We Been Affected in the Past?
You should not just look into realtime information - but also look back and correlate the threat intelligence information available today with the data from yesterday and last week or maybe even months back. Even if the attack group cleaned up their trails today you are able to identify if they have been in your network and where potentially they still are in and are sleeping. Also, you can identify patient zero - the host or service that was compromised first to get initial access. Going forward that host might still be the weak point in your environment (at least as long as the cyber group hasn’t patched it which wouldn’t be uncommon ;-)).
Security teams should look into uplevelling their security monitoring strategy to not just correlate IoCs - as they are too easy to change for an attacker. They should really look into detecting the behavior and scoring it appropriately.
Phase 3: Mature from IoCs Checks to Detect Tactics, Techniques and Procedures
While you shouldn’t stop looking for IoCs, on the next level you should look into behavior which can be more generally adopted and is way harder for an espionage group to stay hidden.
For example, rather than relying on a list of hash values of malware files (IoCs) you can apply simple analytics such as newly seen or first seen executables based on hash values across your environment. Through this you not just detect brand new malware - you will also quickly detect unwanted programs or updates that went outside your routine process. Similar “new seen” concepts you can apply against data of privileged user logons to systems or applications they never logged on before. The Security Teams at Telia as well as Swisscom are disrupting the kill chain with this data-driven approach. From there you can further develop your prioritization strategy and determine what newly seen activity is worth investigating, or worth investigating first.
If Phase 1 and Phase 2 are happening regularly in your environment and are very time consuming - especially in large heterogeneous technology landscapes, you should think about utilizing SOAR Technology such as Splunk Phantom to automate those actions in a playbook across your cloud and on-prem environments.
Hope this helped you to bring this case to your attention and validate if your organization has been affected.