Prepare your Organization for Potential Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure

This UDTSecure Cyber Alert recommends what to look for and shares intelligence sources for more detailed information

UDT remains vigilant of the escalating hostilities between Russia and Ukraine and the growing concern of cyber-attacks attempting to disrupt critical infrastructure services in the United States. At this point, we highly recommend our clients take immediate and precautionary measures to ensure security controls are working as designed and indicators of compromise identified which historically have been tied to these nation state actors. This UDTSecure Cyber Alert recommends what to look for and shares intelligence sources for more detailed information.  

We remain on a high state of vigilance given the current environment and will continue to issue important alerts as we identify them.

If you believe you are seeing indicators of compromise (IOC) mentioned in this alert or suspicious activities in general, do not hesitate to contact us directly at 1800-882-9919



  • Review your incident response plan and confirm all team members have access to the latest and approved copy of the plan. We recommend performing an incident response tabletop exercise that plays out a scenario based on a ransomware and DDoS attack. This will identify weaknesses in the plan itself.
  • Validate your Cybersecurity Liability Insurance not just to make sure its active but to ensure it covers losses caused by a ransomware attack. Now is the time to understand the type of coverage and policy your organization has and what triggers a claim.
  • Review listing of Mission Critical Systems with respective system and business owners. Then perform the following review on those assets:
    1. Prioritize the systems by referencing the latest version of the Business Impact Analysis
    2. Review which users have access to those systems especially those with admin privileges. Remove those which have not logged on for more than 60 days.
    3. All users having access to these systems should have MFA enabled accounts along with the use of Complex Password Policies.
    4. Validate these systems have logging enabled and the latest AV/Malware versions installed
    5. Monitor these systems and ensure detection policies for any changes to files or user account privileges. Alerts should also trigger command line or PowerShell scripting executions
  • Disable storage of clear text passwords in LSASS memory
  • Conduct a user access review of all AD users. Remove those with no need to access the system.
  • Apply strong and complex password policies to all Service Accounts
  • Consider disabling LLMNR/NTBIOS services from the network. This is highly used to conduct LLMNR poisoning techniques in Brute Force and Password Harvesting. Test first by using a small sample set of systems before rolling out to the enterprise
  • Disable Microsoft’s Online Web Access (OWA) which allows users to access their emails. All users should be logging on to O365 applications directly with MFA. OWA has no authentication techniques available and is highly leveraged by attackers once they have stolen credentials
  • Verify the latest versions of backups. Spot those jobs which have a pattern of failing and verify what data is contained. More importantly, validate failed jobs are redone and completed successfully.
    1. Ensure you maintain three separate copies of backups and that at least one is maintained securely offline
    2. Confirm configuration settings for mission critical systems and network devices are included in the backups
  • Confirm firewall Inbound and Outbound traffic are updated by referencing OFAC Country Lists. The same should be applied for Microsoft Geo Detection Rules for email traffic
  • Consider removing Local Domain Admin Privileges from users that have no need for this.
  • Notify employees and staff to remain vigilant of suspicious emails due to the heighten state we’re currently in. We recommend you do this sooner rather than later.
  • Perform External Vulnerability Scans to identify Critical or High vulnerabilities on internet facing systems. Perform recommended mitigations or apply patches accordingly. Critical vulnerabilities should be remediated within 15 days and Highs within 30-day period. Prioritize mitigation activities to mission critical systems first.
  • Once the External Vulnerabilities have been completed, perform the Internal network vulnerability scans.
  • Filter emails containing executable files to prevent them from reaching end users


3rd Party Vendor Vigilance

Russian state-sponsored actors have compromised third-party infrastructure, third-party software, or developing and deploying custom malware. The actors have also demonstrated the ability to maintain persistent, undetected, long-term access in compromised environments including cloud environments by using legitimate credentials.

We recommend that you request a copy of your 3rd Party Vendor’s SSAE-16/18 SOX Attestation Report immediately to verify what compensating controls the 3rd party provider recommends you deploy in your environment to secure access between both parties.



Historically, Russian state-sponsored advanced persistent threat (APT) actors have used common but effective tactics including spear phishing, brute force, and exploiting known vulnerabilities against accounts and networks with weak security to gain initial access to target networks.

Top vulnerabilities known to be exploited by Russian state-sponsored APT actors for initial access include:

  • CVE-2018-13379 FortiGate VPNs
  • CVE-2019-1653 Cisco router
  • CVE-2019-2725 Oracle WebLogic Server
  • CVE-2019-7609 Kibana
  • CVE-2019-9670 Zimbra software
  • CVE-2019-10149 Exim Simple Mail Transfer Protocol
  • CVE-2019-11510 Pulse Secure
  • CVE-2019-19781 Citrix
  • CVE-2020-0688 Microsoft Exchange
  • CVE-2020-4006 VMWare (note: this was a zero-day at time.)
  • CVE-2020-5902 F5 Big-IP
  • CVE-2020-14882 Oracle WebLogic
  • CVE-2021-26855 Microsoft Exchange (Note: this vulnerability is frequently observed used in conjunction with CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065)



To detect password spray activity, review authentication logs for system and application login failures of valid accounts. Look for multiple, failed authentication attempts across multiple accounts.

To detect use of compromised credentials in combination with a VPS, follow the below steps:

  • “Impossible Logins” from users utilizing two IPs which originate from geographic locations that are significantly distant.
  • Review detection and alerting for program execution command line indicating credential dumping, especially attempts to access or copy the ntds.dit files from a domain controller
  • Alerting on suspicious privileged account use after resetting passwords
  • Identify Service Accounts with privilege access which they should not have. Especially those service accounts accessing multiple applications or services.
  • Alert on unusual activities originating from dormant accounts
  • Detection of a single IP used for multiple accounts



If you suspect potential APT activity in your IT networks, take the following steps:

  1. Immediately understand the perceived source of the attack. Isolate affected systems.
  2. Scan backup data with AV program to ensure its free of malware. Try and restore the backups in a test environment first
  3. Contact a 3rd party Incident Response Company with significant experience conducting incident response investigations
  4. Collect and store relevant logs, data and artifacts. Do not perform analysis on affected systems without first creating an image of the affected systems. Analysis must be done on the copy and not the affected system itself.

Accomplish More With UDT

Get your custom solution in cybersecurity, lifecycle management, digital transformation and managed IT services. Connect with our team today.

More to explore

Crafting a Futureproof 1:1 Device Strategy for School Districts

In the evolving landscape of Education Technology, crafting a futureproof 1:1 device strategy is crucial. This strategy should link every student, teacher, and administrator experience with specific device specifications. The integration of educational apps into the curriculum can significantly enhance the learning environment. These apps, tailored to the needs of students, can provide interactive content, fostering a dynamic learning experience.

Optimizing Your K12 Tech Investments: Funding 1:1 Device Programs

This blog will guide school districts grappling with the financial and resource demands of implementing a successful 1:1 device program amid ongoing challenges of budget constraints and competing priorities. Our guided workbook, created in partnership with Intel, provides further support with personalized roadmap on “Pathways to Innovation: Building a Sustainable Digital Learning Environment”.​

K12 Cybersecurity: How to Secure 1:1 Devices in Your School District

This blog post delves into the importance of security, cybersecurity, and data privacy in school districts implementing 1:1 device initiatives. It offers basic steps for evaluating, planning, and executing a security strategy. Our guided workbook, created in partnership with Intel, provides a personalized roadmap on “Pathways to Innovation: Building a Sustainable Digital Learning Environment”.

Lost & Stolen Devices are a Serious Data Security Threat—Here’s Why

Since the pandemic, remote and hybrid work has become the norm. While mobile devices and remote workstations have empowered great flexibility, it has also led to an increase in data security problems due to lost, misplaced, or stolen devices. Find out how remote and hybrid setups are contributing to this problem and how to protect yourself and your organization.​

Ransomware Gangs Adding Pressure with ‘Swatting’ Attacks—Here’s What You Need to Know

Ransomware gangs are implementing new extortion tactics to encourage victims to pay up. Swatting is becoming an increasingly popular tactic. It involves calling law enforcement to falsely report a serious, in-progress crime triggering an extreme response such as an armed raid from the SWAT team. Explore how cybercriminals are using this tactic and what you can do to prevent it from happening to you.​

Smishing Attacks are on the Rise—Here’s How To Keep Your Data Safe

Smishing attacks are on the rise, posing a significant threat to data security. Originating from a blend of SMS and Phishing, these attacks have seen a drastic increase since 2020. The widespread use of smishing attacks has persisted, with a lack of awareness being a major issue. Many view these as simple spam messages, unaware of the danger they pose. This blog aims to raise awareness about smishing and provide actionable insights to protect yourself and your organization.

Experiencing a security breach?

Get immediate assistance from our security operations center! Take the following recommended actions NOW while we get on the case:


  1. Determine which systems were impacted and immediately isolate them. Take the network offline at the switch level or physically unplug the systems from the wired or wireless network.
  2. Immediately take backups offline to preserve them. Scan backups with anti-virus and malware tools to ensure they’re not infected
  3. Initiate an immediate password reset on affected user accounts with new passwords that are no less than 14 characters in length. Do this for Senior Management accounts as well.

Just one more step

Please fill out the following form,