ThreatLabz Security Advisory: Cyberattacks Stemming from the Russia-Ukraine Conflict

ThreatLabz has observed a resurgence in targeted attack activity against Ukraine in the recent months. We’ve identified two targeted attack chains that were likely waged by the Gamaredon APT threat actor between January and February 2022, and expect to see similar attacks in the coming days and weeks.

On February 16th, 2022, CISA along with the FBI and NSA issued a joint cybersecurity advisory outlining the tools and tactics used by Russian threat actors in targeting government and defense contractors with an objective to steal sensitive information. This advisory outlined the use of tactics such as spear phishing emails, credential stuffing, brute forcing, privilege escalation, and persistence.

With the Russia-Ukraine conflict escalating into a war, the risk of cybersecurity threats targeting US & European organizations has also gone up significantly. The below industries are at particularly heightened risk—but it is important for all global organizations to prepare their defense and response to such attacks:

Figure 1: Industries Targeted (Credit: CISA)

How does Zscaler protect my organization against these attacks?

The Zscaler Zero Trust Exchange uses the principles of zero trust to protect your organization from cyber risks. Our protections closely map to trusted frameworks from organizations such as NIST and MITRE, and are continually updated by ThreatLabz experts and AI/ML models utilizing current data from the world’s largest security cloud, which processes over 200B transactions per day.

Zscaler uniquely protects against these attacks by:

Minimizing your attack surface and making apps invisible: Zscaler Private Access (ZPA) hides your internal apps behind our cloud proxy-based zero trust platform, making them invisible to the internet. When attackers cannot find your applications, they cannot attack them.
Preventing Compromise by detecting and blocking malicious activity: Zscaler Internet Access (ZIA) inspects all internet traffic—whether encrypted or unencrypted—for indicators of compromise. If a file is unknown, Zscaler quarantines and detonates it with our in-line sandbox, only allowing files to proceed once they’ve been analyzed and deemed safe.
Preventing lateral movement: ZPA connects users to resources only on a least-privilege basis, without granting network access – and Zscaler Workload Segmentation (ZWS) does the same for applications. Zscaler Deception populates your environment with decoys that can lure, detect, and contain sophisticated threat actors. Together, these capabilities provide defense-in-depth against lateral spread of an infection and limit the damage an attacker can cause.
Stopping data loss. ZIA inspects all outgoing traffic – again, whether encrypted or unencrypted – to prevent malicious post-compromise activity such as communication with command-and-control servers and data exfiltration. Zscaler also protects valuable assets in the public cloud and SaaS apps by identifying misconfigurations and other vulnerabilities that may lead to data loss.

Security recommendations

Zscaler recommends a robust zero trust strategy based on the principles outlined above. Additionally, security teams must ramp up other areas of security hygiene in preparation for potential incidents, including:

Patching. Ensure your enterprise applications are up-to-date with the latest security updates to minimize vulnerabilities.
Backup and recovery. Ensure that your system backups are regular and current, and that backups are protected from attackers who may compromise your production servers. 
SOC response playbooks & IR plans. Ensure that your security operations team has response plans in place, prioritizing the most likely attack types – such as DDoS, Bruteforcing, and Ransomware.
Monitoring. Engage in heightened monitoring of assets exposed to the conflict region.
Security awareness training. As with many attacks, the recently discovered Hermetic wiper attack utilized spear phishing for initial compromise. Educate and remind your end users to be on the lookout for phishing attempts, use good password hygiene, and care for the physical security of corporate assets.

How is Zscaler ThreatLabz helping our customers?

The ThreatLabz team is actively tracking several threat actor groups and related campaigns in the wild. Zscaler Cloud telemetry provides a unique visibility (200B+ transactions secured, 150M+ threats blocked, 400K+ new unique files detonated daily) for the team to get insights into new threat activity and ensure rapid detection coverage across the Zscaler security platform.

The following coverage was added for all the known indicators related to the recent attacks and we will continue to update as we uncover more details:

Advanced Threat Protection






Advanced Cloud Sandbox


Advanced Cloud Sandbox Report

Figure 2 below shows the sandbox detection report for Wiper malware.

Figure 2: Zscaler Cloud Sandbox Report - Hermetic Wiper

Figure 3 below shows the document template (from attack chain #1) detection in the Zscaler sandbox.

Figure 3: Zscaler Cloud Sandbox Report - Targeted Attack document template

Get more information

Please refer to our technical analysis blog to get more up-to-date information including IOC details.

If you are a Zscaler customer and need additional help planning for or remediating attacks associated with this conflict, please contact the ThreatLabz team through the support security channel. As your trusted security partner, we are here to help.

Article Link: ThreatLabz Security Advisory: Cyberattacks Stemming from the Russia-Ukraine Conflict | Zscaler