Critical Infrastructure

Category: Russia & Ukraine | Industries: Critical infrastructure, Government, Energy, Financial, Telecommunications, Transportation | Source: Mandiant

An analysis of Russia's activities since its invasion of Ukraine reveals a distinct six-phase cyber operation orchestrated by Russian military intelligence (GRU) with the aim of instigating disruptive cyber activities. Mandiant researchers Dan Black and Gabby Roncone outline the six phases, initiated by the GRU starting in 2019, as (1) strategic cyber espionage and pre-positioning, (2) initial destructive cyber operations linked with military invasion, (3) sustained targeting and attacks, (4) maintaining footholds for strategic advantage, (5) renewing campaigns of disruptive attacks, and finally, (6) a refocus on strategic cyber espionage and pre-positioning. This six-phase operation impacted Ukrainian organizations in government, telecommunications, financial services, energy, and transportation.

Diving into the GRU's playbook, Mandiant reports that the GRU employs various techniques for successful cyber operations. These include gaining initial access by compromising edge infrastructure (living on the edge), using built-in tools for stealthy reconnaissance and lateral movement (living off the land), employing group policy objects to maintain persistence, and ravaging the network by deploying disruptive tools like wipers and ransomware. In the final operational phase, the threat actors promote their campaigns on social media channels like Telegram to feed their narratives and boast, regardless of the campaign's effectiveness and outcome.

"Mandiant assesses with moderate confidence that this standard concept of operations highly likely represents a deliberate effort to increase the speed, scale, and intensity at which the GRU could conduct offensive cyber operations while minimizing the odds of detection. The benefits the playbook affords are notably suited for a fast-paced and highly contested operating environment, indicating that Russia’s wartime goals have likely guided the GRU’s chosen tactical courses of action." The playbook shared by Mandiant is emphasized to not be unique but it effectively summarizes the strategic and tactical approaches that Russia has employed in its campaign against Ukraine.

