Counteracting Nation-State-Sponsored Cyberattack Groups

The Russia-Ukraine war has put the world on high alert not just to the threat of physical attacks but to the potential for well-funded, sophisticated nation-state cyberattacks as well. The worry permeates not only government agencies but also businesses around the globe, and it is not without merit. In light of recent geopolitical shifts, U.S. intelligence agencies have recommended that organizations, both large and small, become more vigilant in their cybersecurity practices.

Routine testing of your organization’s attack surface can thwart opportunistic cybercriminals. But is this approach enough to keep you from becoming the target of an advanced, adaptive state-sponsored attacker? It is difficult to tell whether your organization was singled out as part of a coordinated hacking campaign, but businesses equipped with threat intelligence and a record of observed attack patterns can narrow down the list of suspects in the event of a security incident. With meaningful insights, executives can lead with confidence and notify the appropriate parties, such as law enforcement or legal teams.

Health care providers, financial institutions, governments and high-profile individuals, particularly those with operations in Ukraine, can find themselves the target of politically motivated cyberattacks. Understanding the groups behind these attacks and their arsenal of tools is key to forming a comprehensive incident response plan.

Several hacker groups, or advanced persistent threat (APT) groups, have been identified as affiliated with the Russian government. These groups exploit specific vulnerabilities in commonly used enterprise software, such as products from Microsoft, Adobe and Apple.

The Actors and Their Tools

The cyberattacks launched by Russian hacker groups range from disruptive ransomware operations to covert, long-running espionage malware infections.

Ransomware encrypts an organization’s data and systems and withholds the decryption keys until a ransom is paid, as in the 2019 incident that crippled Baltimore City systems. Espionage malware, on the other hand, spreads through a network while remaining undetected so that data can be extracted over a long period.

Here are some of the APT groups that have been identified and their known cyberattack tactics.

Gamaredon

Gamaredon is a Russia-based group whose activity has been documented in cyberattacks targeting critical infrastructure and utility service providers in Ukraine. It operates under several aliases, including Primitive Bear and Armageddon.

This APT group has been known to breach networks and then grant other groups unrestricted access to the compromised environment.

Nobelium

Many of today’s most dangerous cyberattack tactics can be traced back to 2020, when Nobelium infiltrated SolarWinds and pushed a trojanized update of its Orion software to customers, compromising hundreds of organizations in the U.S. More recently, Nobelium has continued to target U.S. resellers and cloud service providers in order to reach their downstream customers.

Microsoft released best practices and guidance for thwarting Nobelium’s attacks in the fall of 2021.

Wizard Spider

With origins in St. Petersburg, Russia, Wizard Spider is the leading operator of hacking tools such as BazarLoader, TrickBot, Ryuk and, most notoriously, Conti. The Conti ransomware has proven extremely lucrative, netting over $150 million in ransom payments.

Multifactor authentication can block the initial intrusion when it relies on stolen credentials, and network segmentation can keep intruders from reaching and encrypting backup drives, which these groups go after to make recovery impossible.

Ghostwriter (UNC1151)

Identified by cybersecurity firm Mandiant, Ghostwriter is best known for disinformation campaigns spread using the stolen identities of notable journalists and government officials. Mandiant has since assessed that UNC1151 is linked to the Belarusian government, with possible Russian involvement. While its early operations involved impersonating prominent figures, the group has been linked to DDoS attacks that knocked Ukrainian government websites offline and to sending malware to Ukrainian civilians.

Lockbit

While not yet as notable as other ransomware groups, Lockbit is quickly gaining notoriety, and the number of attacks is expected to rise with the release of its reworked 2.0 version. The ransomware is built to avoid targeting systems located in Russia, and the group is suspected of having worked with the government in the past. Like most ransomware operations, Lockbit targets government organizations and enterprises.

WhisperGate, HermeticWiper and IsaacWiper

In contrast to ransomware, which holds data hostage, WhisperGate, HermeticWiper and IsaacWiper are purpose-built to destroy data and leave systems inoperable. WhisperGate even displays a ransom note, but the data it overwrites cannot be recovered, so a ransom demand alone is no guarantee that recovery is possible. As cyberattacks continue to be waged against organizations in Ukraine, collateral damage to organizations outside the country has become a real possibility. Potential distribution methods for this malware include everyday communication tools, so the same phishing defenses used against other malware apply.

How to Protect Your Organization From Cyberattacks

As Congress considers legislation that would require organizations to report cyberattacks, organizations will need to increase their cybersecurity budgets. Continued neglect of cybersecurity could hurt a business’s revenue and erode stakeholder and customer confidence. Below, we outline what your organization can do to protect itself in this new age of cyberwarfare.

Increase Vulnerability Management: The number-one attack vector for APT groups is neglected network exposure and out-of-date software with publicly known exploits. Increase your scanning frequency and coverage, and prioritize remediation by the greatest risk.

Prioritize Remediation Using Intelligence: Vulnerabilities, zero-days included, are being weaponized faster than ever. Vulnerability intelligence tracks when attackers are actively developing or using exploits in the wild and alerts you when a vulnerability’s risk rating changes, so you can act before the next scheduled patch cycle.

Patch Known Vulnerabilities: Stay on top of CISA’s Known Exploited Vulnerabilities (KEV) catalog and patch affected products immediately. Use vulnerability intelligence to order your patching, and focus on automating your application, container and cloud security capabilities.

Invest In Your People: Continually refresh how you train and engage employees on security. Implement multifactor authentication organization-wide, or at minimum for roles with access to sensitive systems. Ensure you have strong spam and phishing filtering so malicious messages never reach users. If you aren’t already, start working toward a zero-trust architecture.
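The vulnerability-management, intelligence-driven prioritization and KEV-patching steps above come together in one workflow: take the scanner's findings, check each CVE against the KEV catalog, and patch exploited-in-the-wild items before anything ranked only by CVSS. The script below is an added example for this article, not code from the author or from CSW. The KEV excerpt and the scan findings in it are constructed sample data: the field names follow the public KEV JSON feed, the CVE IDs are real entries in the catalog, but the dates are illustrative rather than the catalog's actual values, and the host names are made up.

```python
"""
KEV-driven patch prioritization for a vulnerability-scan export.

Added example, not the article's or CSW's code. Findings are ranked by
KEV membership and KEV due date first, and only then by CVSS score,
because KEV membership is evidence of exploitation in the wild, not just
exploitability. All sample data below is CONSTRUCTED for an offline demo.
"""
import json

# Real location of the CISA feed; not fetched here so the example runs offline.
KEV_FEED_URL = ("https://www.cisa.gov/sites/default/files/feeds/"
                "known_exploited_vulnerabilities.json")

# Constructed excerpt in the KEV feed's shape (real CVE IDs, illustrative dates).
SAMPLE_KEV_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed excerpt)",
  "vulnerabilities": [
    {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
     "vulnerabilityName": "Apache Log4j2 Remote Code Execution Vulnerability",
     "dateAdded": "2021-12-10", "dueDate": "2021-12-24",
     "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-2021-34473", "vendorProject": "Microsoft", "product": "Exchange Server",
     "vulnerabilityName": "Microsoft Exchange Server Remote Code Execution Vulnerability",
     "dateAdded": "2021-11-03", "dueDate": "2021-11-17",
     "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-2020-1472", "vendorProject": "Microsoft", "product": "Netlogon",
     "vulnerabilityName": "Microsoft Netlogon Privilege Escalation Vulnerability",
     "dateAdded": "2021-11-03", "dueDate": "2022-05-03",
     "requiredAction": "Apply updates per vendor instructions."}
  ]
}
"""

# Constructed scanner export: one row per (host, CVE). Host names are made up.
SAMPLE_FINDINGS = [
    {"host": "web-01",  "cve": "CVE-2021-44228", "cvss": 10.0},
    {"host": "web-02",  "cve": "CVE-2021-44228", "cvss": 10.0},
    {"host": "web-02",  "cve": "CVE-2019-11358", "cvss": 6.1},   # jQuery; not in the KEV excerpt
    {"host": "mail-01", "cve": "CVE-2021-34473", "cvss": 9.8},
    {"host": "dc-01",   "cve": "CVE-2020-1472",  "cvss": 10.0},
]


def load_kev(feed_text):
    """Index a KEV feed (JSON text in the feed's published shape) by CVE ID."""
    feed = json.loads(feed_text)
    return {v["cveID"]: v for v in feed["vulnerabilities"]}


def prioritize(findings, kev, today):
    """Annotate findings with KEV data and order them for remediation.

    `today` is an ISO date string ("YYYY-MM-DD"); ISO dates compare
    correctly as strings, so no datetime parsing is needed.
    Order: KEV entries first (earliest/most overdue due date first),
    then everything else by descending CVSS.
    """
    ranked = []
    for f in findings:
        entry = kev.get(f["cve"])
        item = dict(f, in_kev=entry is not None, due=None, overdue=False, action=None)
        if entry:
            item["due"] = entry["dueDate"]
            item["overdue"] = entry["dueDate"] < today
            item["action"] = entry["requiredAction"]
        ranked.append(item)

    def sort_key(item):
        # KEV before non-KEV, then by due date, then by CVSS descending.
        return (0 if item["in_kev"] else 1, item["due"] or "9999-12-31", -item["cvss"])

    return sorted(ranked, key=sort_key)


def overdue_hosts(ranked):
    """Hosts carrying at least one KEV finding already past its due date."""
    return sorted({i["host"] for i in ranked if i["overdue"]})


if __name__ == "__main__":
    kev = load_kev(SAMPLE_KEV_JSON)
    order = prioritize(SAMPLE_FINDINGS, kev, today="2022-03-15")
    for i in order:
        tag = "KEV overdue" if i["overdue"] else ("KEV" if i["in_kev"] else "not in KEV")
        print(f"{i['host']:8} {i['cve']:15} cvss={i['cvss']:<5} {tag:12} due={i['due']}")
    print("Hosts with overdue KEV items:", overdue_hosts(order))
```

In production, replace SAMPLE_KEV_JSON with the body fetched from KEV_FEED_URL and SAMPLE_FINDINGS with your scanner's export. The KEV due dates are binding on U.S. federal civilian agencies under BOD 22-01, but they make a sensible patching SLA for any organization, and the ranking shows why KEV should outrank raw CVSS: a moderate-severity CVE that is being exploited in the wild belongs ahead of a critical one that nobody is known to be attacking.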

Although the threats facing organizations are growing in complexity and scale, they are an inevitable byproduct of an interconnected global network. These developments require organizations to step up their cybersecurity defenses; through bold leadership and innovative solutions, governments and organizations can rise to the occasion and defend themselves against these attacks and the groups behind them.


Aaron Sandeen

Aaron Sandeen is the CEO and co-founder of Cyber Security Works (CSW), a DHS-sponsored company focused on helping leaders proactively increase their resilience against ever-evolving security threats on-prem and in the cloud. Aaron leads CSW in providing intelligent and actionable security insights at every layer of company operations.
