Microsoft has been monitoring escalating cyber activity in Ukraine and has published analysis of the observed activity so that organizations have current intelligence to guide investigations into potential attacks and to implement proactive protections against future attempts.
We’ve brought together all our analysis and guidance for customers who may be impacted by events in Ukraine into this single location for ease of consumption, all of which is linked below. In this blog, we’ve also included general security guidance for organizations to build cyber resilience. As the situation in the region develops, we will continue to publish new insights and add to this set of resources.
Microsoft has been notifying customers in Ukraine of activity, where possible, and closely coordinating with the government in Ukraine. This support is ongoing.
We have also summarized information about what we are doing around protecting organizations in Ukraine from cyberattacks; protecting against state-sponsored disinformation campaigns; supporting humanitarian assistance; and protecting our employees: Digital technology and the war in Ukraine.
Published Microsoft analysis of malicious activity in Ukraine
Phishing attacks on Ukrainian soldiers:
- February 25, 2022 | RiskIQ: UNC1151/GhostWriter Phishing Attacks Target Ukrainian Soldiers
Recent disk wiping attacks:
- February 24, 2022 | RiskIQ: HermeticWiper Compromised Server Used in Attack Chain
Advanced threat actor ACTINIUM, which has consistently pursued access to organizations in Ukraine or entities related to Ukrainian affairs:
- February 4, 2022 | Microsoft Security Blog: ACTINIUM targets Ukrainian organizations
- February 4, 2022 | RiskIQ threat intelligence article: ACTINIUM targets Ukrainian organizations
- February 4, 2022 | Microsoft Threat Analytics article (requires a license): Threat Insights: ACTINIUM targets Ukrainian organizations
Destructive malware operation and malware family known as WhisperGate targeting multiple organizations in Ukraine:
- January 15, 2022 | Microsoft on the Issues Blog: Malware attacks targeting Ukraine government
- January 15, 2022 | Microsoft Security Blog: Destructive malware targeting Ukrainian organizations
- January 15, 2022 | RiskIQ threat intelligence article: Destructive malware targeting Ukrainian organizations
OSINT (open source intelligence) articles around activity in Ukraine are published regularly into the RiskIQ Community. The full list is available here: RiskIQ Community articles on Ukraine activity.
Security guidelines and recommendations
We recommend that customers review their security posture and implement best practices to build resilience against today’s threats. Below are recommendations and links to resources:
- Cybersecurity hygiene: Organizations should harden all systems by following basic principles of cyber hygiene to proactively protect against potential threats. Microsoft recommends taking the following steps:
  - Enable multifactor authentication
  - Apply least privilege access and secure the most sensitive and privileged credentials
  - Review all authentication activity for remote access infrastructure
  - Secure and manage systems with up-to-date patching
  - Use anti-malware and workload protection tools
  - Isolate legacy systems
  - Enable logging of key functions
  - Validate your backups
  - Verify your cyber incident response plans are up to date
- Microsoft Security Best Practices: Microsoft customers can follow best practices that provide clear, actionable guidance for security-related decisions. These are designed to improve your security posture and reduce risk whether your environment is cloud-only or a hybrid enterprise spanning one or more clouds and on-premises data centers: Microsoft Security Best Practices
- Protect against ransomware and extortion: Human-operated ransomware attacks can be catastrophic to business operations and are difficult to clean up, requiring complete adversary eviction to protect against future attacks. Follow our ransomware specific technical guidance to help prepare for an attack, limit the scope of damage, and remove additional risks: Human-operated ransomware
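One concrete way to act on the "review all authentication activity for remote access infrastructure" and "enable logging of key functions" items in the hygiene list above, as an added example that is not part of Microsoft's guidance or tooling: a small Python script that reads remote access (for instance VPN gateway) sign-in records and flags three patterns a responder would look for, namely successful sign-ins that did not use multifactor authentication, a burst of failures followed by a success for the same account (a password-spray or brute-force attempt that landed), and successful sign-ins from outside the countries the organization expects. The pipe-delimited log format, the field names, the sample records, the country allowlist and the burst threshold are all assumptions constructed for this illustration; adapt the parser to whatever your gateway actually emits.

```python
"""Review remote access authentication logs for risky sign-in patterns.

Added example, not code from the Microsoft page. The log format below is
hypothetical: ts|user|src_ip|country|result|mfa. "ZZ" is an ISO 3166
user-assigned code used here as a stand-in for "some unexpected country".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real data). One VPN sign-in event per line.
SAMPLE_LOG = """\
2022-02-24T05:01:10Z|alice|203.0.113.5|UA|success|mfa=yes
2022-02-24T05:02:30Z|bob|198.51.100.7|PL|success|mfa=no
2022-02-24T05:03:00Z|carol|192.0.2.44|UA|failure|mfa=no
2022-02-24T05:03:05Z|carol|192.0.2.44|UA|failure|mfa=no
2022-02-24T05:03:11Z|carol|192.0.2.44|UA|failure|mfa=no
2022-02-24T05:03:18Z|carol|192.0.2.44|UA|failure|mfa=no
2022-02-24T05:03:25Z|carol|192.0.2.44|UA|failure|mfa=no
2022-02-24T05:03:40Z|carol|192.0.2.44|UA|success|mfa=yes
2022-02-24T05:10:00Z|dave|198.51.100.9|ZZ|success|mfa=yes
2022-02-24T06:00:00Z|alice|203.0.113.5|UA|failure|mfa=no
"""

# Assumed allowlist of countries the organization expects remote staff in.
EXPECTED_COUNTRIES = {"UA", "PL"}


def parse_log(text):
    """Parse the hypothetical pipe-delimited format into dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src_ip, country, result, mfa = line.split("|")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "src_ip": src_ip,
            "country": country,
            "success": result == "success",
            "mfa": mfa == "mfa=yes",
        })
    return sorted(events, key=lambda e: e["ts"])


def find_no_mfa(events):
    """Successful sign-ins that completed without a second factor."""
    return [(e["user"], e["src_ip"], e["ts"].isoformat())
            for e in events if e["success"] and not e["mfa"]]


def find_failure_burst(events, threshold=5, window=timedelta(minutes=10)):
    """A success preceded by >= threshold failures for the same user inside
    the window: the signature of a guessing attack that eventually succeeded."""
    hits = []
    recent = defaultdict(list)  # user -> timestamps of failures still in window
    for e in events:
        fails = recent[e["user"]]
        fails[:] = [t for t in fails if e["ts"] - t <= window]
        if e["success"]:
            if len(fails) >= threshold:
                hits.append((e["user"], e["src_ip"], len(fails), e["ts"].isoformat()))
            fails.clear()
        else:
            fails.append(e["ts"])
    return hits


def find_unexpected_country(events, allowed):
    """Successful sign-ins sourced from a country outside the allowlist."""
    return [(e["user"], e["src_ip"], e["country"], e["ts"].isoformat())
            for e in events if e["success"] and e["country"] not in allowed]


def review(text, allowed=EXPECTED_COUNTRIES):
    """Run all three checks over a log and return the findings by category."""
    events = parse_log(text)
    return {
        "no_mfa": find_no_mfa(events),
        "failure_burst": find_failure_burst(events),
        "unexpected_country": find_unexpected_country(events, allowed),
    }


if __name__ == "__main__":
    for category, findings in review(SAMPLE_LOG).items():
        print(category)
        for f in findings:
            print("  ", f)
```

On the sample data the script flags bob (success without MFA), carol (five failures then a success within the window) and dave (success from a country outside the allowlist); alice's lone failure with no subsequent success is correctly ignored. In practice the same three checks map onto sign-in logs from any remote access product once the parser is adjusted, and the findings should feed the incident response plan the list asks you to keep current.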
We continue to monitor activity and will update this page with more information as the situation develops.