SafeBreach Labs has updated the Hacker's Playbook™ with simulations for new attacks described in US-CERT Alert (TA18-074A), attributed to Russian government actors.
Additionally, thanks to the depth of the Hacker's Playbook™, a portion of this multi-stage attack campaign has already been simulated, so customers were already able to validate security against parts of this attack. As always, SafeBreach Labs will continue to monitor the situation, and develop new simulations as necessary.
This extensive campaign has targeted both public United States Government entities as well as private energy, nuclear, commercial facilities, water, aviation, and critical manufacturing corporations. Unlike many recent attacks, which relied on ransomware or other disruptive malware to disrupt systems and businesses, this attack campaign is designed to infiltrate environments, steal administrative credentials, and establish multiple footholds within critical infrastructure for remote access and control.
SafeBreach recommends all industries and businesses simulate this attack to identify whether or not they are protecting against this campaign. To assess security control effectiveness against techniques involved in this attack, the SafeBreach Breach and Attack Simulation Platform specifically tests the following endpoint and network security controls:
Newly added playbook methods related to TA18-074A
Playbook #1496 - Transfer of attack tools
Playbook #1498 - Local installation of attack tools
Existing playbook methods already validating security related to TA18-074A
Playbook #242 - SMB communications
Playbook #1269 - Windows scheduled task creation
Playbook #1342 - PowerShell - get periodic screenshot and zip
Additional breach methods added recently include:
The Safebreach Hacker's Playbook™ of breach methods simulates these breach scenarios, and thousands more, without impacting users or infrastructure. Breach methods are constantly updated by SafeBreach Labs, our team of offensive security researchers, to help keep customers ahead of attacks.
March 22, 2019
March 18, 2019