A recent indictment revealed how the GRU (Russia’s Military Intelligence agency) used both influence operations and network intrusions to achieve its policy aims. More precisely, the GRU weaponized the use of the network intrusions in its influence operations. We have used the MITRE ATT&CK framework as our methodology to play back the findings of the indictment. In doing so, we aim to provide key lessons organizations can take away from this indictment.

1. 0. Reconnaissance
4. Privilege Escalation
9. Collection
10. Exfiltration
MITRE ATT&CK and the Mueller GRU Indictment
MITRE ATT&CK Stage GRU Tactics, Techniques and Procedures Mitigation Advice
• Inform employees that their social media profiles may be
of interest to adversaries. Provide advice on how to lock
down profiles if requested.
• Ensure that network services are patched and running
supported versions of software.
• Credentials, especially for admin accounts, should use
strong passwords and two factor authentication (2FA)
should be enabled wherever possible.
• Use of an email filtering system or service can help to
identify some spearphishing threats, particularly around
malicious attachments.
• Office365 users should consider Microsoft’s Advanced
Threat Protection (ATP), a cloud-based email filtering
service.
• 2FA is essential for email accounts, especially with a
security key where possible.
• Employees should be made aware that personal accounts
are regularly targeted by certain adversaries and to not
enter credentials online unless they are expecting to do so.
• 3rd parties, such as suppliers and partner organizations,
typically have privileged access via a trusted relationship
into certain environments.
• These relationships can be abused by attackers to subvert
security controls and gain unauthorized access into target
environments.
• Managing trusted relationships, like supply chains, is an
incredibly complex topic. The NCSC (National Cyber
Security Center) has an excellent overview of this
challenging topic.
• Maintaining presence in a target environment typically
requires the use of administrator privileges. Following the
advice in Stage #4, as well as monitoring for the
creation of new scheduled tasks, as an example, can limit
the adversary’s options.
• The NCSC Windows 10 End User Device (EUD) guidance
provides advice on how to securely configure Windows
devices. The website adsecurity.org has excellent advice
on how to securely administer a Windows network.
• Patching operating systems and applications to prevent
privilege escalation is important, as well as limiting who
has access to admin accounts. It is worth keeping in mind
that adversaries may not always need administrative
access in order to achieve their goals.
• Privileged Identity Management (PIM) and Privileged
Access Management solutions can provide added over-
sight to prevent accounts being misused and abused.
• Large amounts of storage being used up unexpectedly is
another signal that something potentially suspicious is
occurring.
• Monitoring of key servers to ensure that only specific
scripts, such as PowerShell scripts, are able to run and
that the appropriate logging is in place to monitor
PowerShell and other scripting activity is important.
• Audit logs for cloud services (e.g., Amazon Cloudtrail for
AWS) need to be periodically reviewed to ensure that
sensitive data is not subject to unauthorized access.
• Blocking egress traffic that is not necessary for the
organization’s requirements can assist with limiting an
attacker’s options in terms of communicating outside of
the organization.
• Web proxies can provide granular controls for restricting
egress traffic types and destinations.
• Change management and file integrity monitoring (FIM)
for websites and other external assets is an important
part of ensuring that no unauthorized changes are made.
• For users, ensuring that browsers are patched to the
latest version, vulnerable plugins are disabled and an
adblocker is used, are important steps to staying safe
while browsing.
• Up-to-date antivirus and other Endpoint Detection &
Response (EDR) systems can provide protection against
some malware variants.
• Protective monitoring can help detect unauthorized be-
havior both on the endpoint and on the network.
• Ensure that security teams have knowledge and under-
standing of all environments assists with rooting out
adversaries which are capable of operating on different
platforms.
• Access to RDP servers and other servers that provide
remote access should be limited.
• IP whitelisting where appropriate is an effective control.
• Ensure that RDP is only accessible via a VPN that supports
strong authentication.
Spearphishing attachment;
Spearphishing link
Fully comprehensive and detailed
reconnaissance operation
Valid Accounts
Drive-by Compromise
Trusted Relationship
1. Initial Access
2. Execution
3. Persistence
!
Exploitation for Client Execution
For the GRU’s mission, data
theft, privilege escalation was
not necessary in order to achieve
their goals
Bootkit, Login Item, Modify
Existing Service, Valid Accounts,
Launch Agent
Data from Local System/Network
Shared Drive, Email Collection,
Input Capture, Screen Capture,
Data Staged, Data from
Information Repositories
Data Compressed, Data Encrypted,
Exfiltration Over Other Network
Medium