Updated May 2026: This article was rewritten and refreshed for accuracy and relevance.


The following is based on the April 2022 joint Cybersecurity Advisory issued by CISA, the FBI, NSA, and allied cybersecurity authorities from Australia, Canada, New Zealand, and the UK. The advisory warned of increased threats from Russian state-sponsored APT groups and Russian-aligned criminal actors, and the TTPs it documented remain active. A 2024 follow-on advisory from the same agencies confirmed that GRU-affiliated actors have continued operations against organizations across NATO member countries through at least 2024.

When CISA, the FBI, and NSA issue a joint advisory co-signed by allied intelligence agencies across five countries, it's worth paying attention to, even if your business has nothing to do with Ukraine, defense contracts, or critical infrastructure.

The April 2022 advisory wasn't narrowly targeted at defense contractors or government agencies. It explicitly warned that Russian state-sponsored and criminal groups had demonstrated capability and intent to target organizations of all sizes. SMEs are attractive precisely because they're assumed to have weaker defenses, and in many cases, that assumption is correct.

A 2024 advisory from the same agencies confirmed that GRU Unit 29155, one of the specific groups named in 2022, has been conducting ongoing operations against global targets including NATO member organizations, running website defacements, infrastructure scanning, data exfiltration, and data leak operations. These aren't one-off incidents tied to a specific geopolitical moment. They're persistent, ongoing campaigns.

What the Advisory Actually Said

The April 2022 advisory documented the most common tactics used by Russian state-sponsored APT actors. These aren't exotic zero-days; most of them are techniques that target known weaknesses in how organizations manage credentials, apply patches, and configure cloud services.

Spearphishing was cited as the primary initial access method: highly targeted emails impersonating trusted parties (vendors, partners, government agencies), designed to capture credentials or deliver malware. The advisory specifically noted the use of malicious links and attachments crafted for specific targets based on reconnaissance of the organization.

Brute force and password spraying against cloud environments, particularly Microsoft 365 and Azure Active Directory. The advisory cited a prior NSA/FBI advisory specifically on GRU brute force campaigns targeting enterprise and cloud environments. The goal: get valid credentials without triggering lockout policies, then use them to access email, SharePoint, and cloud-hosted applications. If your Microsoft 365 accounts don't have MFA enforced (not just available, but enforced), this is a live exposure.

Exploitation of known, unpatched vulnerabilities. The advisory listed specific CVEs that Russian APT actors were actively exploiting at the time, including vulnerabilities in Fortinet SSL VPN, Microsoft Exchange (the ProxyLogon/ProxyShell family), VMware vSphere, and Pulse Secure VPN. None of these were new. They were all patched. The targets were businesses that hadn't applied patches.

Supply chain compromise. The SolarWinds attack, attributed to Russian SVR in earlier advisories, demonstrated that attacking a trusted software vendor can give actors access to hundreds of downstream organizations simultaneously, without those organizations doing anything wrong themselves. The advisory called out the need to evaluate vendor security posture, not just your own.

Living off the land. Once inside a network, these actors preferred to use legitimate tools already present (PowerShell, WMI, PsExec, scheduled tasks) rather than deploying custom malware that might trigger detection. This makes behavioral detection harder and signature-based antivirus largely useless for catching post-compromise activity.

Why SMEs Are Specifically at Risk

State-sponsored actors aren't always after your data directly. There are three scenarios where an SME becomes a target regardless of its size or profile.

First: supply chain access. If you provide services to a larger organization (a law firm serving a defense contractor, an accounting firm serving a healthcare system, an IT vendor with admin access to multiple clients), you represent a lateral path to a higher-value target. The 2022 advisory explicitly noted that Russian actors have used trusted third-party relationships as an entry vector.

Second: financial crime. Russian-aligned criminal groups (Sandworm, various ransomware operators) don't distinguish by sector. They're opportunistic. If your organization is reachable and under-defended, you're a target. Ransomware operators connected to Russian criminal infrastructure have hit dentists' offices, law firms, and municipal governments with equal indifference.

Third: data value. You may have more valuable data than you realize: client PII, financial records, health information, or intellectual property. Even if the data isn't state-intelligence valuable, it has resale value on criminal markets.

The Mitigations the Advisory Recommended

The advisory's recommended mitigations aren't theoretical. They're specific, implementable, and, critically, most of them don't require a large security budget. The ones most relevant to SMEs:

Enforce MFA on all accounts, particularly email and remote access. The advisory called this out as the single highest-impact mitigation for credential-based attacks. Microsoft Entra ID (formerly Azure AD) with Conditional Access policies lets you enforce MFA, block logins from unexpected geographies, and require compliant devices, none of which require enterprise licensing to implement at a basic level.

Patch known exploited vulnerabilities promptly. CISA maintains a Known Exploited Vulnerabilities catalog, a running list of CVEs that are actively being used in real attacks. If a CVE is on that list and you haven't patched it, you have a documented exposure. Patch management through an RMM platform like NinjaRMM or ConnectWise automates this at scale.
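The KEV catalog is published as a JSON feed, so matching it against your own unpatched-CVE list is a short script. The following is an added example, not code from CISA or from Stratify IT: the field names follow the KEV feed's layout, but every CVE ID, product, date and asset name below is a constructed placeholder, and the inventory is assumed to come from your vulnerability scanner.

```python
import json
from datetime import date

# Constructed excerpt in the layout of CISA's KEV JSON feed (field names are
# the feed's; CVE IDs, products and dates are placeholders, not real entries).
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVPN", "product": "SSL VPN",
     "dueDate": "2026-04-15", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-00002", "vendorProject": "ExampleMail", "product": "Mail Server",
     "dueDate": "2026-06-30", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-00003", "vendorProject": "ExampleHV", "product": "Hypervisor",
     "dueDate": "2026-05-01", "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed inventory: asset -> CVEs your scanner reports as unpatched there.
INVENTORY = {
    "vpn-edge-01": ["CVE-0000-00001"],
    "mail-01": ["CVE-0000-00002", "CVE-0000-09999"],  # 09999 is not in KEV
}

def load_kev(text):
    """Index the catalog by CVE id."""
    return {v["cveID"]: v for v in json.loads(text)["vulnerabilities"]}

def kev_exposures(kev, inventory, today):
    """Findings for every unpatched CVE that is on the KEV list, with the most
    overdue and ransomware-linked entries first. KEV's dueDate is the federal
    BOD 22-01 remediation deadline; for an SME it is a useful benchmark."""
    findings = []
    for asset, cves in inventory.items():
        for cve in cves:
            entry = kev.get(cve)
            if entry is None:
                continue  # unpatched but not on KEV: normal patch cycle applies
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "asset": asset, "cve": cve,
                "product": f'{entry["vendorProject"]} {entry["product"]}',
                "overdue_days": max(0, (today - due).days),
                "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
            })
    return sorted(findings, key=lambda f: (-f["overdue_days"], not f["ransomware"]))

if __name__ == "__main__":
    for f in kev_exposures(load_kev(KEV_JSON), INVENTORY, date.today()):
        print(f)
```

Anything this prints is a documented exposure; the rest of the scanner output can wait for the regular patch window.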

Implement centralized log collection and monitoring. The advisory was explicit: without log collection, you can't detect intrusion or investigate incidents after the fact. For Microsoft 365 environments, Microsoft Sentinel provides cloud-native SIEM capabilities. For broader environments, a managed SIEM with 24/7 monitoring is the practical equivalent: someone watching the logs when your team isn't.
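The password-spraying pattern described earlier (many accounts, one or two attempts each, all from one source, so no single account trips lockout) is exactly the kind of thing centralized sign-in logs let you catch. The following detector is an added example, not code from the advisory or from Stratify IT: the record layout (createdDateTime, userPrincipalName, ipAddress, status.errorCode) is a simplified version of an Entra ID sign-in log and every record is constructed; the thresholds are assumptions to tune for your tenant.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

INVALID_CREDENTIALS = 50126  # Entra ID error code for a bad username/password
_rec = lambda ts, user, ip, code: json.dumps({"createdDateTime": ts,
    "userPrincipalName": user, "ipAddress": ip, "status": {"errorCode": code}})
# Constructed sample: 203.0.113.7 fails once each against five accounts in ten
# minutes, then succeeds on a sixth; 198.51.100.9 is one user mistyping a password.
SAMPLE_LOG = "\n".join([
    _rec("2026-05-01T09:00:00Z", "a.jones@example.com", "203.0.113.7", 50126),
    _rec("2026-05-01T09:02:00Z", "b.khan@example.com", "203.0.113.7", 50126),
    _rec("2026-05-01T09:03:00Z", "c.lee@example.com", "203.0.113.7", 50126),
    _rec("2026-05-01T09:05:00Z", "d.ortiz@example.com", "203.0.113.7", 50126),
    _rec("2026-05-01T09:07:00Z", "e.patel@example.com", "203.0.113.7", 50126),
    _rec("2026-05-01T09:09:00Z", "f.wu@example.com", "203.0.113.7", 0),
    _rec("2026-05-01T09:01:00Z", "h.diaz@example.com", "198.51.100.9", 50126),
])

def parse_signins(text):
    """One JSON object per line -> time-sorted (time, user, ip, error_code)."""
    out = []
    for line in text.splitlines():
        r = json.loads(line)
        t = datetime.fromisoformat(r["createdDateTime"].replace("Z", "+00:00"))
        out.append((t, r["userPrincipalName"].lower(), r["ipAddress"],
                    r["status"]["errorCode"]))
    return sorted(out)

def detect_spray(events, window=timedelta(minutes=30),
                 min_accounts=5, max_per_account=2):
    """Source IPs failing against >= min_accounts distinct accounts inside one
    window with no account failing more than max_per_account times (under lockout)."""
    by_ip = defaultdict(list)
    for t, user, ip, code in events:
        by_ip[ip].append((t, user, code))
    hits = {}
    for ip, evs in by_ip.items():
        fails = [(t, u) for t, u, c in evs if c == INVALID_CREDENTIALS]
        for i, (t0, _) in enumerate(fails):  # slide the window over failures
            per_account = defaultdict(int)
            for t, u in fails[i:]:
                if t - t0 > window:
                    break
                per_account[u] += 1
            if (len(per_account) >= min_accounts
                    and max(per_account.values()) <= max_per_account):
                hits[ip] = {"accounts": sorted(per_account),  # a success from a
                            "successes": sorted(u for _, u, c in evs if c == 0)}
                break                                         # spraying IP = compromised
    return hits
```

Any account listed under "successes" for a flagged source needs an immediate credential reset and session revocation, which is a far faster outcome than waiting for a lockout alert that the attacker deliberately avoided.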

Disable unnecessary services and close exposed ports. Many SMEs have RDP (port 3389) open to the internet, either intentionally for remote access or inadvertently through misconfiguration. The advisory flagged this specifically. If RDP is required, it should be behind a VPN or Zero Trust Network Access solution, not directly internet-facing.

Test your backups. The advisory recommended offline, tested backups as a ransomware mitigation. "Offline" matters: ransomware operators routinely look for and destroy backup systems before triggering encryption. Backups connected to the same network or accessible through the same credentials as your primary systems are not reliable recovery options.

Develop and exercise an incident response plan. Not just a document, but an actual tested plan with defined roles, contact lists, and documented escalation procedures. The advisory noted that many organizations discover they have no IR plan at the moment they need one, which substantially increases recovery time and cost.

What This Means in Practice

The geopolitical context that prompted the 2022 advisory has evolved, but the threat hasn't diminished. The 2024 CISA advisory on GRU Unit 29155 documented more than 14,000 instances of domain scanning across NATO member organizations and confirmed ongoing data exfiltration and leak operations. The infrastructure and TTPs documented in 2022 are still being used.

For most SMEs, the gap between current state and the advisory's recommended mitigations isn't as large as it sounds. MFA, patching discipline, monitored logs, and tested backups address the majority of the documented attack vectors. The challenge is usually implementation consistency and ongoing management, not the controls themselves. A practical walkthrough of implementing the specific controls that block most attacks (EDR, email filtering, DNS filtering, MFA, and incident response) is covered in detail separately.

Reach out to Stratify IT to discuss where your organization stands against these specific recommendations: we can assess your current controls, identify gaps, and build a remediation plan that's scoped to your actual environment.

Frequently Asked Questions

The advisory focuses on NATO member organizations, but the groups named, particularly GRU Unit 29155, have demonstrated reach well beyond that geography. If your business operates in supply chains, financial systems, or infrastructure that touches NATO-aligned entities, you're a potential path in. Opportunistic scanning doesn't stop at political borders, and criminal groups affiliated with these actors often operate globally regardless of geopolitical targeting priorities.

Probably not without looking. Most SMEs don't have logging in place that would surface this. A firewall alone won't tell you much; you'd need centralized log collection from your perimeter, endpoints, and authentication systems, reviewed regularly. Tools like Microsoft Sentinel, Splunk, or even a well-configured SIEM on a tight budget can surface anomalous scanning patterns. If you haven't reviewed your logs in the past 30 days, you don't actually know.

Yes, and this is one of the more underappreciated risks. The 2022 advisory specifically called out MSPs as targets precisely because compromising one gives attackers access to dozens or hundreds of downstream clients. Before assuming your MSP's security posture protects you, ask them directly: what's your MFA policy for admin access, how do you segment client environments, and have you had a third-party security assessment recently? Vague answers are a red flag.

For a company that size, getting MFA deployed across Microsoft 365 or Google Workspace costs nothing beyond staff time. A password manager for the team runs $3-5 per user per month. Patching discipline is a process problem, not a budget problem. The genuine costs show up in endpoint detection: a decent EDR solution runs $5-15 per endpoint per month. Full implementation of the core advisory recommendations could realistically land between $500-1,500 per month, depending on what's already in place.

The practical distinction matters more than the organizational one. State-sponsored APT groups tend to prioritize persistence and intelligence collection; they want to stay quiet. Criminal groups aligned with those actors are more likely to deploy ransomware or sell access. For an SME, the criminal-aligned groups are often the more immediate threat, because they're motivated by money and move faster. The same credential-based entry points get exploited either way, so the defensive controls overlap almost entirely.

More likely, in some scenarios. Credentials from past breaches often circulate on criminal marketplaces for years. If employee email addresses or passwords from a prior incident ended up in those datasets (you can check via Have I Been Pwned or a dark web monitoring service), attackers may already have a starting point. Prior breaches also sometimes indicate that your organization's defenses were weak enough to penetrate once, which makes you a candidate for repeat attempts or lateral movement if the initial access was never fully cleaned up.

Sharad Suthar

Sharad has a proven track record of delivering successful IT projects underpinned by creative problem-solving and strategic thinking. He brings an extraordinary combination of in-depth technical knowledge, problem-solving skills, and dedication to client satisfaction that enables him and his team at Stratify IT to deliver optimal IT solutions tailored to the specific needs of each organization, from large corporates to small businesses. His impeccable attention to detail and accuracy ensure that his clients get the best possible results.

Category: #Cybersecurity