Hackers Playbook Updated with Methods for US CERT Alert TA-18-074A

byItzik Kotler

US Cert Alerts

SafeBreach Labs has updated the Hacker's Playbook™ with simulations for new attacks described in US-CERT Alert (TA18-074A), attributed to Russian government actors.

Additionally, thanks to the depth of the Hacker's Playbook™, a portion of this multi-stage attack campaign has already been simulated, so customers were already able to validate security against parts of this attack. As always, SafeBreach Labs will continue to monitor the situation, and develop new simulations as necessary.

This extensive campaign has targeted both public United States Government entities as well as private energy, nuclear, commercial facilities, water, aviation, and critical manufacturing corporations. Unlike many recent attacks, which relied on ransomware or other disruptive malware to disrupt systems and businesses, this attack campaign is designed to infiltrate environments, steal administrative credentials, and establish multiple footholds within critical infrastructure for remote access and control.

SafeBreach recommends all industries and businesses simulate this attack to identify whether or not they are protecting against this campaign. To assess security control effectiveness against techniques involved in this attack, the SafeBreach Breach and Attack Simulation Platform specifically tests the following endpoint and network security controls:

Newly added playbook methods related to TA18-074A

Playbook #1496 - Transfer of attack tools

  • Network Controls - Are security controls in place to prevent the download and transfer of the infiltration, filedropper, and malicious network traffic interception tools used in this attack?

Playbook #1498 - Local installation of attack tools

  • Endpoint Controls - Are security controls in place to prevent the local deployment of the various tools and malware used in this attack?

Existing playbook methods already validating security related to TA18-074A

Playbook #242 - SMB communications

  • Network Controls - Are security controls in place to prevent credential theft over SMB?

Playbook #1269 - Windows scheduled task creation

  • Endpoint Controls - Is endpoint hardening sufficient to prevent remote scheduling of Windows tasks for malicious actions?

Playbook #1342 - PowerShell - get periodic screenshot and zip

  • Endpoint Controls - Is endpoint hardening sufficient to prevent remote PowerShell execution, as well as the ability to take and send screenshots?

The SafeBreach Hacker's Playbook™ of breach methods simulates these breach scenarios, and thousands more, without impacting users or infrastructure. Breach methods are constantly updated by SafeBreach Labs, our team of offensive security researchers, to help keep customers ahead of attacks.


  • 111 W Evelyn Ave
  • Sunnyvale, CA94086
  • USA
  • 408-743-5279

R&D Center

  • Yosef Karo St 18
  • Tel Aviv-Yafo,
  • Israel
  • +972-77-434-4506
© SafeBreach Inc. 2021