Russian state-sponsored, cyber-criminal hackers stage demonstrated threats, capabilities to critical infrastructure
Global security agencies issued a joint Cybersecurity Advisory (CSA) warning organizations that the Russian invasion of Ukraine could expose organizations both within and beyond the region to increased malicious cyber activity from Russian state-sponsored cyber hackers or Russian-aligned cybercrime groups. 

The Cybersecurity and Infrastructure Security Agency (CISA) authored ‘Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure’ in partnership with the Federal Bureau of Investigation (FBI), National Security Agency (NSA), Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), National Cyber Security Centre New Zealand (NZ NCSC), and the United Kingdom’s National Cyber Security Centre (NCSC-UK) and National Crime Agency (NCA), and with contributions from industry members of CISA’s Joint Cyber Defense Collaborative (JCDC).

The CSA provides technical details on malicious cyber operations by hackers from the Russian Federal Security Service (FSB), Russian Foreign Intelligence Service (SVR), Russian General Staff Main Intelligence Directorate (GRU), and Russian Ministry of Defense, Central Scientific Institute of Chemistry and Mechanics (TsNIIKhM). 

It also includes details on Russian-aligned cyber threat groups and cybercrime groups. Some of these cybercrime groups have recently publicly pledged support for the Russian government. They also have threatened to conduct cyber operations in retaliation for perceived cyber offensives against Russia or countries or organizations providing material support to Ukraine. Other cybercrime groups have recently conducted disruptive attacks against Ukrainian websites, likely supporting the Russian military offensive.

Evolving intelligence indicates that the Russian government is exploring options for potential cyberattacks, the advisory said, referencing U.S. President Joe Biden’s call last month for critical infrastructure organizations ‘to act to protect the critical services on which all Americans rely.’

“Recent Russian state-sponsored cyber operations have included distributed denial-of-service (DDoS) attacks, and older operations have included deployment of destructive malware against Ukrainian government and critical infrastructure organizations,” the joint CSA said on Wednesday. 

Russian state-sponsored cyber hackers have demonstrated the capability to compromise IT networks, to develop mechanisms that maintain long-term, persistent access to those networks, and to exfiltrate sensitive data from IT and operational technology (OT) networks. They have also disrupted critical industrial control systems (ICS)/OT functions by deploying destructive malware, the advisory pointed out. “Historical operations have included deployment of destructive malware—including BlackEnergy and NotPetya—against the Ukrainian government and critical infrastructure organizations. Recent Russian state-sponsored cyber operations have included DDoS attacks against Ukrainian organizations,” it added.

The advisory identified that the FSB, the KGB’s successor agency, has conducted malicious cyber operations targeting the energy sector, including U.K. and U.S. energy companies, U.S. aviation organizations, U.S. government and military personnel, private organizations, cybersecurity companies, and journalists. In addition, FSB has been known to task criminal hackers for espionage-focused cyber activity, while the same hackers have separately been responsible for disruptive ransomware and phishing campaigns. 

The joint advisory said that the SVR has operated an APT group since at least 2008 that has targeted multiple critical infrastructure organizations. SVR cyber threat hackers have used a range of initial exploitation techniques that vary in sophistication, coupled with stealthy intrusion tradecraft within compromised networks. The SVR’s novel tooling and techniques include custom, sophisticated multi-platform malware targeting Windows and Linux systems. The group also moves laterally through the ‘credential hopping’ technique, which includes browser cookie theft to bypass multi-factor authentication (MFA) on privileged cloud accounts, it added.

The advisory also warned about the GTsSS or Unit 26165, an APT group that has operated since at least 2004 and primarily targets government organizations, travel and hospitality entities, research institutions, and non-governmental organizations, in addition to other critical infrastructure organizations. 

The U.S. government assesses that GTsSS cyber hackers have deployed Drovorub malware against victim devices as part of their cyber espionage operations. In addition, the U.S. and U.K. agencies assess that GTsSS hackers used a Kubernetes cluster to conduct widespread, distributed, and anonymized brute force access attempts against hundreds of government and private sector targets worldwide.
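The distributed, anonymized brute-force pattern described above is hard to see with per-source lockout rules alone, because each source makes only a few attempts. The following is an added example, not code from the advisory or the agencies, that aggregates failed logins per account across source addresses; the log format and sample lines are constructed for the illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a simplified, hypothetical syslog-like format.
SAMPLE_LOGS = """\
2022-04-20T10:00:01Z auth=FAIL user=alice src=203.0.113.5
2022-04-20T10:00:07Z auth=FAIL user=alice src=198.51.100.12
2022-04-20T10:00:15Z auth=FAIL user=alice src=192.0.2.44
2022-04-20T10:00:22Z auth=FAIL user=alice src=203.0.113.77
2022-04-20T10:00:30Z auth=FAIL user=alice src=198.51.100.200
2022-04-20T10:01:02Z auth=FAIL user=bob src=203.0.113.5
2022-04-20T10:01:40Z auth=OK user=bob src=203.0.113.5
2022-04-20T10:02:00Z auth=FAIL user=carol src=192.0.2.9
2022-04-20T10:02:05Z auth=FAIL user=carol src=192.0.2.9
2022-04-20T10:02:10Z auth=FAIL user=carol src=192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth=(?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

def parse_failures(text):
    """Yield (timestamp, user, source) for each failed authentication line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m["result"] == "FAIL":
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["user"], m["src"]

def distributed_bruteforce(text, window=timedelta(minutes=10),
                           min_sources=4, max_per_source=2):
    """Flag accounts whose failures within `window` come from at least
    `min_sources` distinct addresses, none exceeding `max_per_source`
    attempts: the low-and-slow pattern a per-source lockout never sees.
    Returns {user: number_of_distinct_failing_sources}."""
    per_user = defaultdict(list)
    for ts, user, src in parse_failures(text):
        per_user[user].append((ts, src))
    flagged = {}
    for user, events in per_user.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # Count failing sources among events within `window` of this one.
            counts = Counter(s for t, s in events[i:] if t - start <= window)
            if len(counts) >= min_sources and max(counts.values()) <= max_per_source:
                flagged[user] = max(flagged.get(user, 0), len(counts))
    return flagged

print(distributed_bruteforce(SAMPLE_LOGS))
```

Only "alice" is flagged: her five failures come from five addresses with one attempt each, while "carol"'s three failures from a single address are the classic case an existing per-source threshold already catches.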

The advisory also alerted the community to the GTsST or Unit 74455, an APT group that has operated since at least 2009 and has targeted various critical infrastructure organizations, including those in the energy, transportation systems, and financial services sectors. According to industry reporting, GTsST also has an extensive history of conducting cyber espionage and destructive and disruptive operations against North Atlantic Treaty Organization (NATO) member states, Western government and military organizations, and critical infrastructure-related organizations, including the energy sector.

The CSA also notified organizations that the TsNIIKhM hackers have developed destructive ICS malware and were sanctioned by the U.S. Department of the Treasury for connections to the destructive Triton malware (also called HatMan and TRISIS). Triton is a custom-built malware designed to manipulate safety instrumented systems within ICS controllers, disabling the safety alarms that prevent dangerous conditions.

TsNIIKhM has been sanctioned by the UK Foreign, Commonwealth, and Development Office (FCDO) for a 2017 incident that involved safety override controls (with Triton malware) in a foreign oil refinery. 

In addition to the APT groups, the CSA also flagged two intrusion sets – Primitive Bear and Venomous Bear – as state-sponsored APT groups, but the U.S., the U.K., Australian, Canadian, and New Zealand cyber authorities have not attributed these groups to the Russian government. 

Primitive Bear is reported to have targeted Ukrainian organizations since at least 2013, using high-volume spearphishing campaigns to deliver its custom malware. According to industry reporting, Primitive Bear conducted multiple cyber operations targeting Ukrainian organizations in the lead-up to Russia’s invasion.

Venomous Bear has historically targeted governments aligned with NATO, defense contractors, and other organizations of intelligence value. In addition, Venomous Bear is known for its unique use of hijacked satellite internet connections for command and control (C2) and hijacking of other non-Russian state-sponsored APT hacker infrastructure.

The cybersecurity authorities from the U.S., the U.K., Australia, Canada, and New Zealand urge critical infrastructure network defenders to prepare for and mitigate potential cyber threats, including destructive malware, ransomware, DDoS attacks, and cyber espionage, by hardening their cyber defenses and performing due diligence in identifying indicators of malicious activity. 

Some of the mitigation actions provided in the advisory include prioritizing patching of known exploited vulnerabilities, adopting MFA, monitoring Remote Desktop Protocol (RDP) and other risky services, and providing end-user awareness and training.

“If you’re a critical infrastructure operator, and you aren’t already paying attention to potential cybersecurity consequences of the war in Ukraine, then this warning is unlikely to make a difference,” Tim Erlin, vice president of strategy at Tripwire, wrote in an emailed statement. “On the other hand, if you’re a critical infrastructure operator and you’re looking for a concrete reason to convince someone else in your organization to care about these threats, then this is a very useful advisory,” he added.

Erlin also pointed out that the joint advisory contains an incredible and quite possibly overwhelming amount of detail. “If you’re looking for a history of Russian-aligned threat groups and activity, this advisory is a good place to start. With a broad threat like this, it’s difficult to lay out a single mitigating activity that’s likely to make a difference,” he added.

“CISA Alert AA22-110A contains a lot of useful information for defenders to understand something about the various threat actors, their methods, and motivations. The recommendations provided by CISA are….’bread and butter’ recommendations,” Chris Grove, director of cybersecurity strategy at Nozomi Networks, wrote in an emailed statement. “Meaning, there’s nothing out of the ordinary, nothing over the top, and if operators of critical infrastructure aren’t already doing those things, they should stop now, assume they’ve been breached, and start thinking about resilience, consequence reduction, and the impact to safety,” he added.

Grove said that the message should be loud and clear: Russian nexus state actors are on the prowl, cyberspace has become a messy, hot war zone, and everyone should be prepared for an attack from any direction. “I believe that’s the primary goal of this alert….to ring that bell in the city square letting everyone know there’s a storm on the horizon, so put countermeasures in place…now. Be prepared, and put your shields up,” he added.

On Wednesday, CISA also expanded the scope of its JCDC initiative to include the ICS industry, consisting of security vendors, integrators, and distributors. The move will strengthen the U.S. government’s focus on building the cybersecurity posture and resilience of industrial control systems and operational technology (ICS/OT) environments. The initial companies of the JCDC-ICS effort will include Bechtel, Claroty, Dragos, GE, Honeywell, Nozomi Networks, Schneider Electric, Schweitzer Engineering Laboratories, Siemens, and Xylem, as well as several JCDC alliance partners.