Russian groups could launch ‘destructive and disruptive attacks’ on critical national infrastructure, UK NCSC warns

The U.K.’s National Cyber Security Centre (NCSC) issued an alert to critical national infrastructure (CNI) organizations warning of an emerging threat from state-aligned groups. The threat comes particularly from state-aligned groups sympathetic to Russia’s invasion of Ukraine and has emerged over the past 18 months. The NCSC also revealed that some groups have stated an intent to launch ‘destructive and disruptive attacks’ and that CNI organizations should ensure they have taken steps outlined in the NCSC’s heightened threat guidance to strengthen their defenses. 

“Over the past 18 months, a new class of Russian cyber adversary has emerged. These state-aligned groups are often sympathetic to Russia’s invasion and are ideologically, rather than financially, motivated,” the NCSC warned in a Wednesday alert. Although these groups can align with Russia’s perceived interests, they are often not subject to formal state control, so their actions are less constrained and have broader targeting than traditional cybercrime hackers, which makes them less predictable. 

These groups are not motivated by financial gain, nor subject to control by the state, so their actions can be less predictable and their targeting broader than that of traditional cyber crime actors, the alert added.

While in the short term, any activity from the groups is likely to take the form of Distributed Denial of Service (DDoS) attacks, website defacements, or the spread of misinformation, some groups have stated a desire to achieve a more destructive impact against western infrastructure, the alert said.

It added that while the cyber activity of these groups often focuses on DDoS attacks, website defacements, and/or the spread of misinformation, “some have stated a desire to achieve a more disruptive and destructive impact against western critical national infrastructure (CNI), including in the UK. We expect these groups to look for opportunities to create such an impact, particularly if systems are poorly protected,” the NCSC added.

Without external assistance, “we consider it unlikely that these groups have the capability to deliberately cause a destructive, rather than disruptive, impact in the short term. But they may become more effective over time, and so the NCSC is recommending that organisations act now to manage the risk against successful future attacks,” the alert added.

“It has become clear that certain state-aligned groups have the intent to cause damage to CNI organisations, and it is important that the sector is aware of this,” Dr. Marsha Quallo-Wright, NCSC deputy director for critical national infrastructure, said in a media statement. “In the wake of this emerging threat, our message to CNI sectors is to take sensible, proportionate steps now to protect themselves. The NCSC has produced advice for organisations on steps to take when the cyber threat is heightened, and I would strongly encourage all CNI organisations to follow this now,” she added.

Given that the threat level that an organization faces may vary over time, the NCSC identifies a need to strike a balance between the current threat, the measures needed to defend against it, the implications and cost of those defenses, and the overall risk this presents to the organization. There may be times when the cyber threat to an organization is greater than usual. Moving to heightened alert can help prioritize necessary cybersecurity work, offer a temporary boost to defenses, and give organizations the best chance of preventing a cyber attack when it may be more likely, and recovering quickly if it happens.

The NCSC said that an organization’s view of its cyber risk might change if new information emerges that the threat has heightened. “This might be because of a temporary uplift in adversary capability if for example there is a zero-day vulnerability in a widely used service that capable threat actors are actively exploiting. Or it could be more specific to a particular organisation, sector, or even country, resulting from hacktivism or geopolitical tensions,” it added.

These diverse factors mean that organizations of all sizes must take steps to ensure they can respond to these events. It is rare for an organization to be able to influence the threat level, so actions usually focus on reducing its vulnerability to attack in the first place and reducing the impact of a successful attack, the NCSC said.

“Even the most sophisticated and determined attacker will use known vulnerabilities, misconfigurations or credential attacks (such as password spraying, attempting use of breached passwords or authentication token reuse) if they can,” the NCSC said. “Removing their ability to use these techniques can reduce the cyber risk to your organisation,” it added.

The NCSC said that the most important thing for organizations of all sizes is to make sure that the fundamentals of cyber security are in place to protect their devices, networks, and systems. Organizations must check their system patching, verify access controls, ensure defenses are working, review logs and monitoring, and review their backups. They must also check that their incident response plan is up to date, check their internet footprint and phishing response, and have a comprehensive understanding of their third-party access.
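The “review logs and monitoring” check above is where the credential attacks the NCSC names (password spraying in particular) become visible. The following is an added example, not code from the article or from the NCSC: a small detector that separates a spray pattern (one source failing against many accounts, few attempts per account) from a brute-force pattern (one source hammering one account), and reports whether the spraying source later logged in successfully. The log format, field names, thresholds and all sample lines are constructed assumptions; a real deployment would replace `parse_line()` with a parser for its own source (Windows 4625 events, sshd, IdP sign-in logs).

```python
"""Password-spraying vs. brute-force detection over authentication logs.

Added example (not from the NCSC alert or the article). The log format below is
an assumption: one event per line, "ISO-timestamp RESULT user source_ip".
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (assumed format). 203.0.113.7 sprays one
# attempt each across many accounts and then succeeds as "grace";
# 198.51.100.4 brute-forces "admin"; 192.0.2.9 is a user who mistyped once.
SAMPLE_LOG = """\
2023-04-19T09:00:01Z FAIL alice 203.0.113.7
2023-04-19T09:00:04Z FAIL bob 203.0.113.7
2023-04-19T09:00:07Z FAIL carol 203.0.113.7
2023-04-19T09:00:10Z FAIL dave 203.0.113.7
2023-04-19T09:00:13Z FAIL erin 203.0.113.7
2023-04-19T09:00:16Z FAIL frank 203.0.113.7
2023-04-19T09:00:19Z OK grace 203.0.113.7
2023-04-19T09:01:00Z FAIL admin 198.51.100.4
2023-04-19T09:01:01Z FAIL admin 198.51.100.4
2023-04-19T09:01:02Z FAIL admin 198.51.100.4
2023-04-19T09:01:03Z FAIL admin 198.51.100.4
2023-04-19T09:01:04Z FAIL admin 198.51.100.4
2023-04-19T09:01:05Z FAIL admin 198.51.100.4
2023-04-19T09:02:00Z FAIL heidi 192.0.2.9
2023-04-19T09:02:30Z OK heidi 192.0.2.9
"""


def parse_line(line):
    """Split one assumed-format log line into (timestamp, result, user, ip)."""
    ts, result, user, ip = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result, user, ip


def classify_sources(lines, window=timedelta(minutes=10), min_accounts=5,
                     max_per_account=2, brute_threshold=5):
    """Return {source_ip: finding} for sources whose failures match a pattern.

    spray:       within `window`, failures against >= min_accounts distinct
                 accounts with at most max_per_account attempts each.
    brute_force: within `window`, >= brute_threshold failures on one account.
    The first window that crosses a threshold is reported for each source.
    """
    failures = defaultdict(list)   # ip -> [(timestamp, user)]
    successes = defaultdict(set)   # ip -> {user}
    for line in lines:
        if not line.strip():
            continue
        ts, result, user, ip = parse_line(line)
        if result == "FAIL":
            failures[ip].append((ts, user))
        elif result == "OK":
            successes[ip].add(user)

    findings = {}
    for ip, attempts in failures.items():
        attempts.sort()
        start = 0
        for end, (ts_end, _) in enumerate(attempts):
            # Slide the window so it spans at most `window` of time.
            while ts_end - attempts[start][0] > window:
                start += 1
            per_account = Counter(u for _, u in attempts[start:end + 1])
            spray = (len(per_account) >= min_accounts
                     and max(per_account.values()) <= max_per_account)
            brute = max(per_account.values()) >= brute_threshold
            if spray or brute:
                findings[ip] = {
                    "pattern": "spray" if spray else "brute_force",
                    "accounts": sorted(per_account),
                    # A later successful login from the same source is the
                    # signal that turns a noisy alert into an incident.
                    "followed_by_success": sorted(successes[ip]),
                }
                break
    return findings


if __name__ == "__main__":
    for ip, finding in classify_sources(SAMPLE_LOG.splitlines()).items():
        print(ip, finding)
```

The thresholds are deliberately parameters: a spray against a large directory may use one attempt per account across hundreds of names over hours, so the window and `min_accounts` should be tuned to the size of the directory and the lockout policy, and the `followed_by_success` field is the one worth paging on.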

Large organizations should carry out all the actions outlined above, to ensure that the most fundamental security measures are in place, the NCSC added. “Organisations and sector regulators using the Cyber Assessment Framework to help them understand cyber risk should note that the CAF contains guidance on all the areas included in the actions above. If your organisation has deprioritised these areas of the CAF, you are advised to revisit those decisions immediately when the threat is heightened.”

The agency also said if the organization has plans in place to make cyber security improvements over time, they should review whether to accelerate the implementation of key mitigating measures, accepting that this will likely require reprioritization of resources or investment. “No technology service or system is entirely risk free and mature organisations take balanced and informed risk-based decisions. When the threat is heightened, organisations should revisit key risk-based decisions and validate whether the organisation is willing to continue to tolerate those risks or whether it is better to invest in remediation or accept a capability reduction,” it added.

NCSC also disclosed that some system functions, such as rich data exchange from untrusted networks, may inherently bring a greater level of cyber risk. “Large organisations should assess whether it is appropriate to accept a temporary reduction in functionality to reduce the threat exposure. Larger organisations will have mechanisms for assessing, testing, and applying software patches at scale. When the threat is heightened, your organisations may wish to take a more aggressive approach to patching security vulnerabilities, accepting that this may have a service impact itself,” it added.

During this time, large organizations should consider delaying any significant system changes that are not security related, the NCSC added. “If you have an operational security team or SOC it may be helpful to consider arrangements for extended operational hours or to put in place contingency plans to scale up operations quickly if a cyber incident occurs. If you have systems in place that can take automated action or notifications based on threat intelligence, you might also consider procuring threat feeds that may give you information relevant to the period of heightened threat.”

The U.K. government outlined in December proposals that concern all organizations within the scope of the Network and Information Systems (NIS) regulations, as well as other private and public entities that provide digital services (or a form of service) that an essential service relies on. These measures seek to address gaps and threats, particularly within the NIS regulations, through a comprehensive set of interventions, and are intended to mature into a longer-term vision for the protection of the U.K.’s essential services and critical national infrastructure, and for the increase of wider cyber resilience across the economy.

On Tuesday, the NCSC, together with the U.S. cybersecurity agencies (the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and the Cybersecurity and Infrastructure Security Agency (CISA)), released a joint Cybersecurity Advisory (CSA) report on the tactics, techniques, and procedures (TTPs) associated with APT28’s exploitation of Cisco routers. The agencies assess that the APT28 group exploits a known vulnerability to carry out reconnaissance of routers and deploy malware, accessing poorly maintained Cisco routers and deploying malware on unpatched devices using CVE-2017-6742.
