Federal agencies warn of Russian state-sponsored cyber threats to U.S. critical infrastructure

U.S. security agencies on Tuesday released a joint cybersecurity advisory (CSA) that gives an overview of Russian state-sponsored cyber operations, including their commonly observed tactics, techniques, and procedures (TTPs), along with detection actions, incident response guidance, and mitigations. The overview is intended to help the cybersecurity community, especially critical infrastructure network defenders, reduce the risk presented by these threats.

The joint CSA, authored by the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and National Security Agency (NSA), calls upon the cybersecurity community to adopt a heightened state of awareness and to conduct proactive threat hunting. Additionally, the agencies urged network defenders to implement the recommendations, which could help organizations improve their functional resilience by reducing the risk of compromise or severe business degradation.

The joint CSA also pointed out that in some instances the Russian state-sponsored cyber operations against critical infrastructure organizations have specifically targeted operational technology (OT)/industrial control systems (ICS) networks with destructive malware. 

“Russian state-sponsored APT actors have used sophisticated cyber capabilities to target a variety of U.S. and international critical infrastructure organizations, including those in the Defense Industrial Base as well as the Healthcare and Public Health, Energy, Telecommunications, and Government Facilities Sectors,” the advisory said.

High-profile cyber activity publicly attributed to Russian state-sponsored APT actors by the U.S. government includes a campaign against state, local, tribal, and territorial (SLTT) governments and aviation networks from September 2020 through at least December 2020, in which the actors compromised networks and exfiltrated data from multiple victims.

Another instance cited in the joint CSA was an intrusion campaign against the global energy sector between 2011 and 2018. The Russian state-sponsored APT actors conducted a multi-stage intrusion campaign in which they gained remote access to U.S. and international energy sector networks, deployed ICS-focused malware, and collected and exfiltrated enterprise and ICS-related data.

The advisory also pointed to the campaign against Ukrainian critical infrastructure in 2015 and 2016, beginning with a cyberattack against Ukrainian energy distribution companies that left multiple companies with unplanned power outages in December 2015.

“The actors deployed BlackEnergy malware to steal user credentials and used its destructive malware component, KillDisk, to make infected computers inoperable. In 2016, these actors conducted a cyber-intrusion campaign against a Ukrainian electrical transmission company and deployed CrashOverride malware specifically designed to attack power grids,” the joint CSA pointed out.

Historically, Russian state-sponsored advanced persistent threat (APT) hackers have used common but effective tactics, including spearphishing, brute force, and exploiting known vulnerabilities against accounts and networks with weak security, to gain initial access to target networks, according to the CSA.

The agencies said that vulnerabilities known to be exploited by Russian state-sponsored APT adversaries for initial access affected FortiGate VPNs, Cisco routers, Oracle WebLogic Server (two separate vulnerabilities), Kibana, Zimbra software, the Exim mail transfer agent, Pulse Secure, Citrix, Microsoft Exchange, VMware, and F5 BIG-IP. The advisory pairs each product with a specific CVE identifier, which defenders can use to confirm patch status on internet-facing systems.

Russian state-sponsored APT hackers have also demonstrated sophisticated tradecraft and cyber capabilities by compromising third-party infrastructure, compromising third-party software, or developing and deploying custom malware. The adversaries have also demonstrated the ability to maintain persistent, undetected, long-term access in compromised environments, including cloud environments, by using legitimate credentials.
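The brute-force initial access described above and the follow-on use of valid credentials are both visible in authentication logs, which is where the proactive hunting the advisory calls for can start. The following is an added example, not code from the advisory or from the article: it runs a hunt over constructed VPN/SSO authentication log lines (the log format, field names, IP addresses, usernames and thresholds are all assumptions) and flags a source that tried a guess against many different accounts, then any successful login from that same source, which is the point at which a password spray becomes a valid-credential foothold.

```python
"""Hunt for password spraying followed by use of a validated credential.

Added example (not from the advisory or the article): scans constructed
authentication log lines for the brute-force pattern the CSA lists under
initial access and for the follow-on 'legitimate credential' login that
turns a spray into persistent access. The log format, the thresholds and
the sample lines below are assumptions made for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Assumed syslog-style format: "<ISO time> auth <RESULT> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>SUCCESS|FAILURE) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: 203.0.113.7 tries one guess against many accounts and
# then succeeds as 'jdoe'; 198.51.100.5 is a normal user mistyping a password.
SAMPLE_LOG = """\
2022-01-11T08:00:01Z auth FAILURE user=alice src=203.0.113.7
2022-01-11T08:00:03Z auth FAILURE user=bob src=203.0.113.7
2022-01-11T08:00:05Z auth FAILURE user=carol src=203.0.113.7
2022-01-11T08:00:07Z auth FAILURE user=dave src=203.0.113.7
2022-01-11T08:00:09Z auth FAILURE user=erin src=203.0.113.7
2022-01-11T08:00:11Z auth FAILURE user=frank src=203.0.113.7
2022-01-11T08:00:13Z auth SUCCESS user=jdoe src=203.0.113.7
2022-01-11T08:05:00Z auth FAILURE user=grace src=198.51.100.5
2022-01-11T08:05:10Z auth SUCCESS user=grace src=198.51.100.5
"""


def parse(log_text):
    """Parse lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(d)
    return events


def find_password_spray(events, min_users=5, window=timedelta(minutes=10)):
    """Return {src: set(users)} for sources whose failures hit at least
    min_users distinct accounts inside one sliding time window.  Spraying is
    a few guesses per account across many accounts, so the signal is the
    number of distinct usernames, not the raw failure count per account."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "FAILURE":
            failures[e["src"]].append(e)
    sprayers = {}
    for src, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in evs[start:end + 1]}
            if len(users) >= min_users:
                sprayers[src] = sprayers.get(src, set()) | users
    return sprayers


def find_post_spray_logins(events, sprayers):
    """Successful logins from a spraying source at or after its first failure:
    whatever credential worked is now a valid credential in adversary hands."""
    first_fail = {}
    for e in events:
        if e["result"] == "FAILURE" and e["src"] in sprayers:
            if e["src"] not in first_fail or e["ts"] < first_fail[e["src"]]:
                first_fail[e["src"]] = e["ts"]
    return [
        (e["src"], e["user"])
        for e in events
        if e["result"] == "SUCCESS"
        and e["src"] in first_fail
        and e["ts"] >= first_fail[e["src"]]
    ]


def hunt(log_text):
    """Run both checks and return (sprayers, validated-credential logins)."""
    events = parse(log_text)
    sprayers = find_password_spray(events)
    return sprayers, find_post_spray_logins(events, sprayers)


if __name__ == "__main__":
    sprayers, hits = hunt(SAMPLE_LOG)
    for src, users in sprayers.items():
        print(f"spray from {src}: {len(users)} distinct accounts tried")
    for src, user in hits:
        print(f"valid credential in use: {user} from {src}; reset it and review sessions")
```

The threshold of five accounts in ten minutes is an assumed starting point and has to be tuned against the real login volume of the service being watched; a wide, slow spray from many source addresses will need the same logic keyed on something other than source IP. Any account in the second list should be treated as compromised rather than merely suspicious: reset the credential, revoke its active sessions, and check what that session touched, since the advisory notes these actors keep long-term access on exactly such valid credentials.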

“To win the war, you need a strategy,” Julia O’Toole, founder and CEO of MyCena, told Industrial Cyber. “The real problem lies in an access architecture flaw, whereby one single point of access compromission can bring down not just the house but hundreds and thousands of other houses at the same time.” 

To stop lateral movement and supply-chain attacks, “we need to shift from a centralised to a decentralised access architecture, removing privileged accounts, automating systems segmentation and using encrypted access for each system. With no infrastructure change and no effort for users, companies can then contain any breach by default and reduce the impact of the attack,” O’Toole added.

“This alert not only contains information about the threat, but real, actionable information that organizations can use to defend themselves,” Tim Erlin, VP of strategy at Tripwire, wrote in an emailed statement. “The use of the MITRE ATT&CK framework to identify the malicious activity, and to map to valid mitigation actions is highly valuable. This alert is focused on a specific set of threats and actions to identify and respond to those threats.”

Organizations should also review their preventive controls against the tools and techniques described in this alert, according to Erlin. “Identifying the attack in progress is important, but preventing the attack from being successful at all is better,” he added.

In addition to coping with Russian state-sponsored APT hackers, the critical infrastructure sector has been dealing with the Log4j vulnerabilities for over a month now. CISA officials said on Monday that the agency is continuing to work with federal agencies and the public to mitigate potential exposure, and is also renewing calls for a software bill of materials (SBOM) to aid in system visibility and inventory management.

CISA director Jen Easterly and executive director of cybersecurity Eric Goldstein said that the agency hasn’t seen any ‘significant intrusions’ to date from the Log4j vulnerability.

U.S. Senator Gary Peters convened a virtual committee briefing with administration officials last week to get additional information on how the Log4j cyber security threat is affecting the federal government, critical infrastructure, and other entities, and what the administration has been doing to help remediate the issue.
