FBI warns US energy firms of network scanning activity from multiple Russia-based IP addresses

The Federal Bureau of Investigation (FBI) has reportedly warned the U.S. energy sector about network scanning activity stemming from multiple Russia-based IP addresses. The activity is believed to be associated with cyber hackers ‘who previously conducted destructive cyber activity against foreign critical infrastructure.’ 

“The FBI has identified 140 overlapping IP addresses linked to ‘abnormal scanning’ activity of at least five U.S. energy companies, as well as at least 18 other U.S. companies spanning the defense industrial base, financial services, and information technology,” CBS News reported on Tuesday. 

However, according to the FBI assessment, the focus appears to be on entities within the energy sector. “US Energy Sector entities are advised to examine current network traffic for these IP addresses and conduct follow-on investigations if observed,” according to the alert.

Federal law enforcement said the activity from the Russian IP addresses ‘likely indicates early stages of reconnaissance, scanning networks for vulnerabilities for use in potential future intrusions.’

The FBI said that the IP addresses, identified by law enforcement, began scanning U.S. critical infrastructure as early as March last year. “This scanning activity has increased since the start of the Russia/Ukraine conflict, leading to a greater possibility of future intrusions,” the bulletin notes. “While the FBI recognizes that scanning activity is common on a network, these reported IPs have been previously identified as conducting activity in conjunction with active exploitation of a foreign victim, which resulted in destruction of the victim’s systems.”

The FBI said it cannot directly correlate these IP addresses to successful exploitation and provides indicators of compromise ‘out of an abundance of caution.’
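As an added example (not code from the FBI bulletin or from this article), the following Python script does what the bulletin asks of energy-sector defenders: it sweeps exported connection logs for a list of IOC addresses, matching both the source and the destination of each connection, and summarizes what each matching address did. The bulletin's 140 addresses are not reproduced on this page, so `IOC_LIST` is a constructed placeholder built from RFC 5737 documentation ranges; the log lines are constructed samples in a simplified `timestamp src dst dport proto action` export format; and the port and host thresholds used to label a source as scan-like are assumed values, not figures from the bulletin.

```python
import ipaddress

# Constructed placeholder IOC list (RFC 5737 documentation ranges).  The
# bulletin's 140 addresses are not on the page; substitute them here.
# Entries may be single addresses or CIDR blocks.
IOC_LIST = ["203.0.113.17", "203.0.113.42", "198.51.100.0/28"]

# Constructed sample firewall export, one connection per line:
#   <ISO-8601 UTC timestamp> <src_ip> <dst_ip> <dst_port> <proto> <action>
# The last data line is an allowed OUTBOUND connection to an IOC address,
# the case a sweep that only checks source IPs would miss.
SAMPLE_LOG = """\
2022-03-15T08:00:01Z 203.0.113.17 10.20.0.5 22 tcp deny
2022-03-15T08:00:02Z 203.0.113.17 10.20.0.5 23 tcp deny
2022-03-15T08:00:02Z 203.0.113.17 10.20.0.5 80 tcp allow
2022-03-15T08:00:03Z 203.0.113.17 10.20.0.5 443 tcp allow
2022-03-15T08:00:03Z 203.0.113.17 10.20.0.5 502 tcp deny
2022-03-15T08:00:04Z 203.0.113.17 10.20.0.5 3389 tcp deny
2022-03-15T08:00:05Z 203.0.113.17 10.20.0.6 502 tcp deny
2022-03-15T08:00:06Z 203.0.113.17 10.20.0.7 502 tcp deny
2022-03-15T08:00:07Z 203.0.113.17 10.20.0.8 502 tcp deny
2022-03-15T08:00:08Z 203.0.113.17 10.20.0.9 502 tcp deny
2022-03-15T08:01:00Z 198.51.100.9 10.20.0.5 443 tcp allow
2022-03-15T08:01:30Z 192.0.2.200 10.20.0.5 443 tcp allow
2022-03-15T08:02:00Z 192.0.2.200 10.20.0.5 443 tcp allow
this line is malformed and must be skipped
2022-03-15T08:03:00Z 10.20.0.5 203.0.113.42 443 tcp allow
"""

# Assumed heuristics for "scan-like" behaviour (not from the bulletin):
# one source touching at least this many distinct ports or distinct hosts.
SCAN_PORT_THRESHOLD = 5
SCAN_HOST_THRESHOLD = 5


def load_iocs(entries):
    """Parse IOC strings (single IPs or CIDR blocks) into network objects."""
    return [ipaddress.ip_network(e.strip(), strict=False)
            for e in entries if e.strip()]


def matches_ioc(ip, nets):
    """True if ip (a string) falls inside any IOC network; bad input never matches."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr.version == n.version and addr in n for n in nets)


def parse_line(line):
    """Split one export line into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, dst, dport, proto, action = parts
    try:
        dport = int(dport)
    except ValueError:
        return None
    return {"ts": ts, "src": src, "dst": dst, "dport": dport,
            "proto": proto.lower(), "action": action.lower()}


def sweep(lines, nets):
    """Return a per-IOC-address summary of every connection that touched it."""
    summaries = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        inbound = matches_ioc(rec["src"], nets)    # IOC is the source
        outbound = matches_ioc(rec["dst"], nets)   # IOC is the destination
        if not (inbound or outbound):
            continue
        ioc_ip = rec["src"] if inbound else rec["dst"]
        peer = rec["dst"] if inbound else rec["src"]
        s = summaries.setdefault(ioc_ip, {
            "hits": 0, "allowed": 0, "outbound": 0,
            "ports": set(), "targets": set(),
            "first_seen": rec["ts"], "last_seen": rec["ts"],
        })
        s["hits"] += 1
        if rec["action"] == "allow":
            s["allowed"] += 1
        if outbound:
            s["outbound"] += 1
        s["ports"].add(rec["dport"])
        s["targets"].add(peer)
        # ISO-8601 UTC strings of one fixed format compare correctly as text.
        s["first_seen"] = min(s["first_seen"], rec["ts"])
        s["last_seen"] = max(s["last_seen"], rec["ts"])
    for s in summaries.values():
        s["scan_like"] = (len(s["ports"]) >= SCAN_PORT_THRESHOLD
                          or len(s["targets"]) >= SCAN_HOST_THRESHOLD)
    return summaries


if __name__ == "__main__":
    results = sweep(SAMPLE_LOG.splitlines(), load_iocs(IOC_LIST))
    for ioc_ip, s in sorted(results.items()):
        print(f"{ioc_ip}: {s['hits']} hits ({s['allowed']} allowed, "
              f"{s['outbound']} outbound), {len(s['ports'])} ports, "
              f"{len(s['targets'])} hosts, {s['first_seen']}..{s['last_seen']}, "
              f"scan_like={s['scan_like']}")
```

Two design points follow from the bulletin's own wording. Because plain scanning is common, the summary counts distinct ports and hosts per address so a reviewer can separate a broad sweep from a handful of targeted connections. And because the IOC match is applied to the destination as well as the source, an allowed outbound connection to one of the addresses (a possible callback after a successful intrusion) is surfaced rather than buried among inbound denies. Treat the output as input to the follow-on investigation the FBI asks for, not as a block list, since the bulletin itself does not tie these addresses to successful exploitation.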

The FBI bulletin, issued on Mar. 18, was published just days before U.S. President Joe Biden announced this week that critical infrastructure owners and operators must improve domestic cybersecurity and bolster national resilience. The President’s advisory is based on ‘evolving intelligence’ that the Russian government is exploring options for potential cyberattacks on the nation’s critical infrastructure.

The FBI alert came to light on the same day that Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA), pointed to the maritime transportation sector as an increasingly imperiled soft spot in U.S. critical infrastructure.

“Given the vital role of the industry, the importance of securing systems and functions that make up the maritime transportation sector cannot be overstated,” Easterly said at the Hack the Port conference on Tuesday. “That said, protecting the industry from cyber threats is really becoming increasingly complex, as connected and often unsecure control systems make maritime organizations a prime target for malicious actors,” she added.

The U.S. Department of Health & Human Services Health Sector Cybersecurity Coordination Center (HC3) and Health-ISAC also issued a joint alert to the healthcare sector on Tuesday to raise awareness of the Russia-Ukraine tensions, of credible threats to U.S. critical infrastructure sectors (though none specific to healthcare), and of potential mitigations for Russian cyberattacks.

The WaterISAC also asked owners and operators in the water and wastewater sector to regularly review CISA’s Shields Up, Shields Up Technical Guidance, and Known Exploited Vulnerabilities Catalog for updates, and previously published WaterISAC and EPA webinars and advisories for cybersecurity measures and relevant resources to protect against Russian state-sponsored cyber activity.

The U.K.’s National Cyber Security Centre (NCSC) also backed President Biden’s call for organizations to increase their cybersecurity vigilance in response to Russia’s unprovoked, illegal and unnecessary invasion of Ukraine. 

The European Commission proposed new rules to establish common cybersecurity and information security measures across the European Union (EU) institutions, bodies, offices, and agencies on Tuesday. The proposal aims to bolster their resilience and response capacities against cyber threats and incidents and to ensure a resilient, secure EU public administration amidst rising malicious cyber activities in the global landscape. 

“In a connected environment, a single cybersecurity incident can affect an entire organisation. This is why it is critical to build a strong shield against cyber threats and incidents that could disturb our capacity to act,” Johannes Hahn, Commissioner for Budget and Administration, said in a media statement. “The regulations we are proposing today are a milestone in the EU cybersecurity and information security landscape. They are based on reinforced cooperation and mutual support among EU institutions, bodies, offices, and agencies and on a coordinated preparedness and response. This is a real EU collective endeavour,” he added.

The prevailing geopolitical turbulence has led to numerous cyberattacks across various sectors, including energy and oil transport and storage companies across Europe. On Monday, the Anonymous hacker group said it “will continue our assault on Russian government systems until they leave Ukraine.” The latest announcement came after the group claimed to have leaked data stolen from Russian pipeline company Transneft.

In a Twitter message, Anonymous said that it had leaked “79 gigabytes of emails from the OMEGA Company, the R&D department of Russia’s state-controlled pipeline company #Transneft #Anonymous.”

Last week, Anonymous said it had attacked the systems of the German subsidiary of Russian energy giant Rosneft and stolen 20 TB of data. According to the company, the breach did not affect Rosneft’s business operations or the supply situation, although its systems were affected. 

However, the attack prompted German security authorities to issue a security warning to other stakeholders in the petroleum industry.
