US gov issues fresh warning over Russian threat to critical infrastructure
The FBI, NSA and CISA have urged network defenders to be on "heightened alert" for Russian cyber attacks


Cyber security specialists at the US government have warned critical infrastructure network defenders to "adopt a heightened state of awareness" against Russian state-sponsored cyber attacks.
The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA) issued a joint advisory on Tuesday providing an overview of the tactics and techniques commonly used by Russian state-backed threat actors so the security community can take a more proactive stance on threat hunting.
The trio of federal agencies said these Russian hackers typically exploit flaws in popular enterprise products, listing known issues in products including Cisco routers (CVE-2019-1653), Oracle WebLogic (CVE-2020-14882), Citrix (CVE-2019-19781), Pulse Secure (CVE-2019-11510), and Microsoft Exchange (CVE-2020-0688).
"Russian state-sponsored APT actors have also demonstrated sophisticated tradecraft and cyber capabilities by compromising third-party infrastructure, compromising third-party software, or developing and deploying custom malware," the joint advisory reads. "The actors have also demonstrated the ability to maintain persistent, undetected, long-term access in compromised environments - including cloud environments - by using legitimate credentials.
"In some cases, Russian state-sponsored cyber operations against critical infrastructure organisations have specifically targeted operational technology (OT)/industrial control systems (ICS) networks with destructive malware."
Organisations are advised to apply a range of mitigations to ensure functional resilience and lower the risk of compromise. These include measures such as confirming reporting processes, minimising personnel gaps in security coverage, following industry best practices for identity and access management, and proactively monitoring threat feeds for patches.
Because Russian threat actors have a history of lingering in networks undetected for long periods of time, the FBI, NSA, and CISA also recommend that all critical infrastructure organisations implement robust log collection and retention to aid incident investigations, and proactively look for behavioural irregularities such as password spray attempts and the use of compromised credentials.
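A sketch of the kind of hunt the agencies describe, added here as an illustration and not taken from the advisory: it flags a source that fails logins against many distinct accounts in a short window (a password spray) and lists any account that then logged in successfully from that same source (a possibly compromised credential). The log format, function names and thresholds are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in an assumed format: "timestamp source_ip user result"
SAMPLE_LOG = """\
2022-01-11T09:00:05 203.0.113.7 alice FAIL
2022-01-11T09:01:10 203.0.113.7 bob FAIL
2022-01-11T09:02:15 203.0.113.7 carol FAIL
2022-01-11T09:02:40 198.51.100.20 alice FAIL
2022-01-11T09:03:02 198.51.100.20 alice OK
2022-01-11T09:03:20 203.0.113.7 dave FAIL
2022-01-11T09:04:25 203.0.113.7 erin FAIL
2022-01-11T09:05:30 203.0.113.7 frank OK
"""

def parse(log):
    """Turn log text into sorted (time, ip, user, result) tuples; skip lines without 4 fields."""
    events = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 4:
            ts, ip, user, result = parts
            events.append((datetime.fromisoformat(ts), ip, user, result))
    return sorted(events)

def find_password_spray(events, window=timedelta(minutes=30), min_accounts=5):
    """Flag sources failing against >= min_accounts distinct users within window."""
    failures = defaultdict(list)  # ip -> [(time, user)] in time order
    for ts, ip, user, result in events:
        if result == "FAIL":
            failures[ip].append((ts, user))
    findings = {}
    for ip, fails in failures.items():
        start, sprayed = 0, set()
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1  # slide the window forward
            users = {u for _, u in fails[start:end + 1]}
            if len(users) >= min_accounts:
                sprayed |= users
        if sprayed:
            # Successes from the same source after the spray began: possibly compromised.
            ok = {u for ts, src, u, r in events
                  if src == ip and r == "OK" and ts >= fails[0][0]}
            findings[ip] = {"targeted": sorted(sprayed), "succeeded": sorted(ok)}
    return findings

if __name__ == "__main__":
    print(find_password_spray(parse(SAMPLE_LOG)))
```

The single user who mistypes a password and then logs in from 198.51.100.20 is not flagged, because only one account is involved; retained logs are what make the follow-up check on `succeeded` accounts possible.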
The trio of agencies also highlighted a number of incidents in recent history where Russian state-sponsored hackers have been found to attack local governments and critical infrastructure.
From September 2020 to "at least" December 2020, Russian attackers targeted "dozens" of state, local, tribal, and territorial governments, as well as aviation networks, succeeding in extracting data from multiple victims.
They also pointed to Russia's intrusion campaign in the US energy sector between 2011 and 2018, which deployed malware specially crafted for critical infrastructure environments and stole data related to the industry.
"When the FBI, CISA and NSA team up to issue a joint alert about Russian state-sponsored APTs, every security team on the planet needs to sit up and take notice," said Dr Süleyman Özarslan, co-founder of Picus Security, to IT Pro. "This alert highlights the seriousness and prevalence of ongoing malicious cyber operations by Russian state-sponsored APT actors. It should also be of great assistance to the cybersecurity community in reducing the risk posed by these threats."
The advisory comes as US officials join Russia's representatives in Geneva to discuss Russia's potential invasion of Ukraine, a country which was also on the receiving end of Russian hackers targeting critical infrastructure between 2015 and 2016, the advisory noted.
Cyber security expert and former CISA director Chris Krebs suggested the timing of the advisory's publication could be interpreted as a warning to US organisations to prepare for the Geneva talks to go south, which they reportedly are after eight hours of discussions.

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.