Mitigating Russian state-sponsored cyber threats to US critical infrastructure

In a new Cybersecurity Advisory (CSA), the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and National Security Agency (NSA) are asking cybersecurity community — especially critical infrastructure network defenders — to adopt a heightened state of awareness, conduct proactive threat hunting, and implement the mitigations to mitigate Russian-state sponsored threat actors.

The CSA provides an overview of Russian state-sponsored cyber operations; commonly observed tactics, techniques, and procedures (TTPs); detection actions; incident response guidance; and mitigations. The overview is intended to help the cybersecurity community reduce the risk presented by these threats.

CISA, the FBI, and NSA are encouraging critical infrastructure network defenders to adopt the mitigations outlined in the CSA to help organizations improve their functional resilience by reducing the risk of compromise or severe business degradation.

Be prepared. Confirm reporting processes and minimize personnel gaps in IT/OT security coverage. Create, maintain, and exercise a cyber incident response plan, resilience plan, and continuity of operations plan so that critical functions and operations can be kept running if technology systems are disrupted or need to be taken offline.
Enhance the organization’s cyber posture. Follow best practices for identity and access management, protective controls and architecture, and vulnerability and configuration management.
Increase organizational vigilance. Stay current on reporting on this threat. Subscribe to CISA’s mailing list and feeds to receive notifications when CISA releases information about a security topic or threat.

In the CSA, the agencies note that Russian state-sponsored APT actors have also demonstrated sophisticated tradecraft and cyber capabilities by compromising third-party infrastructure, compromising third-party software, or developing and deploying custom malware. The actors have also demonstrated the ability to maintain persistent, undetected, long-term access in compromised environments — including cloud environments — by using legitimate credentials.

Russian state-sponsored APT actors have used sophisticated cyber capabilities to target a variety of U.S. and international critical infrastructure organizations, including those in the Defense Industrial Base as well as the Healthcare and Public Health, Energy, Telecommunications, and Government Facilities Sectors. High-profile cyber activity publicly attributed to Russian state-sponsored APT actors by U.S. government reporting and legal actions includes:

Russian state-sponsored APT actors targeting state, local, tribal, and territorial (SLTT) governments and aviation networks, September 2020, through at least December 2020. Russian state-sponsored APT actors targeted dozens of SLTT government and aviation networks. The actors successfully compromised networks and exfiltrated data from multiple victims.
Russian state-sponsored APT actors’ global Energy Sector intrusion campaign, 2011 to 2018. These Russian state-sponsored APT actors conducted a multi-stage intrusion campaign in which they gained remote access to U.S. and international Energy Sector networks, deployed ICS-focused malware, and collected and exfiltrated enterprise and ICS-related data.
Russian state-sponsored APT actors’ campaign against Ukrainian critical infrastructure, 2015 and 2016. Russian state-sponsored APT actors conducted a cyberattack against Ukrainian energy distribution companies, leading to multiple companies experiencing unplanned power outages in December 2015. The actors deployed BlackEnergy malware to steal user credentials and used its destructive malware component, KillDisk, to make infected computers inoperable. In 2016, these actors conducted a cyber-intrusion campaign against a Ukrainian electrical transmission company and deployed CrashOverride malware specifically designed to attack power grids.

Tim Wade, Technical Director, CTO Team at Vectra, a California-based AI cybersecurity company, says, "I can’t recall a time in my life when Russia wasn’t aggressively probing western resolve, ranging from tactical incursions into air space to pulling strategic economic levers. This activity is just a continuation of that long standing tradition, and I read this advisory as another periodic reminder of the background radiation of global politics — if you’re operating critical infrastructure and are under the impression that you aren’t squarely in an operator’s crosshairs, you’re wrong."

Advisories like this do little to help defenders actually protect themselves, says John Bambenek, Principal Threat Hunter at Netenrich, a California-based digital IT and security operations company. "I read this and don’t have any more insight into detecting and preventing these attacks than before. Its 2022, these agencies hopefully can reach directly out to organizations with more specific guidance because public announcements aren’t helpful and there are reasons not to be too specific in them as well."

Rick Holland, Chief Information Security Officer, Vice President Strategy at Digital Shadows, a San Francisco-based provider of digital risk protection solutions, says, "The main takeaway from the CISA Russian cyber threat alert is "logs, or it didn't happen." When defending against sophisticated Russian adversaries (or any group), you must have a security monitoring infrastructure that provides situational awareness to detect and respond to intrusions. You must have sensors in place to capture malicious activity. You must also retain those logs for retroactive threat hunting as you develop and acquire new intelligence. Defenders should conduct an annual gap analysis of their monitoring capabilities and quickly plan to mitigate any collection gaps. You don't want to be in a position where you have to say.

Holland adds, "The second takeaway is that these actors use "Common but effective tactics." Although these groups have sophisticated capabilities (e.g., Solarwinds intrusion), they also rely on low-hanging fruit tactics and techniques. While it isn't sexy, effective security hygiene like patching known vulnerabilities on external services raises the adversary costs and makes their job harder. Don't be a soft target. The advisory doesn't mention the current Russian Ukraine tensions, but if the conflict escalates, you can expect Russian cyber threats to increase their operations. Cyberspace has become a key component of geopolitics. Russian APT groups aren't at the top of the threat model for all companies, unlike the critical infrastructure providers mentioned in the alert, but could end up being collateral damage."

ON DEMAND: Business-impacting events such as severe weather, man-made disasters, and supply chain disruption are increasing in frequency and making impacts around the globe.

In today's rapidly evolving security landscape, organizations face an ever-growing array of disruptive events, security threats and risks. Traditional reactive approaches to security intelligence often leave businesses vulnerable and ill-prepared to anticipate and mitigate emerging threats that could impact the safety of their people, facilities or operations.