The Federal Bureau of Investigation (FBI), The National Security Agency (NSA), and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint cybersecurity alert on Russian state-sponsored attacks targeting state, local, tribal, and territorial (SLTT) governments, critical infrastructure organizations, and aviation networks.
CISA, FBI, and NSA noted that the advisory was part of a “continuing cybersecurity mission” to alert “organizations of potential criminal or nation-state cyber threats.”
The alert highlighted various tactics, techniques, and procedures (TTPs), detection mechanisms, incident response guidelines, and mitigations to prevent Russian cyber aggression.
According to the joint cybersecurity advisory, Russian state-sponsored attacks exhibit an extreme degree of sophistication.
The agencies noted that Russian state-sponsored advanced persistent threat actors frequently utilized common but effective tactics such as spear phishing, brute force, and exploiting known vulnerabilities to gain initial access to target networks.
The agencies listed commonly exploited vulnerabilities used by Russian APTs, affecting FortiGate VPNs, Cisco routers, Oracle WebLogic servers, Microsoft Exchange servers, and other widely deployed products.
The alert also stated that Russian state-sponsored hackers compromised third-party infrastructure, including cloud environments, third-party software, and developed custom malware for their campaigns.
Additionally, they demonstrated their ability to maintain long-time persistence without detection by using legitimate credentials.
The hackers also targeted critical infrastructure organizations through operational technology (OT) and industrial control systems (ICS) with potent malware. CISA had issued six alerts on Russian state-sponsored APTs targeting organizations through industrial control systems.
The alert also listed three cyber campaigns targeting critical infrastructure organizations, government, and aviation networks. Between September 2020 and December 2020, federal agencies observed Russian hackers targeting SLTT governments and aviation networks. Between 2011 and 2018, Russian state-sponsored APT actors targeted the global energy sector with ICS malware. Similarly, between 2015 and 2016, Russian state-sponsored hackers conducted a campaign against Ukrainian critical infrastructure, deploying BlackEnergy malware that led to power outages.
“The current security state of complex infrastructure systems is, unfortunately, one of the massive opportunities for attackers,” said Sam Jones, VP of Product Management, Stellar Cyber. “The attack surface of these systems is so large, and oftentimes very outdated, that it is incredibly difficult to defend everything. This is why mentally assuming a breach is so important and focusing on defending only what matters most is the only realistic approach to staying secure.”
Protecting critical infrastructure from Russian state-sponsored attacks
The federal agencies advised organizations to be proactive in security to prevent Russian state-sponsored actors from infiltrating critical infrastructure networks.
“CISA, the FBI, and NSA encourage the cybersecurity community, especially critical infrastructure network defenders to adopt a heightened state of awareness and to conduct proactive threat hunting, as outlined in the Detection section,” the alert stated.
Additionally, the federal agencies encouraged network defenders to apply various mitigations to prevent disruptions from Russian state-sponsored attacks.
The joint cybersecurity advisory outlined various actions that network defenders should take to protect organizations, especially for critical infrastructure entities.
Readiness – The agencies advised organizations to be prepared by confirming reporting processes, minimizing coverage gaps, and creating, maintaining, and exercising a cyber incident response plan, a resilience plan, and a continuity of operations plan.
Enhancing organizational cybersecurity posture – Organizations can achieve this goal by following industry best practices in identity and access management, protective controls and architecture, and vulnerability and configuration management.
Increase organizational vigilance – Organizations should stay current on reporting about the Russian cyber threat by subscribing to CISA’s mailing list, which sends notifications when CISA publishes new threat information.
More specific recommendations include logical zoning of OT and ICS networks based on operational necessity and risk, and defining acceptable communication conduits between the zones.
Organizations should also implement a patch management system and a robust log collection strategy, enforce strong passwords and multi-factor authentication, deploy security solutions such as antivirus software, and block unnecessary ports and protocols.
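The brute-force access described in the advisory leaves a recognizable trace in the logs that the recommended log collection strategy gathers: a burst of failed logins from one source followed by a successful login with the guessed credential, after which the actor looks like a legitimate user. The script below is an added example, not part of the advisory or this article; it parses constructed SSH-style authentication log lines (the format, the hostnames and addresses, and the threshold of five failures within ten minutes are all assumptions chosen for illustration) and reports sources that exceeded the failure threshold, separating those that went on to authenticate successfully from those that only kept guessing.

```python
"""Detect password-guessing bursts in collected auth logs.

Added example (not from the advisory or the article). Two findings:
  * sources that produced >= FAIL_THRESHOLD failures within WINDOW and
    then logged in successfully (credential likely guessed; that account
    now looks like a legitimate user and needs a credential reset and a
    review of what it did afterwards);
  * sources that crossed the threshold at all (candidates for blocking).
Threshold, window and the log format are assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5              # assumed tuning value
WINDOW = timedelta(minutes=10)  # assumed sliding window

# Constructed sample log lines (not real data; RFC 5737 documentation addresses).
SAMPLE_LOG = """\
2022-01-11T09:00:01 sshd[1201]: Failed password for admin from 198.51.100.23 port 50112
2022-01-11T09:00:03 sshd[1202]: Failed password for admin from 198.51.100.23 port 50113
2022-01-11T09:00:05 sshd[1203]: Failed password for admin from 198.51.100.23 port 50114
2022-01-11T09:00:08 sshd[1204]: Failed password for admin from 198.51.100.23 port 50115
2022-01-11T09:00:10 sshd[1205]: Failed password for admin from 198.51.100.23 port 50116
2022-01-11T09:00:14 sshd[1206]: Accepted password for admin from 198.51.100.23 port 50117
2022-01-11T09:05:00 sshd[1210]: Failed password for jsmith from 192.0.2.45 port 40001
2022-01-11T09:05:30 sshd[1211]: Accepted password for jsmith from 192.0.2.45 port 40002
2022-01-11T10:00:00 sshd[1300]: Failed password for root from 203.0.113.9 port 33001
2022-01-11T10:00:01 sshd[1301]: Failed password for root from 203.0.113.9 port 33002
2022-01-11T10:00:02 sshd[1302]: Failed password for root from 203.0.113.9 port 33003
2022-01-11T10:00:03 sshd[1303]: Failed password for root from 203.0.113.9 port 33004
2022-01-11T10:00:04 sshd[1304]: Failed password for root from 203.0.113.9 port 33005
2022-01-11T10:00:05 sshd[1305]: Failed password for root from 203.0.113.9 port 33006
"""

# Assumed line shape: "<iso timestamp> sshd[pid]: Accepted|Failed password for <user> from <ip> port <n>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) password "
    r"for (?P<user>\S+) from (?P<ip>\S+) port \d+$"
)


def parse_events(text):
    """Turn raw log text into (timestamp, result, user, ip) tuples, skipping other lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated log line
        events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]))
    return events


def detect(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return (success_after_burst, burst_sources).

    success_after_burst: {ip: (user, failures_in_window, success_time)}
    burst_sources: set of ips that reached `threshold` failures within `window`
    """
    recent = defaultdict(list)   # ip -> failure timestamps still inside the window
    success_after_burst = {}
    burst_sources = set()
    for ts, result, user, ip in sorted(events):
        # Slide the window: keep only failures within `window` of this event.
        recent[ip] = [t for t in recent[ip] if ts - t <= window]
        if result == "Failed":
            recent[ip].append(ts)
            if len(recent[ip]) >= threshold:
                burst_sources.add(ip)
        else:
            # A success right after a burst is the guessed-credential pattern.
            if len(recent[ip]) >= threshold:
                success_after_burst[ip] = (user, len(recent[ip]), ts)
            recent[ip].clear()  # a success ends the guessing sequence for this source
    return success_after_burst, burst_sources


if __name__ == "__main__":
    hits, sources = detect(parse_events(SAMPLE_LOG))
    for ip, (user, n, when) in hits.items():
        print(f"ALERT guessed credential: {user} from {ip} after {n} failures, success at {when}")
    for ip in sorted(sources - set(hits)):
        print(f"NOTICE guessing only: {ip} crossed {FAIL_THRESHOLD} failures, no success")
```

A hit in the first category is the case worth escalating: the account has been used with a valid credential, so the response is a credential reset, a check for multi-factor enrollment on that account, and a review of what the session did afterwards, since the advisory notes that actors maintain persistence with legitimate credentials. Sources in the second category are ordinary blocking candidates. Accounts that legitimately mistype once, like the jsmith entry, never reach the threshold and produce no output.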
However, Sanjay Raja, VP of Product Marketing and Solutions, Gurucul, disagrees with some suggestions. “The NCSC and CISA are absolutely missing the mark,” Raja said. “Preventive measures are certainly an important layer of defense, but antivirus is fairly useless against most advanced attacks.”
Raja added that vulnerabilities are a less potent threat than social engineering.
“Vulnerabilities are no longer the primary entry point (aka initial compromise) for most attacks. While a vulnerability is often exploited as a step in an overall attack campaign, the primary mechanism being more actively used by many adversarial nation-states is a combination of phishing and social engineering. This means that initial compromise is dependent on human behaviors and impossible to prevent 100% of the time.”
He recommends a “stronger detection program” capable of monitoring and identifying risky access controls, user behaviors, and abnormal activity.
“This includes potential threats from the inside, not just outside threats. More advanced and adaptable technologies that use machine learning and artificial intelligence to compensate for threat actor activity and human behavior have proven to be more effective at stopping successful attacks.”
Dave Cundiff (he/him), Vice President, Member Delivery, Cyvatar, pointed out that critical infrastructure organizations should focus on future threats.
“With the most recent joint alert, the NSA, CISA, and FBI are providing additional focus to an ongoing concern,” said Dave. “These attacks, as we have all seen, are persistent and ongoing. While the critical infrastructure sectors should show a heightened, more proactive approach, my concern lies in the attacks we haven’t detected yet.”
He noted that the tools, techniques, and procedures deployed in state-sponsored attacks are later commoditized and used by common cybercriminals.
“With that in mind, even organizations that are not directly identified to be targeted need to take a diligent approach. As the tactics and techniques are refined by state-sponsored actors, they quickly pivot to become commoditized in the new malware marketplace for lower-level attackers to leverage.”
He advised organizations to learn from the state-sponsored attacks and implement better defense mechanisms, and warned organizations not mentioned in the alert against adopting a false sense of security.
“One of the most concerning outcomes that this alert could provide is a false sense of safety to those industries not identified here. Cyber security is a constant journey, never reaching a destination: always improving, always refining, always adapting and managing levels of effort to stay ahead of the attackers.”