U.S. Security Agencies Issue Advisory on Russian Cyber Attacks on Infrastructure

Federal cybersecurity officials are again warning of Russian cyber attacks and urging critical infrastructure networks in particular to be on alert.

The Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigation, and the National Security Agency released a joint Cybersecurity Advisory (CSA) that provides an overview of Russian state-sponsored cyber operations, including commonly observed tactics, techniques, and procedures.

Historically, Russian state-sponsored actors have used spearphishing, brute force, and exploiting known vulnerabilities against accounts and networks with weak security, as well as other “common but effective tactics” to gain initial access to target networks, according to the advisory.

The agencies did not cite a specific reason for releasing the Russia report at this time. They said only that it was being released to “help the cybersecurity community reduce the risk presented by Russian state-sponsored cyber threats.”

President Joe Biden has been pressuring Russian President Vladimir Putin to halt Russian cyber actions against the U.S. In recent weeks, there has been concern expressed in Washington that Russian may turn to cyber attacks as U.S.-Russia tensions over Ukraine grow. That’s something Russia did in 2015 and 2016, according to the advisory.

The agencies are encouraging the cybersecurity community, especially those involved protecting critical infrastructure, to adopt a “heightened state of awareness, conduct proactive threat hunting, and implement the mitigations” identified in the joint CSA.

CISA recommends network defenders review CISA’s Russia Cyber Threat Overview and Advisories page for more information on Russian state-sponsored malicious cyber activity. CISA recommends critical infrastructure leaders review CISA Insights: Preparing For and Mitigating Potential Cyber Threats.

In its review of past Russian cyber attacks, the advisory identifies key vulnerabilities that Russian hackers have exploited in systems including Microsoft Exchange, Cisco routers, Oracle servers, Zimbra software and Citrix networks among others.

The advisory says Russian actors have also “demonstrated the ability to maintain persistent, undetected, long-term access in compromised environments—including cloud environments—by using legitimate credentials.”

Russian hackers in the past have targeted a variety of U.S. and international critical infrastructure organizations, including those in the defense industry, healthcare, public health, energy, telecommunications, and government facilities. Some of the high-profile cyber activity publicly attributed to Russian state-sponsored actors and cited in the report include:

• Russian state-sponsored actors targeted state, local, tribal, and territorial governments and aviation networks in September 2020, through at least December 2020. Russian actors targeted dozens of government and aviation networks. They successfully compromised networks and exfiltrated data from multiple victims.
• Russian state-sponsored actors’ conducted a global energy sector intrusion campaign, 2011 to 2018, in which they gained remote access to U.S. and international energy sector networks, deployed malware, and collected and exfiltrated enterprise data.
• Russian state-sponsored actors’ pursued a campaign against Ukrainian critical infrastructure, 2015 and 2016. They conducted a cyberattack against Ukrainian energy distribution companies, leading to multiple companies experiencing unplanned power outages in December 2015. The actors deployed BlackEnergy malware to steal user credentials and made infected computers inoperable. In 2016, these actors conducted a cyber-intrusion campaign against a Ukrainian electrical transmission company and deployed CrashOverride malware specifically designed to attack power grids.

Topics USA Cyber Agencies Russia Ukraine