U.S. federal security agencies are putting companies on alert to potential threats from Russian state-sponsored cybercriminal groups, warning in particular about dangers to critical infrastructure and urging organizations to learn how to detect and protect against attacks.
The joint cybersecurity advisory issued Jan. 11 by the FBI, National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) comes as tensions rise between Russia, the United States and European countries over Russia’s military activities related to Ukraine. The alert gives companies and agencies an overview of common tactics used by such Russia-based threat groups, lists of vulnerabilities they’ve been known to exploit and steps companies can take to detect, respond to and mitigate an attack.
“Historically, Russian state-sponsored advanced persistent threat (APT) actors have used common but effective tactics – including spearphishing, brute force, and exploiting known vulnerabilities against accounts and networks with weak security – to gain initial access to target networks,” the agencies wrote in the alert. “Russian state-sponsored APT actors have also demonstrated sophisticated tradecraft and cyber capabilities by compromising third-party infrastructure, compromising third-party software, or developing and deploying custom malware.”
In addition, such groups have shown they can “maintain persistent, undetected, long-term access in compromised environments – including cloud environments – by using legitimate credentials,” they wrote. “In some cases, Russian state-sponsored cyber operations against critical infrastructure organizations have specifically targeted operational technology (OT)/industrial control systems (ICS) networks with destructive malware.”
Russian Groups Behind High-Profile Attacks
Russian-backed groups have been behind some of the most significant recent cyberattacks, including the SolarWinds breach (Nobelium) and the ransomware attacks on Colonial Pipeline (DarkSide) and global meat supplier JBS (REvil).
Government agencies and the Biden administration also have taken steps to push back against Russia and the cybercriminal groups it’s accused of supporting. President Biden in July called on Russian President Vladimir Putin to stem ransomware and other cyberattacks from these gangs. In addition, the administration has taken other actions, from working with U.S. companies on their security posture to putting bounties on the more active and notorious threat actors.
Despite all this, the threat of the Russian gangs continues to hang over the United States and is unlikely to disappear anytime soon, according to Erich Kron, security awareness advocate at security training firm KnowBe4.
“Targeting critical infrastructure is nothing new,” Kron told eSecurity Planet. “However, the increased attacks are certainly something to be concerned with, especially given the tensions between the U.S. and Russia over the Ukraine border crisis. Russia has very advanced cyber warfare skills which keep them hidden once a network is compromised, although ironically, the initial attack vectors are typically those of low-tech email phishing campaigns, taking advantage of people reusing already compromised passwords or using easily guessed passwords.”
Tactics and Responses
In their alert, the agencies laid out a range of tactics used by the Russian-supported groups, including using large-scale scans to find vulnerable servers, compromising third-party software (like SolarWinds’ Orion software), password-guessing and password-spraying efforts and leveraging the credentials of existing accounts to ensure long-term and persistent access to compromised networks.
In addition, the agencies outlined a number of steps to detect and protect against such attacks. Detection is critical, given the APT actors’ ability to maintain a long-term presence in compromised enterprise and cloud environments. They urged companies to implement strong, centralized log collection and retention programs and to look for behavioral evidence or network- and host-based artifacts associated with known Russian APT groups. This would include detecting password-spray activity, checking authentication logs for system and application login failures of valid accounts, and detecting the use of compromised credentials.
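As an added example (not code from the advisory or from this article), the following Python sketch shows the kind of password-spray detection the agencies recommend, run over constructed authentication log lines: one source failing against many distinct accounts within a short window, followed by a success from that same source, which is the compromised-credential pattern the alert says to look for. The log format, the thresholds and the IP addresses are assumptions.

```python
"""Password-spray detection over constructed authentication log lines."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format): timestamp, source IP, account, outcome.
SAMPLE_LOG = """\
2022-01-11T09:00:01 203.0.113.7 alice FAIL
2022-01-11T09:00:04 203.0.113.7 bob FAIL
2022-01-11T09:00:07 203.0.113.7 carol FAIL
2022-01-11T09:00:10 203.0.113.7 dave FAIL
2022-01-11T09:00:13 203.0.113.7 erin FAIL
2022-01-11T09:00:16 203.0.113.7 frank SUCCESS
2022-01-11T09:05:00 198.51.100.2 alice FAIL
2022-01-11T09:05:30 198.51.100.2 alice FAIL
2022-01-11T09:06:00 198.51.100.2 alice SUCCESS
"""


def parse(text):
    """Turn raw log lines into (timestamp, source, account, outcome) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, src, user, outcome = line.split()
            events.append((datetime.fromisoformat(ts), src, user, outcome))
    return events


def detect_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Flag sources whose failures hit many distinct accounts inside one window.

    A spray is few attempts per account across many accounts, so we count
    distinct accounts per source rather than failures per account (thresholds assumed).
    """
    fails_by_src = defaultdict(list)
    for ts, src, user, outcome in events:
        if outcome == "FAIL":
            fails_by_src[src].append((ts, user))
    alerts = {}
    for src, fails in fails_by_src.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            users = {u for t, u in fails[i:] if t - start <= window}
            if len(users) >= min_accounts:
                alerts[src] = users
                break
    return alerts


def successes_from_spraying_sources(events, alerts):
    """Valid-account logins from a flagged source: possible compromised credential."""
    return [(src, user) for _, src, user, outcome in events
            if outcome == "SUCCESS" and src in alerts]
```

The second source in the sample fails only against a single account and is not flagged, which is the distinction a spray rule needs to preserve so that ordinary lockout noise does not drown the signal.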
There also was a list of responses companies should take if they’ve been compromised, including isolating affected systems and maintaining and securing backups. For mitigation, the recommendations include being prepared for such an attack, creating and maintaining cyber incident responses and resiliency plans and enhancing the security posture with tools like identity and access management (IAM) software and vulnerability and configuration solutions.
Know the Enemy
The agencies also urged U.S. companies to become familiar with the tactics and targets of these APT groups.
“It’s important to remind ourselves that critical infrastructure is more than just a phrase,” Tim Erlin, vice president of strategy for cybersecurity firm Tripwire, told eSecurity Planet. “It describes a vast cross-section of infrastructure on which our nation relies. Critical infrastructure really is critical.”
The agencies’ alert contains both information about the threat and actionable information companies can use to protect themselves, such as the use of the MITRE ATT&CK framework for identifying malicious activity and mapping mitigation actions, Erlin said. “Identifying the attack in progress is important, but preventing the attack from being successful at all is better,” he said.
The Importance of Logs
Rick Holland, CISO and vice president of strategy at cybersecurity vendor Digital Shadows, told eSecurity Planet that a key message from the alert is the use of logs. When defending against any cybercriminal group, “you must have a security monitoring infrastructure that provides situational awareness to detect and respond to intrusions,” he said. “You must have sensors in place to capture malicious activity. You must also retain those logs for retroactive threat hunting as you develop and acquire new intelligence.”
It was also important for the alert to list the tactics used by the APT groups, Holland said.
“Although these groups have sophisticated capabilities, [such as the] SolarWinds intrusion, they also rely on low-hanging fruit tactics and techniques,” he said. “While it isn’t sexy, effective security hygiene like patching known vulnerabilities on external services raises the adversary costs and makes their job harder. Don’t be a soft target.”
Holland echoed KnowBe4’s Kron regarding the threat of increased activity stemming from the tensions around Russia’s activities with Ukraine. Should the conflict escalate, the Russian-supported bad actors could also increase their operations.
“Cyberspace has become a key component of geopolitics,” he said. “Russian APT groups aren’t at the top of the threat model for all companies, unlike the critical infrastructure providers mentioned in the alert, but could end up being collateral damage.”
A Familiar Threat
Some cybersecurity professionals said the agencies’ security alert does little more than remind companies about the threat and to deliver information that they already should know.
Tim Wade, technical director and CTO at cybersecurity firm Vectra, told eSecurity Planet that he couldn’t “recall a time in my life when Russia wasn’t aggressively probing western resolve, ranging from tactical incursions into air space to pulling strategic economic levers. This activity is just a continuation of that long-standing tradition, and I read this advisory as another periodic reminder of the background radiation of global politics – if you’re operating critical infrastructure and are under the impression that you aren’t squarely in an operator’s crosshairs, you’re wrong.”
Tim Helming, security evangelist at threat intelligence company DomainTools, said the guidance in the alert is good, but that “it’s tempting to look at it as motherhood-and-apple-pie. The vast majority of owners and operators of critical infrastructure are well aware of the threats and are also cognizant of many of the fundamental steps toward hardening their assets against these threats. Many in the critical infrastructure community take an ‘assume breach.’”
Most companies and agencies already are using and improving the procedures and tools outlined in the alert, Helming told eSecurity Planet. CISA, the FBI and NSA likely issued the alert in part “because if they weren’t on record doing so and a compromise were confirmed, it would have been a glaring gap. It also gives owners and operators facing resource constraints more support in their requests and it’s important not to underestimate how important that can be.”