US Warns of Russia-Backed Threat to Critical Infrastructure
CISA, NSA and FBI Urge Network Defenders to 'Increase Organizational Vigilance'
The Cybersecurity and Infrastructure Security Agency released a joint advisory with the National Security Agency and the FBI on Tuesday warning that Russian threat actors are leveraging certain tactics, techniques and procedures to infiltrate critical infrastructure. In the advisory, CISA lays out several measures to detect and mitigate threats posed by the state actors, with a particular focus on critical infrastructure.
"CISA, the FBI, and NSA encourage the cybersecurity community - especially critical infrastructure network defenders - to adopt a heightened state of awareness and to conduct proactive threat hunting," the advisory says. It encourages security teams to implement mitigation strategies immediately.
Security professionals are advised to prepare by:
- Creating and maintaining a cyber incident response plan;
- Following best practices in the area of identity and access management, among others;
- Staying vigilant and reporting any suspicious activity.
The advisory also contains a list of 13 vulnerabilities being exploited by the state-backed actors - including CVEs affecting Microsoft Exchange, Oracle WebLogic Server and Cisco routers - and six cases of malware related to operational technology.
This announcement comes on the heels of a bipartisan group of senators sending a letter to Department of Homeland Security Secretary Alejandro Mayorkas and Department of Transportation Secretary Pete Buttigieg urging them to respond to cyber threats targeting critical infrastructure - particularly the transportation sector (see: Senators Seek Clarity on DHS, DOT Cybersecurity Efforts).
In their advisory, the U.S. agencies say Russian APTs are using "common but effective tactics" to disrupt networks. The advisory also says that Russian attackers have shown an ability to infiltrate networks and go undetected for long periods of time.
Russian state-sponsored actors have also been known to target critical infrastructure, and CISA provides a list of "high-profile cyber activity" between 2011 and 2020, including attacks on Ukraine's energy distribution companies that led to a massive power outage.
Adam Flately, a former technical lead for the NSA and member of the U.S. Ransomware Task Force, says the joint advisory is clearly linked to the brewing tensions between Russia and Ukraine, which some are predicting could lead to war (see: Cyber Activity Surges as Russia Masses on Ukraine's Border).
"It doesn't take a huge analytic leap to assess that this advisory is likely tied to the tensions over the potential Russian invasion of Ukraine," he says. "It will be important for U.S. organizations, especially the critical infrastructure vertical, to pay extra attention to cybersecurity in order to mitigate Russia's retaliatory options, should the U.S. 'act decisively' in response to an invasion as the Biden administration has promised."
As the pressure between Russia and Ukraine continues to build, Flately explains that organizations need to be vigilant when it comes to monitoring threats and "review and update incident response plans and [patch] regimes [to] ensure that everyone who has a role in an incident clearly understands their responsibilities in case of a crisis."
Russian state-sponsored actors are currently leveraging the following vulnerabilities, according to CISA:
- CVE-2018-13379 FortiGate VPNs;
- CVE-2019-1653 Cisco routers;
- CVE-2019-2725 Oracle WebLogic Server;
- CVE-2019-7609 Kibana;
- CVE-2019-9670 Zimbra software;
- CVE-2019-10149 Exim (SMTP mail transfer agent);
- CVE-2019-11510 Pulse Secure;
- CVE-2019-19781 Citrix;
- CVE-2020-0688 Microsoft Exchange;
- CVE-2020-4006 VMware - a zero-day attack;
- CVE-2020-5902 F5 BIG-IP;
- CVE-2020-14882 Oracle WebLogic;
- CVE-2021-26855 Microsoft Exchange - CISA also noted that this vulnerability works in conjunction with CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.
Rick Holland, CISO and vice president of threat analysis firm Digital Shadows, cites the SolarWinds cyberattack - one of the most damaging cyberattacks to date that hit a company and then leapfrogged to its many customers - as a prime example of the capabilities of Russian attackers.
"Although these groups have sophisticated capabilities, they also rely on low-hanging fruit tactics and techniques," he says, adding that patching known vulnerabilities, as outlined by CISA, can make things more difficult for nation-state actors.
Holland also says that, from his point of view, CISA is emphasizing the practice of retaining logs to monitor security infrastructure.
"You must have sensors in place to capture malicious activity. You must also retain those logs for retroactive threat hunting as you develop and acquire new intelligence."
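The retroactive hunt Holland describes only works if the logs from before the intelligence arrived are still there. The following is an added example, not code from the advisory or from the article, that illustrates this on constructed data: a small archive of connection-log lines, a set of indicators that "arrives" after the activity took place, and a hunt that is run twice, once against a year of retention and once against 30 days, to show which earlier contacts a short retention window would have discarded. The log format, the hostnames, the IP addresses and the indicator list are all invented for the demonstration.

```python
"""Retroactive threat hunt over retained logs (added example, constructed data)."""
from datetime import datetime, timedelta
import re

# Constructed connection-log archive: "timestamp src -> dst:port action".
# Addresses are from documentation ranges and do not refer to real hosts.
RETAINED_LOGS = """\
2021-10-03T08:12:44Z 10.20.0.15 -> 203.0.113.77:443 CONNECT
2021-10-03T08:13:02Z 10.20.0.15 -> 198.51.100.9:443 CONNECT
2021-11-18T22:40:10Z 10.20.0.31 -> 203.0.113.77:443 CONNECT
2022-01-09T03:05:51Z 10.20.0.31 -> 192.0.2.200:8443 CONNECT
2022-01-10T14:27:33Z 10.20.0.88 -> 203.0.113.77:443 CONNECT
"""

# Constructed "new intelligence": destination indicators received on 2022-01-11,
# months after the earliest contact in the archive. In practice these would come
# from an advisory or a threat-intelligence feed.
NEW_INDICATORS = {"203.0.113.77", "192.0.2.200"}
INTEL_RECEIVED = datetime(2022, 1, 11)

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (\S+)$")


def parse_line(line):
    """Parse one archive line into a dict, or return None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port, action = m.groups()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "src": src,
        "dst": dst,
        "port": int(port),
        "action": action,
    }


def hunt(logs, indicators, received, retention_days):
    """Return matching events that the archive still held when the intel arrived.

    Events older than `received - retention_days` are treated as already purged,
    which is exactly the data a short retention policy loses.
    """
    cutoff = received - timedelta(days=retention_days)
    hits = []
    for line in logs.splitlines():
        ev = parse_line(line)
        if ev is None or ev["dst"] not in indicators:
            continue
        if ev["ts"] >= cutoff:
            hits.append(ev)
    hits.sort(key=lambda e: e["ts"])
    return hits


def summarize(hits):
    """Condense hits into what an incident lead needs: count, first contact, hosts."""
    return {
        "count": len(hits),
        "earliest": hits[0]["ts"].strftime("%Y-%m-%dT%H:%M:%SZ") if hits else None,
        "hosts": sorted({e["src"] for e in hits}),
    }


def run_demo():
    """Run the same hunt against a long and a short retention window."""
    full = summarize(hunt(RETAINED_LOGS, NEW_INDICATORS, INTEL_RECEIVED, 365))
    short = summarize(hunt(RETAINED_LOGS, NEW_INDICATORS, INTEL_RECEIVED, 30))
    return {"full": full, "short": short}


if __name__ == "__main__":
    result = run_demo()
    print("365-day retention:", result["full"])
    print("30-day retention: ", result["short"])
```

With a year of retention the hunt finds four contacts across three hosts, the first of them in October 2021; with 30 days it finds only the two January events and never learns that 10.20.0.15 was the first host to reach the indicator, which is the kind of scoping gap the advisory's emphasis on retention is meant to close.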
According to the advisory, if IT or OT network administrators detect any of these threats, they should:
- Isolate affected systems;
- Secure backup data by taking it offline, and then scan for additional malware;
- Review any relevant data, logs or artifacts;
- If unable to remediate with internal teams, consider seeking assistance from a third party;
- Report any incidents to CISA or the FBI.
The Department of State's Rewards for Justice Program also offers a reward of up to $10 million for tips about foreign actors operating or participating in malicious cyber activity, especially against critical infrastructure, according to the alert.
This story has been updated to include comments from Adam Flately and Rick Holland.