The cybersecurity authorities of the US, Australia, Canada, New Zealand and the UK have released a joint Cybersecurity Advisory (CSA). This CSA is to warn organizations about malicious cyber activity originating from Russia as a result of Russia’s invasion of Ukraine. Evolving intelligence indicates that the Russian government is currently exploring options for potential cyberattacks. Some of the recent state-sponsored attacks have consisted of distributed denial-of-service (DDoS) attacks and deployment of destructive malware. It is safe to expect an increase in Russian State-Sponsored Criminal Cyber Threats in the foreseeable future.
Some cybercrime groups have also recently publicly pledged their support for the Russian government and have threatened to conduct cyber operations in retaliation for perceived cyber offensives against the Russian government or the Russian people.
The aforementioned governments and their respective cybersecurity authorities urge critical infrastructure network defenders to prepare for and mitigate potential cyber threats, including destructive malware, ransomware, DDos attacks and espionage. Ensure you are hardening your cyber defenses and performing the necessary due diligence in identifying indications of malicious activity.
Reporting Suspicious or Criminal Activity
U.S. organizations may report suspicious or criminal activity by contacting CISA at [email protected] or (888) 282-0870 or their local FBI office via https://www.fbi.gov/contact-us/field-offices or (855) 292-3937.
Please ensure you include, when available, the following information with your report:
- Date and time of the incident
- Type of Activity
- Number of people affected
- Type of equipment used
- Name of the submitting company or organization
- A designated point of contact
State-sponsored cyber actors of Russian origin have demonstrated capabilities to compromise IT networks; developed mechanisms to maintain long-term, persistent access to IT networks; exfiltrate sensitive data from operational technology (OT) networks; and disrupt critical industrial control systems (ICS)/OT functions by deploying destructive malware.
Cyber threat actors from the following Russian government and military organizations have conducted malicious cyber attacks against IT and/or OT networks:
- Russian Federal Security Service (FSB), including Center 16 and Center 18
- Russian Foreign Intelligence Service (SVR)
- Russian General Staff Main Intelligence Directorate (GRU), 85th Main Special Service Center (GTsSSS)
- GRU’s Main Center for Special Technologies (GTsST)
- Russian Ministry of Defense, Central Scientific Institute of Chemistry and Mechanics
The FSB has conducted malicious cyber operations targeting the Energy Sector, including UK and U.S. energy companies, U.S. aviation organizations, U.S. government and military personnel as well as private organizations, cybersecurity companies and journalists. The FSB has also been known to task criminal hackers for espionage-focused cyber activity; usually the same hackers that have been separately responsible for disruptive ransomware and phishing campaigns.
Most recently, FSB employees were indicted by the U.S. Department of Justice for their involvement in a multi-stage campaign in which they gained remote access to U.S. and international Energy Sector networks, including a U.S. nuclear power plant.
Defense and Mitigation
Cyber authorities urge critical infrastructure organizations to prepare for and mitigate potential Russian State-Sponsored Criminal Cyber Threats. In the event you require assistance with the completion of these tasks, feel free to contact us at any time and we’ll be happy to assist.
- Update all software, including operating systems, applications and firmware on IT network assets. Ensure you prioritize the patching of known and exploited vulnerabilities that allow for remote code execution or denial-of-service on internet-facing equipment.
- Enforce Multi-Factor Authentication to the greatest extent possible and require accounts with password logins, such as service accounts, to have STRONG passwords. Do not allow any passwords to be re-used across multiple accounts or stored on a system that an adversary may have or gain access to. (We utilize a self-hosted password vault with no public access as part of our Managed IT Services offering.)
- If you use commonly exploited protocols such as RDP, secure and monitor them closely.
- Provide your employees and end-users with security awareness and training to help prevent successful targeted social engineering and spearphishing campaigns. Phishing is one of the top infection vectors for ransomware. We include security awareness and cyber security training for all of our client’s employees.
- As part of a long-term effort, implement and follow a network segmentation plan based on role and functionality. This can help prevent the spread of ransomware and threat actor’s lateral movement.
In the event you are unable to tackle all of these tasks by yourself, we encourage you to get in touch with a trusted IT partner such as ATYXIT. We’ve assisted countless customers with tackling cyber-security issues and are happy to assist you as well.