CISA, NSA Warn of Russian Attacks on Critical Infrastructure
After threat actors linked to Russia used multiple techniques to attack a wide variety of U.S. targets, the FBI, CISA and the NSA issued a joint warning to those tasked with protecting critical infrastructure: Beef up your security.
The agencies encouraged “the cybersecurity community—especially critical infrastructure network defenders—to adopt a heightened state of awareness and to conduct proactive threat hunting,” according to an advisory.
The alert noted that Russian state-sponsored APT actors previously “used common but effective tactics—including spearphishing, brute force and exploiting known vulnerabilities against accounts and networks with weak security—to gain initial access to target networks.” The joint alert also pointed out that the attackers “have also demonstrated sophisticated tradecraft and cyber capabilities by compromising third-party infrastructure, compromising third-party software, or developing and deploying custom malware.” In addition, they have proven they can “maintain persistent, undetected, long-term access in compromised environments—including cloud environments—by using legitimate credentials,” the agencies warned.
In some of those cases, the miscreants specifically took aim at operational technology (OT) and industrial control system (ICS) networks and dropped destructive malware.
From Russia, With Love (Again)
“I can’t recall a time in my life when Russia wasn’t aggressively probing western resolve, ranging from tactical incursions into airspace to pulling strategic economic levers,” said Tim Wade, technical director, CTO team, at Vectra. “This activity is just a continuation of that long-standing tradition, and I read this advisory as another periodic reminder of the ‘background radiation’ of global politics—if you’re operating critical infrastructure and are under the impression that you aren’t squarely in an operator’s crosshairs, you’re wrong.”
To underscore the threat, the agencies pointed to Russian state-sponsored APT actors targeting state, local, tribal and territorial (SLTT) governments and aviation networks from September 2020 through December 2020, a global energy sector intrusion campaign from 2011 to 2018 and a campaign against Ukrainian critical infrastructure that took place in 2015 and 2016.
To counter these attacks, the agencies recommended a number of steps organizations can (and should) take around three main pillars: being prepared, enhancing organizational cybersecurity posture and increasing organizational vigilance.
In addition to patching all systems, prioritizing threats by known exploited vulnerabilities, implementing multifactor authentication (MFA), using antivirus software and developing internal contact lists and surge support, the joint cybersecurity advisory (CSA) recommended that critical infrastructure organizations note any unexpected equipment behavior, record delays or disruptions in communication with field equipment or other OT devices and determine if system parts or components are lagging or unresponsive.
Logs, or it Didn’t Happen
“The main takeaway from the CISA Russian cyberthreat alert is ‘Logs, or it didn’t happen,’” said Rick Holland, CISO, vice president of strategy at Digital Shadows.
“When defending against sophisticated Russian adversaries (or any group), you must have a security monitoring infrastructure that provides situational awareness to detect and respond to intrusions,” he said. “You must have sensors in place to capture malicious activity. You must also retain logs for retroactive threat hunting as you develop and acquire new intelligence.” He recommended that defenders “conduct an annual gap analysis of their monitoring capabilities and quickly plan to mitigate any collection gaps.”
“The second takeaway is that these actors use common but effective tactics. Although these groups have sophisticated capabilities (e.g., the SolarWinds intrusion), they also rely on low-hanging fruit tactics and techniques,” said Holland. “While it isn’t sexy, effective security hygiene like patching known vulnerabilities on external services raises the adversary’s costs and makes their job harder. Don’t be a soft target.”
Even those organizations that are “not directly identified as targets need to take a diligent approach,” said Dave Cundiff, vice president, member delivery at Cyvatar. “As the tactics and techniques are refined by state-sponsored actors like Russia, they quickly pivot to become commoditized in the new malware marketplace for lower-level attackers to leverage.”
Separating network segments based on role and functionality is particularly important: by controlling traffic flow and access to subnetworks, this separation can prevent the lateral movement that makes an attack more wide-ranging and destructive. The advisory suggested appropriate segmentation between IT and OT networks. “Network segmentation limits the ability of adversaries to pivot to the OT network even if the IT network is compromised,” the advisory noted. “Define a demilitarized zone that eliminates unregulated communication between the IT and OT networks.”
The CSA advised companies to organize OT assets into logical zones according to criticality, consequence and operational necessity. “Define acceptable communication conduits between the zones and deploy security controls to filter network traffic and monitor communications between zones,” the advisory said. “Prohibit ICS protocols from traversing the IT network.”
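The zone-and-conduit model the advisory describes can be written down as an explicit policy and audited against flow records, which is how a defender would detect the two conditions it calls out: traffic that bypasses a defined conduit, and ICS protocols touching the IT network. The following is an added example, not code from the advisory or the article; the zone address ranges, the permitted conduits, the ICS port table and the flow records are all constructed assumptions for illustration.

```python
"""
Added example: a minimal IT/DMZ/OT zone-and-conduit policy checker run over
constructed flow records (one per line: timestamp src dst dst_port).
Zone CIDRs, conduits and flow samples are assumptions, not real data.
"""
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

# Well-known ICS/OT protocol ports that should never traverse the IT zone.
ICS_PORTS: Dict[int, str] = {
    102: "S7comm",
    502: "Modbus/TCP",
    4840: "OPC UA",
    20000: "DNP3",
    44818: "EtherNet/IP",
}

# Assumed zone layout (hypothetical address ranges).
ZONES = {
    "IT": [ipaddress.ip_network("10.10.0.0/16")],
    "DMZ": [ipaddress.ip_network("10.20.0.0/24")],
    "OT": [ipaddress.ip_network("192.168.100.0/24")],
}

# Defined conduits: (src_zone, dst_zone) -> allowed destination ports,
# or None when any port is allowed on that conduit.  IT->OT is deliberately
# absent: all IT-to-OT traffic must pass through the DMZ.
CONDUITS: Dict[Tuple[str, str], Optional[Set[int]]] = {
    ("IT", "IT"): None,
    ("OT", "OT"): None,
    ("IT", "DMZ"): {443},        # IT users reach the DMZ historian over HTTPS
    ("DMZ", "OT"): {502, 4840},  # DMZ collector polls controllers
}


def zone_of(ip: str) -> str:
    """Map an address to its zone name, or 'UNKNOWN' if it fits no zone."""
    addr = ipaddress.ip_address(ip)
    for zone, nets in ZONES.items():
        if any(addr in net for net in nets):
            return zone
    return "UNKNOWN"


def evaluate_flow(src: str, dst: str, dport: int) -> Tuple[str, str]:
    """Return ('allow' | 'alert', reason) for one flow against the policy."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    ics_name = ICS_PORTS.get(dport)

    # Rule 1: ICS protocols must not traverse the IT zone at either end.
    if ics_name and "IT" in (src_zone, dst_zone):
        return "alert", f"{ics_name} (port {dport}) traversing IT zone: {src_zone}->{dst_zone}"

    # Rule 2: traffic must follow a defined conduit between zones.
    if (src_zone, dst_zone) not in CONDUITS:
        return "alert", f"no conduit defined for {src_zone}->{dst_zone}"

    # Rule 3: on a restricted conduit, only the listed ports are permitted.
    allowed = CONDUITS[(src_zone, dst_zone)]
    if allowed is not None and dport not in allowed:
        return "alert", f"port {dport} not permitted on conduit {src_zone}->{dst_zone}"

    return "allow", f"conduit {src_zone}->{dst_zone}"


def audit(flow_log: str) -> List[dict]:
    """Parse 'ts src dst dport' lines and return every flow that violates policy."""
    findings = []
    for line in flow_log.strip().splitlines():
        ts, src, dst, dport = line.split()
        verdict, reason = evaluate_flow(src, dst, int(dport))
        if verdict == "alert":
            findings.append({"ts": ts, "src": src, "dst": dst,
                             "dport": int(dport), "reason": reason})
    return findings


# Constructed sample flow records (not captured traffic).
SAMPLE_FLOWS = """
2022-01-12T10:00:01Z 10.10.5.23 10.20.0.10 443
2022-01-12T10:00:02Z 10.10.5.23 192.168.100.15 502
2022-01-12T10:00:03Z 10.20.0.10 192.168.100.15 502
2022-01-12T10:00:04Z 10.10.7.9 10.10.8.1 20000
2022-01-12T10:00:05Z 192.168.100.15 10.10.5.23 445
2022-01-12T10:00:06Z 10.10.5.23 10.20.0.10 22
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_FLOWS):
        print(f"{f['ts']} {f['src']} -> {f['dst']}:{f['dport']}  {f['reason']}")
```

Of the six sample flows, the checker allows the IT-to-DMZ HTTPS session and the DMZ collector's Modbus poll, and flags the other four: a workstation talking Modbus straight into the OT range, DNP3 moving between two IT hosts, an OT device reaching back into IT over SMB with no conduit defined, and SSH on a conduit that only permits HTTPS. The same three rules map directly onto firewall policy between zones; running them over flow or firewall logs is the monitoring half of what the advisory asks for.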
But John Bambenek, principal threat hunter at Netenrich, downplayed the significance of the alert. “Advisories like this do little to help defenders actually protect themselves. I read this and don’t have any more insight into detecting and preventing these attacks than before,” he said. “It’s 2022—these agencies hopefully can reach out directly to organizations with more specific guidance because public announcements aren’t helpful; there are reasons not to be too specific in them, as well.”
Holland cautioned that “the advisory doesn’t mention the current tensions between Russia and the Ukraine, but if the conflict escalates, you can expect Russian cyberthreat attackers to increase their operations” since “cyberspace has become a key component of geopolitics.”