The FBI, CISA, and the NSA have warned critical infrastructure network defenders to be ready to detect and block incoming attacks targeting organizations from US critical infrastructure sectors orchestrated by Russian-backed hacking groups.
Advanced persistent threat (APT) actors linked to Russia have been observed attacking a wide range of US organizations using various effective tactics to breach their networks, ranging from spearphishing and brute-forcing accounts to exploiting a large variety of known security vulnerabilities.
“Russian state-sponsored APT actors have also demonstrated sophisticated tradecraft and cyber capabilities by compromising third-party infrastructure, compromising third-party software, or developing and deploying custom malware,” the joint advisory reads.
“The actors have also demonstrated the ability to maintain persistent, undetected, long-term access in compromised environments—including cloud environments—by using legitimate credentials.
“In some cases, Russian state-sponsored cyber operations against critical infrastructure organizations have specifically targeted operational technology (OT)/industrial control systems (ICS) networks with destructive malware.”
The three federal agencies highlight the following attacks where Russian APT groups — including APT29, APT28, and the Sandworm Team — have used destructive malware to specifically target industrial control systems (ICS) and operational technology (OT) networks belonging to critical infrastructure orgs worldwide:
- Russian state-sponsored APT actors targeting state, local, tribal, and territorial (SLTT) governments and aviation networks, September 2020, through at least December 2020. Russian state-sponsored APT actors targeted dozens of SLTT government and aviation networks. The actors successfully compromised networks and exfiltrated data from multiple victims.
- Russian state-sponsored APT actors’ global Energy Sector intrusion campaign, 2011 to 2018. These Russian state-sponsored APT actors conducted a multi-stage intrusion campaign in which they gained remote access to U.S. and international Energy Sector networks, deployed ICS-focused malware, and collected and exfiltrated enterprise and ICS-related data.
- Russian state-sponsored APT actors’ campaign against Ukrainian critical infrastructure, 2015 and 2016. Russian state-sponsored APT actors conducted a cyberattack against Ukrainian energy distribution companies, leading to multiple companies experiencing unplanned power outages in December 2015. The actors deployed BlackEnergy malware to steal user credentials and used its destructive malware component, KillDisk, to make infected computers inoperable. In 2016, these actors conducted a cyber-intrusion campaign against a Ukrainian electrical transmission company and deployed CrashOverride malware specifically designed to attack power grids.
US critical infrastructure orgs exposed to Russian-backed cyber operations are advised to focus on detecting their malicious activity by enforcing robust log collection/retention and looking for behavioral evidence or network and host-based artifacts.
If they detect any potential Russian-linked APT activity while monitoring their IT or OT networks, they’re also encouraged to isolate all potentially affected systems, secure their backups, collect evidence of the potential breach, and report the incident to CISA or the FBI after asking IT experts’ help with incident response tasks.
Warnings of Russian APTs targeting US orgs
This joint advisory follows an NCSC(UK)-CISA-FBI-NSA joint security advisory issued in May 2021 to urge network defenders to patch their systems as promptly as possible to match the speed with which Russian-sponsored SVR hackers (aka APT29, Cozy Bear, and The Dukes) were changing targets in their attacks.
That warning came after US and UK governments attributed the SolarWinds supply-chain attack and COVID-19 vaccine developer targeting to Russian SVR operators’ cyber-espionage efforts from April 2021.
The NSA, CISA, and the FBI also informed organizations and service providers on the same day regarding the top five vulnerabilities exploited in SVR attacks against US interests.
In a third joint advisory published in April, the FBI, DHS, and CIA alerted US orgs of continued attacks linked to the Russian SVR against the US and foreign organizations.
In July, the US government also announced it’s offering a reward of up to $10 million through its Rewards for Justice (RFJ) program for info on malicious cyber activities conducted by state-sponsored threat actors targeting the country’s critical infrastructure sectors.