DHS Warns of Potential Russian Cyberattacks on Critical Infrastructure

January 28, 2022 - As the US grapples with tensions between Russia and Ukraine, the Department of Homeland Security (DHS) warned of the potential for Russian cyberattacks on US critical infrastructure, according to a DHS memo obtained by CNN.

“Russia maintains a range of offensive cyber tools that it could employ against US networks—from low-level denials-of-service to destructive attacks targeting critical infrastructure," the January 23 memo stated.

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) issued a joint advisory in early January warning critical infrastructure entities to remain vigilant against Russian state-sponsored cyberattacks.

Healthcare organizations could become collateral damage of Russian-deployed malware, John Riggi, national advisor for cybersecurity and risk at the American Hospital Association (AHA) cautioned in an AHA notice in response to the advisory.

Hospitals could find themselves as targets for attacks on US critical infrastructure, and disruptions to critical service providers that serve hospitals could cause further damage.

“When targeting organizations in critical infrastructure, unpredictable events can occur, mistakes can be made by adversaries, and resulting kinetic physical impacts may result. Which would likely then be followed by escalating responses,” Tim Conway, senior instructor at SANS Institute, told HealthITSecurity via email. 

“Determining which actions were state-sponsored, and which actions were intentional vs mistakes begins to become challenging and time-consuming to determine. Cooperation with Governments and asset owners and operators who know these systems is more important than ever during these times.”

Conway said that no organization is too big or too small to be targeted by cybercriminals.

“[B]egin working with your teams through case studies of other attacks in your sector or outside your sector and work through what the attack would mean for your organization, what can you learn, and what actions can you take to have a better response,” Conway suggested.

CISA has observed Russian state-sponsored advanced persistent threat (APT) actors using common tactics in the past to successfully deploy cyberattacks, including spearphishing, brute force, and vulnerability exploitation.

“Russian state-sponsored APT actors have also demonstrated sophisticated tradecraft and cyber capabilities by compromising third-party infrastructure, compromising third-party software, or developing and deploying custom malware,” CISA continued.

“The actors have also demonstrated the ability to maintain persistent, undetected, long-term access in compromised environments—including cloud environments—by using legitimate credentials.”

Echoing CISA’s advisory, the Health Sector Cybersecurity Coordination Center (HC3) urged the healthcare sector to implement mitigation techniques and practice incident response plans.

HC3 advised healthcare entities to reduce their attack surface “to the greatest extent possible” by ensuring that known vulnerabilities are patched, establishing a comprehensive data backup program, and using multi-factor authentication.

As always, healthcare organizations should also encourage employees to practice proper cyber hygiene, and organizations should implement and frequently rehearse cyber incident response plans as required by HIPAA.