
FBI, CISA, NSA Warn of Russian Cyber Threats to Critical Infrastructure

The FBI, CISA, and the NSA released a joint advisory about Russian state-sponsored cyber threats and urged US critical infrastructure to remain vigilant.


By Jill McKeon

The Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory warning US critical infrastructure of ongoing Russian cyber threats.

The advisory outlined the frequently observed tactics, techniques, and procedures (TTPs) of Russian state-sponsored cyber operations. It noted that Russian threat actors have been known to target the healthcare, energy, telecommunications, and government facilities sectors.

“Historically, Russian state-sponsored advanced persistent threat (APT) actors have used common but effective tactics—including spearphishing, brute force, and exploiting known vulnerabilities against accounts and networks with weak security—to gain initial access to target networks,” the advisory stated.

Commonly exploited vulnerabilities that Russian state-sponsored APT actors leverage for initial access include those in FortiGate VPNs, Oracle WebLogic Servers, Citrix, Microsoft Exchange, and VMware products.

“Russian state-sponsored APT actors have also demonstrated sophisticated tradecraft and cyber capabilities by compromising third-party infrastructure, compromising third-party software, or developing and deploying custom malware,” the advisory continued.

“The actors have also demonstrated the ability to maintain persistent, undetected, long-term access in compromised environments—including cloud environments—by using legitimate credentials.”

The APT actors have also been known to specifically target operational technology (OT) or industrial control systems (ICS) with malware.

From September to December 2020, the APT actors targeted dozens of state, local, tribal, and territorial (SLTT) government and aviation networks, the advisory stated. The attackers managed to successfully compromise networks and exfiltrate data from multiple victims.

CISA, the FBI, and NSA encouraged critical infrastructure entities to implement a centralized log collection and monitoring capability in order to investigate incidents and detect threats in a timely manner.

The agencies also recommended that organizations look for network and host-based artifacts and behavioral evidence of known Russian state-sponsored actors. Security teams should review authentication logs to look for login failures of valid accounts or multiple failed authentication attempts across numerous accounts.
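The authentication log review the agencies recommend can be automated. The script below is an added example, not code from the advisory or from CISA, the FBI, or NSA. It parses constructed sshd-style auth log lines (the hostnames, usernames, and addresses are invented for the example) and flags the two patterns the advisory points to: repeated failures against a single valid account (brute force), and a few failures each spread across many accounts (password spraying). The thresholds and the ten-minute window are illustrative assumptions, not values from the advisory.

```python
"""Flag brute-force and password-spray patterns in sshd-style auth logs.

Added example; the sample log lines, thresholds and window are assumptions
for illustration, not material from the joint advisory.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample in the style of /var/log/auth.log (sshd). Not real data.
SAMPLE_LOG = """\
Jan 11 08:00:01 host1 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 11 08:00:04 host1 sshd[1203]: Failed password for jsmith from 203.0.113.5 port 51235 ssh2
Jan 11 08:00:07 host1 sshd[1205]: Failed password for mlee from 203.0.113.5 port 51236 ssh2
Jan 11 08:00:10 host1 sshd[1207]: Failed password for invalid user test from 203.0.113.5 port 51237 ssh2
Jan 11 08:00:13 host1 sshd[1209]: Failed password for rpatel from 203.0.113.5 port 51238 ssh2
Jan 11 08:00:16 host1 sshd[1211]: Failed password for akim from 203.0.113.5 port 51239 ssh2
Jan 11 08:00:19 host1 sshd[1213]: Failed password for svc_backup from 203.0.113.5 port 51240 ssh2
Jan 11 08:01:02 host1 sshd[1220]: Failed password for jsmith from 198.51.100.7 port 40001 ssh2
Jan 11 08:01:05 host1 sshd[1221]: Failed password for jsmith from 198.51.100.7 port 40002 ssh2
Jan 11 08:01:08 host1 sshd[1222]: Failed password for jsmith from 198.51.100.7 port 40003 ssh2
Jan 11 08:01:11 host1 sshd[1223]: Failed password for jsmith from 198.51.100.7 port 40004 ssh2
Jan 11 08:01:14 host1 sshd[1224]: Failed password for jsmith from 198.51.100.7 port 40005 ssh2
Jan 11 08:01:20 host1 sshd[1225]: Accepted password for jsmith from 198.51.100.7 port 40006 ssh2
Jan 11 08:02:30 host1 sshd[1230]: Failed password for mlee from 192.0.2.10 port 50010 ssh2
Jan 11 08:02:41 host1 sshd[1231]: Accepted password for mlee from 192.0.2.10 port 50011 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:(?P<invalid>invalid user) )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)


@dataclass
class AuthEvent:
    ts: datetime
    src: str
    user: str
    valid: bool  # False when sshd logged "invalid user" (account does not exist)
    ok: bool     # True for "Accepted", False for "Failed"


def parse(log_text):
    """Turn sshd auth lines into AuthEvent records; unrelated lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; relative ordering is all we need here
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        events.append(AuthEvent(ts, m["src"], m["user"],
                                m["invalid"] is None, m["result"] == "Accepted"))
    return events


def windowed_max(timestamps, window):
    """Largest number of events that fall inside any span of `window` seconds."""
    ts = sorted(timestamps)
    best, lo = 0, 0
    for hi in range(len(ts)):
        while (ts[hi] - ts[lo]).total_seconds() > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def detect(events, window=600, brute_min=5, spray_min_accounts=5, spray_max_per_account=2):
    """Return findings per source address. Thresholds are illustrative assumptions."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e.src].append(e)
    findings = []
    for src in sorted(by_src):
        evs = sorted(by_src[src], key=lambda e: e.ts)
        failures = defaultdict(list)  # account -> failure timestamps
        valid = set()
        for e in evs:
            if e.valid:
                valid.add(e.user)
            if not e.ok:
                failures[e.user].append(e.ts)
        # Brute force: many failures against one valid account inside the window.
        # A later success for that account from the same source is the escalation signal.
        for user in sorted(failures):
            n = windowed_max(failures[user], window)
            if user in valid and n >= brute_min:
                last_fail = max(failures[user])
                success = any(e.ok and e.user == user and e.ts > last_fail for e in evs)
                findings.append({"type": "brute_force", "src": src, "user": user,
                                 "failures": n, "followed_by_success": success})
        # Spray: few failures per account, but across many accounts inside the window.
        all_fail = [t for stamps in failures.values() for t in stamps]
        if (len(failures) >= spray_min_accounts
                and max(len(s) for s in failures.values()) <= spray_max_per_account
                and windowed_max(all_fail, window) >= spray_min_accounts):
            findings.append({"type": "password_spray", "src": src, "accounts": len(failures)})
    return findings


if __name__ == "__main__":
    for finding in detect(parse(SAMPLE_LOG)):
        print(finding)
```

Run against the constructed sample, it reports a password spray from 203.0.113.5 (seven accounts, one failure each, including two nonexistent usernames) and a brute-force run against jsmith from 198.51.100.7 that ends in a successful login; the single typo-then-success from 192.0.2.10 stays below both thresholds. The per-account and per-source grouping is what separates the two patterns: a spray looks harmless account by account and only stands out when failures are counted per source across accounts.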

In order to respond effectively, organizations that detect suspicious activity should immediately isolate infected systems, secure backups, collect data and artifacts, and engage a third-party expert to assist with response and recovery. Impacted organizations should also notify CISA and the FBI.

CISA, the FBI, and NSA also provided a list of security best practices that all organizations should have in place to mitigate cyber threats, including identity and access management, protective controls, and vulnerability and configuration management.

“CISA, the FBI, and NSA also recommend, as a longer-term effort, that critical infrastructure organizations implement network segmentation to separate network segments based on role and functionality,” the advisory continued.

“Network segmentation can help prevent lateral movement by controlling traffic flows between—and access to—various subnetworks.”

In a previous brief, CISA identified a “lack of endpoint protection due to overreliance on network security” as one of the top cybersecurity challenges to the healthcare sector in 2020.

CISA’s website provided additional technical details and mitigation techniques that may be effective against Russian state-sponsored threat actors.