Critical Infrastructure Entities Warned About Cyberattacks by State-sponsored Russian APT Actors
The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) have issued a joint advisory warning about the threat of Russian cyberattacks on critical infrastructure, including the healthcare, energy, government, and telecommunications sectors.
“CISA, the FBI, and NSA encourage the cybersecurity community – especially critical infrastructure network defenders – to adopt a heightened state of awareness and to conduct proactive threat hunting,” explained the agencies in the advisory.
The agencies have shared details of the tactics, techniques, and procedures (TTPs) commonly used by Russian state-sponsored advanced persistent threat (APT) actors to gain persistent access to networks for espionage and destructive cyberattacks.
Russian APT actors use a variety of methods to breach perimeter defenses including spear phishing, brute force attacks against accounts and networks with weak security, and the exploitation of unpatched vulnerabilities, and have previously targeted vulnerable Citrix, Pulse Secure, F5 Big-IP, and VMWare products, FortiGate VPNs, Microsoft Exchange, Cisco Router, and Oracle WebLogic Servers.
Russian APT actors have extensive cyber capabilities and are known to conduct highly sophisticated attacks and maintain a long-term presence in compromised networks and cloud environments, with initial access, often gained using legitimate credentials. Custom malware is often deployed on operational technology (OT) and industrial control systems (ICS) and the malware is used to exfiltrate sensitive data.
All critical infrastructure entities have been advised to closely monitor their networks and systems for signs of malicious activity and take steps to improve their cybersecurity defenses. Security professionals have been advised to create and maintain a cyber incident response plan and follow cybersecurity best practices for identity and access management.
Centralized log collection and monitoring will make it easier to investigate and detect threats in a timely manner. Security teams should search for network and host-based artifacts, review authentication logs for signs of multiple failed login attempts across different accounts, and investigate login failures using valid usernames. It is also recommended to implement security solutions capable of behavioral analysis to identify suspicious network and account activity.
It is important to implement network segmentation as this will help to limit lateral movement within compromised networks and subnetworks if the perimeter defenses are breached. Regular backups should be performed, and backups should be tested to make sure data recovery is possible. Backups should be stored offline and should not be accessible from the systems where the data resides.
If suspicious activity is detected, affected systems should be isolated from the network, backup data should be secured by taking it offline, and data and artifacts should be collected. In the event of a cyberattack, critical infrastructure entities should consider engaging a third-party cybersecurity firm to assist with response and recovery. Any attack should be reported to the FBI and CISA.
While Russian APT actors have previously concentrated their efforts on attacks on utilities, government, and defense, there is a significant threat of attacks on the healthcare and pharmaceutical sectors as a result of the COVID-19 pandemic. Russian state-sponsored APT actors continue to seek intellectual property related to COVID-19 research, vaccines, treatments, and testing, along with any clinical research data supporting those areas.
The agencies have also issued a reminder that the Department of State is running a Rewards for Justice Program, which provides a reward of up to $10 million for information about foreign actors who are engaging in malicious cyber activities, in particular cyberattacks against U.S. critical infrastructure organizations.