The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA) have released a joint advisory warning of the risk of Russian cyberattacks on critical infrastructure, including the healthcare, energy, government, and telecommunications sectors.
“CISA, the FBI, and NSA urge the cybersecurity community, particularly critical infrastructure network defenders, to undertake a greater state of awareness and to carry out proactive threat hunting,” explained the agencies in the alert.
The agencies have disclosed the tactics, techniques, and procedures (TTPs) that Russian state-sponsored advanced persistent threat (APT) actors frequently use to gain persistent access to networks for espionage and destructive cyberattacks.
Russian APT actors use a range of techniques to breach perimeter defenses, including spear phishing, brute-force attacks against poorly secured accounts and systems, and the exploitation of unpatched vulnerabilities. They have previously targeted unpatched Citrix, Pulse Secure, F5 BIG-IP, and VMware products, Microsoft Exchange, FortiGate VPNs, Cisco routers, and Oracle WebLogic Servers.
Russian APT actors have substantial cyber capabilities, are known to conduct highly sophisticated attacks, and can maintain a prolonged presence in compromised networks and cloud environments, with initial access frequently obtained using legitimate credentials. Custom malware is typically deployed on operational technology (OT) and industrial control systems (ICS), and that malware is used to exfiltrate sensitive files.
Every critical infrastructure entity has been told to carefully check its networks and systems for indications of malicious activity and to take steps to strengthen its cybersecurity defenses. Security teams were instructed to create and maintain a cyber incident response plan and to follow cybersecurity best practices for identity and access management.
Centralized log collection and monitoring make it easier to inspect for and identify threats in a timely fashion. Security teams should look for network- and host-based artifacts, review authentication logs for signs of multiple failed login attempts across many accounts, and investigate login failures that use valid usernames. It is also advisable to deploy security solutions capable of behavioral analysis to detect suspicious network and account activity.
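The authentication-log review described above, as an added example that is not part of the advisory or the agencies' own guidance: a small Python script that parses constructed sshd-style auth.log lines, groups failures by source address, and tags the patterns the advisory singles out: many failures spread across many accounts (password spraying), many failures against one account (brute force), failures that use valid usernames rather than non-existent ones, and a success that follows a run of failures. The sample log lines, the source addresses, and the thresholds (four sprayed accounts, five attempts on one account, three failures before a success) are all assumptions constructed for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log lines in OpenSSH auth.log format (not from the advisory).
# 203.0.113.7 tries one password against many accounts (password spraying),
# 198.51.100.9 hammers one account and finally gets in (brute force, then success),
# 192.0.2.20 is a user who mistyped once and then logged in normally.
SAMPLE_LOG = """\
Jan 10 09:00:01 bastion sshd[1201]: Failed password for alice from 203.0.113.7 port 51122 ssh2
Jan 10 09:00:03 bastion sshd[1203]: Failed password for bob from 203.0.113.7 port 51130 ssh2
Jan 10 09:00:05 bastion sshd[1205]: Failed password for carol from 203.0.113.7 port 51140 ssh2
Jan 10 09:00:07 bastion sshd[1207]: Failed password for dave from 203.0.113.7 port 51150 ssh2
Jan 10 09:00:09 bastion sshd[1209]: Failed password for invalid user admin from 203.0.113.7 port 51160 ssh2
Jan 10 09:00:11 bastion sshd[1211]: Failed password for erin from 203.0.113.7 port 51170 ssh2
Jan 10 09:01:00 bastion sshd[1300]: Failed password for alice from 198.51.100.9 port 40001 ssh2
Jan 10 09:01:01 bastion sshd[1301]: Failed password for alice from 198.51.100.9 port 40002 ssh2
Jan 10 09:01:02 bastion sshd[1302]: Failed password for alice from 198.51.100.9 port 40003 ssh2
Jan 10 09:01:03 bastion sshd[1303]: Failed password for alice from 198.51.100.9 port 40004 ssh2
Jan 10 09:01:04 bastion sshd[1304]: Failed password for alice from 198.51.100.9 port 40005 ssh2
Jan 10 09:01:05 bastion sshd[1305]: Failed password for alice from 198.51.100.9 port 40006 ssh2
Jan 10 09:01:10 bastion sshd[1306]: Accepted password for alice from 198.51.100.9 port 40007 ssh2
Jan 10 09:05:00 bastion sshd[1400]: Failed password for frank from 192.0.2.20 port 33000 ssh2
Jan 10 09:05:30 bastion sshd[1401]: Accepted password for frank from 192.0.2.20 port 33001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)


def parse_auth_log(text, year=2022):
    """Turn sshd password-auth lines into event dicts; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            # syslog timestamps carry no year, so the caller supplies one
            "ts": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
            "result": m["result"],
            "user": m["user"],
            "invalid_user": m["invalid"] is not None,
            "src": m["src"],
        })
    return events


def analyze(events, spray_users=4, brute_attempts=5, min_failures_before_success=3):
    """Group events by source address and tag the patterns worth a closer look.

    The thresholds are illustrative assumptions; tune them to the environment's baseline.
    """
    by_src = defaultdict(lambda: {"failed": [], "accepted": []})
    for e in events:
        by_src[e["src"]]["failed" if e["result"] == "Failed" else "accepted"].append(e)

    findings = []
    for src in sorted(by_src):
        failed, accepted = by_src[src]["failed"], by_src[src]["accepted"]
        # failures against usernames that actually exist are the ones to investigate first
        valid_user_fails = [e for e in failed if not e["invalid_user"]]
        per_user = Counter(e["user"] for e in failed)
        tags = []
        if len({e["user"] for e in valid_user_fails}) >= spray_users:
            tags.append("password_spray")      # few tries each, across many accounts
        if per_user and per_user.most_common(1)[0][1] >= brute_attempts:
            tags.append("brute_force")         # many tries against one account
        if len(failed) >= min_failures_before_success and accepted:
            last_fail = max(e["ts"] for e in failed)
            if any(e["ts"] > last_fail for e in accepted):
                tags.append("success_after_failures")  # guessing that worked: escalate
        if tags:
            findings.append({
                "source": src,
                "tags": tags,
                "valid_user_failures": len(valid_user_fails),
                "invalid_user_failures": len(failed) - len(valid_user_fails),
                "accounts_targeted": sorted(per_user),
            })
    return findings


if __name__ == "__main__":
    for f in analyze(parse_auth_log(SAMPLE_LOG)):
        print(f"{f['source']}: {', '.join(f['tags'])} "
              f"(valid-user failures={f['valid_user_failures']}, "
              f"accounts={', '.join(f['accounts_targeted'])})")
```

Run against the sample, the script flags 203.0.113.7 as a spray (five existing accounts plus one non-existent one, a single try each) and 198.51.100.9 as brute force followed by a successful login, which is the finding that warrants immediate escalation; the single mistyped password from 192.0.2.20 is left alone. The same grouping works on centrally collected logs from many hosts, which is why the advisory favors centralized collection: a spray spread across ten servers only becomes visible once their failures are counted together.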
Network segmentation is important because it restricts lateral movement within breached networks and subnetworks once the perimeter defenses have been broken. Regular backups must be taken, and they must be tested to confirm that data can actually be recovered. Backups should be kept offline and should not be reachable from the systems where the data resides.
When suspicious activity is observed, affected systems should be isolated from the network, backup data should be secured by taking it offline, and logs and other artifacts should be collected and preserved. In the event of a cyberattack, critical infrastructure entities should consider engaging a third-party cybersecurity firm to assist with response and recovery. Any cyberattack should be reported to the FBI and CISA.
Although Russian APT actors have previously concentrated their efforts on government, defense, and utility targets, there is a considerable risk of attacks on the healthcare and pharmaceutical sectors because of the COVID-19 pandemic. Russian state-sponsored APT actors continue to seek intellectual property related to COVID-19 research, vaccines, treatments, and testing, along with any clinical research data supporting those areas.
The agencies also noted that the Department of State is running a Rewards for Justice Program, which offers a reward of up to $10 million for information about foreign actors engaged in malicious cyber activity, particularly cyberattacks against U.S. critical infrastructure organizations.