The US federal cybersecurity agencies are recommending that operators of critical infrastructure enhance their preparedness to counter Russian state-sponsored cyber operations.
Namely, CISA, the FBI, and NSA encourage the cybersecurity community, and especially critical infrastructure network defenders, to adopt a heightened state of awareness and conduct proactive threat hunting, in order to strengthen their organization’s operational resiliency against sophisticated threat actors, including nation-states and their proxies.
- Be prepared: Confirm reporting processes and minimize personnel gaps in IT/OT security coverage. Create, maintain, and exercise a cyber incident response plan, resilience plan, and continuity of operations plan so that critical functions and operations can be kept running if technology systems are disrupted or need to be taken offline.
- Enhance your organization’s cyber posture: Follow best practices for identity and access management, protective controls and architecture, and vulnerability and configuration management.
- Increase organizational vigilance: Stay current on reporting on this threat.
According to the agencies, Russian state-sponsored APT actors have used sophisticated cyber capabilities to target a variety of U.S. and international critical infrastructure organizations. High-profile cyber activity publicly attributed to Russian state-sponsored APT actors by U.S. government reporting and legal actions includes:
- Russian state-sponsored APT actors targeting state, local, tribal, and territorial (SLTT) governments and aviation networks, September 2020, through at least December 2020.
- Russian state-sponsored APT actors’ global Energy Sector intrusion campaign, 2011 to 2018. These Russian state-sponsored APT actors conducted a multi-stage intrusion campaign in which they gained remote access to U.S. and international Energy Sector networks, deployed ICS-focused malware, and collected and exfiltrated enterprise and ICS-related data.
- Russian state-sponsored APT actors’ campaign against Ukrainian critical infrastructure, 2015 and 2016.
Detection
CISA, the FBI, and NSA encourage all critical infrastructure organizations to:
- Implement robust log collection and retention.
- Look for behavioral evidence or network and host-based artifacts from known Russian state-sponsored TTPs.
- Detect use of compromised credentials in combination with a virtual private server (VPS).
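The third detection item, valid credentials used from VPS or hosting address space, is the one that most often needs custom logic, because the login itself succeeds and raises no error. The following is an added example, not code from the advisory or from CISA, the FBI, or NSA. It assumes a simplified VPN-gateway log format and uses constructed sample lines; the VPS ranges are RFC 5737 documentation networks standing in for the hosting-provider or ASN list you would populate from your own threat intelligence. For each successful login from that space it records whether the account had an established non-VPS baseline and how many failures from the same source preceded the success, both of which help triage a possibly compromised credential.

```python
"""
Added example (not from the advisory): flag successful authentications whose
source IP falls in hosting / VPS address space, the pattern the advisory
describes as "compromised credentials in combination with a VPS".
"""
import ipaddress
import re
from collections import defaultdict

# Constructed placeholder ranges standing in for the hosting-provider/VPS
# list you would populate from your own threat intel or ASN data.
# These are RFC 5737 documentation networks, not real providers.
VPS_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed sample log lines in a simplified VPN-gateway format:
# "<timestamp> <result> user=<name> src=<ip>"
SAMPLE_LOG = """\
2022-01-11T08:01:12Z LOGIN_OK user=alice src=192.0.2.10
2022-01-11T08:05:43Z LOGIN_OK user=bob src=192.0.2.22
2022-01-11T08:07:09Z LOGIN_FAIL user=alice src=203.0.113.55
2022-01-11T08:07:31Z LOGIN_OK user=alice src=203.0.113.55
2022-01-11T09:15:02Z LOGIN_OK user=carol src=198.51.100.7
2022-01-11T09:20:00Z LOGIN_OK user=bob src=192.0.2.22
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<result>LOGIN_OK|LOGIN_FAIL)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)


def parse_lines(text):
    """Parse the simplified log format into dicts; skip lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def in_vps_space(ip_str, ranges=VPS_RANGES):
    """True when the address falls inside any configured hosting/VPS range."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in net for net in ranges)


def find_vps_logins(events, ranges=VPS_RANGES):
    """Return successful logins originating from VPS space, with context:
    whether the same user previously authenticated from a non-VPS address
    (an established baseline) and how many failures preceded the success
    from that source (guessing or spraying against a valid account)."""
    seen_corp_src = defaultdict(set)      # user -> non-VPS sources seen so far
    fails_from_src = defaultdict(int)     # (user, src) -> failures before success
    alerts = []
    for ev in events:                     # events are assumed to be in time order
        key = (ev["user"], ev["src"])
        vps = in_vps_space(ev["src"], ranges)
        if ev["result"] == "LOGIN_FAIL":
            fails_from_src[key] += 1
            continue
        if not vps:
            seen_corp_src[ev["user"]].add(ev["src"])
            continue
        alerts.append({
            "ts": ev["ts"],
            "user": ev["user"],
            "src": ev["src"],
            "had_baseline": bool(seen_corp_src[ev["user"]]),
            "failures_before_success": fails_from_src[key],
        })
    return alerts


if __name__ == "__main__":
    for alert in find_vps_logins(parse_lines(SAMPLE_LOG)):
        print(alert)
```

On the sample input this produces two alerts: alice succeeding from 203.0.113.55 after one failure from that address, while having a normal corporate baseline, and carol's first-ever login coming straight from VPS space. In production the ranges would come from a maintained hosting/ASN feed, and the same structure works over SIEM exports once `LINE_RE` is adapted to the real log schema.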
Incident Response
Organizations detecting potential APT activity in their IT or OT networks should:
- Immediately isolate affected systems.
- Secure backups: Ensure your backup data is offline and secure. If possible, scan your backup data with an antivirus program to ensure it is free of malware.
- Collect and review relevant logs, data, and artifacts.
- Consider soliciting support from a third-party IT organization to provide subject matter expertise, ensure the actor is eradicated from the network, and avoid residual issues that could enable follow-on exploitation.
- Report incidents to CISA and/or the FBI.
Mitigations
CISA, the FBI, and NSA encourage all organizations to implement the following recommendations to increase their cyber resilience against this threat:
- Assign main points of contact for a suspected incident as well as roles and responsibilities and ensure personnel know how and when to report an incident.
- Minimize gaps in IT/OT security personnel availability by identifying surge support for responding to an incident.
- Ensure IT/OT security personnel monitor key internal security capabilities and can identify anomalous behavior.
- Create, maintain, and exercise a cyber incident response and continuity of operations plan.