Critical Infrastructure Security , Fraud Management & Cybercrime , Governance & Risk Management

US Warns of Russia-Backed Threat to Critical Infrastructure

CISA, NSA and FBI Urge Network Defenders to 'Increase Organizational Vigilance'
US Warns of Russia-Backed Threat to Critical Infrastructure

The Cybersecurity and Infrastructure Security Agency released a joint advisory with the National Security Agency and the FBI on Tuesday warning that Russian threat actors are leveraging certain tactics, techniques and procedures to infiltrate critical infrastructure. In the advisory, CISA lays out several measures to detect and mitigate threats posed by the state actors, with a particular focus on critical infrastructure.

See Also: On Demand | Identify, Prioritise and Respond Faster: APAC’s Strategy to Build Resilience

"CISA, the FBI, and NSA encourage the cybersecurity community - especially critical infrastructure network defenders - to adopt a heightened state of awareness and to conduct proactive threat hunting," the advisory says. It encourages security teams to implement mitigation strategies immediately.

Security professionals are advised to prepare by:

  • Creating and maintaining a cyber incident response plan;
  • Following best practices in the area of identity and access management, among others;
  • Staying vigilant and reporting any suspicious activity.

The advisory also contains a list of 13 vulnerabilities being exploited by the state-backed cybercriminals - including CVEs affecting Microsoft Exchange, Oracle WebLogic Server and Cisco Router - and six cases of malware related to operational technology.

This announcement comes on the heels of a bipartisan group of senators sending a letter to Department of Homeland Security Secretary Alejandro Mayorkas and Department of Transportation Secretary Pete Buttigieg urging them to respond to cyber threats targeting critical infrastructure - particularly the transportation sector (see: Senators Seek Clarity on DHS, DOT Cybersecurity Efforts).

Russian APTs

In their advisory, the U.S. agencies say Russian APTs are using "common but effective tactics" to disrupt networks. The advisory also says that Russian attackers have shown an ability to infiltrate networks and go undetected for long periods of time.

Russian state-sponsored actors have also been known to target critical infrastructure, and CISA provides a list of "high-profile cyber activity" between 2011 and 2020, including attacks on Ukraine's energy distribution companies that led to a massive power outage.

Adam Flately, a former technical lead for the NSA and member of the U.S. Ransomware Task Force, says the joint advisory is clearly linked to the brewing tensions between Russia and Ukraine, which some are predicting could lead to war (see: Cyber Activity Surges as Russia Masses on Ukraine's Border).

“It doesn't take a huge analytic leap to assess that this advisory is likely tied to the tensions over the potential Russian invasion of Ukraine," he says. "It will be important for U.S. organizations, especially the critical infrastructure vertical, to pay extra attention to cybersecurity in order to mitigate Russia’s retaliatory options, should the U.S. 'act decisively' in response to an invasion as the Biden administration has promised."

As the pressure between Russia and Ukraine continues to build, Flately explains that organizations need to be vigilant when it comes to monitoring threats and "review and update incident response plans and [patch] regimes [to] ensure that everyone who has a role in an incident clearly understands their responsibilities in case of a crisis.”

Russian nation-states are currently leveraging the following vulnerabilities, according to CISA:

Incident Response

Rick Holland, CISO and vice president of threat analysis firm Digital Shadows, cites the SolarWinds cyberattack - one of the most damaging cyberattacks to date that hit a company and then leapfrogged to its many customers - as a prime example of the capabilities of Russian attackers.

"Although these groups have sophisticated capabilities, they also rely on low-hanging fruit tactics and techniques," he says, adding that by patching known vulnerabilities, as outlined by CISA, can make it more difficult for nation-states.

Holland also says, that from his point of view, CISA is emphasizing the practice of retaining logs to monitor security infrastructure.

"You must have sensors in place to capture malicious activity. You must also retain those logs for retroactive threat hunting as you develop and acquire new intelligence. "

According to the advisory, if IT or OT network administrators detect any of these threats, they should:

  • Isolate affected systems;
  • Secure backup data by taking it offline, and then scan for additional malware;
  • Review any relevant data, logs or artifacts;
  • If unable to remediate with internal teams, consider seeking assistance from a third party;
  • Report any incidents to CISA or the FBI.

The Department of State's Rewards for Justice Program also offers a reward of up to $10 million for tips about foreign actors operating or participating in malicious cyber activity, especially against critical infrastructure, according to the alert.

This story has been updated to include comments from Adam Flately and Rick Holland.

About the Author

Devon Warren-Kachelein

Devon Warren-Kachelein

Former Staff Writer, ISMG

Warren-Kachelein began her information security journey as a multimedia journalist for SecureWorld, a Portland, Oregon-based cybersecurity events and media group. There she covered topics ranging from government policy to nation-states, as well as topics related to diversity and security awareness. She began her career reporting news for a Southern California-based paper called The Log and also contributed to tech media company Digital Trends.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.