US gov issues fresh warning over Russian threat to critical infrastructure

Abstract silhouette of a computer hacker in front of a Russian flag
(Image credit: Shutterstock)

Cyber security specialists at the US government have warned critical infrastructure network defenders to "adopt a heightened state of awareness" against Russian state-sponsored cyber attacks.

The Federal Bureau of Investigation (FBI), Cyber Security and Infrastructure Security Agency (CISA), and the National Security Agency (NSA) issued a joint advisory on Tuesday providing an overview of the commonly used tactics and techniques used by Russian state-backed threat actors so the security community can take a more proactive stance on threat hunting.

The trio of federal agencies said these Russian hackers typically exploit flaws in popular enterprise products, listing known issues in products including Cisco routers (CVE-2019-1653), Oracle WebLogic (CVE-2020-14882), Citrix (CVE-2019-19781), Pulse Secure (CVE-2019-11510), and Microsoft Exchange (CVE-2020-0688).

"Russian state-sponsored APT actors have also demonstrated sophisticated tradecraft and cyber capabilities by compromising third-party infrastructure, compromising third-party software, or developing and deploying custom malware," the joint advisory reads. "The actors have also demonstrated the ability to maintain persistent, undetected, long-term access in compromised environments - including cloud environments - by using legitimate credentials.

"In some cases, Russian state-sponsored cyber operations against critical infrastructure organisations have specifically targeted operational technology (OT)/industrial control systems (ICS) networks with destructive malware."

Organisations are recommended to apply a range of mitigations to ensure functional resilience and lower the risk of compromise. These include measures such as confirming reporting processes, minimising personnel gaps in security coverage, following industry best practices for identity and access management, and proactively monitoring threat feeds for patches.

Because Russian threat actors have a history of lingering in networks undetected for long periods of time, the FBI, NSA, and CISA recommend all critical infrastructure organisations to also implement robust log collection and retention, to aid incident investigations, and to proactively look for behavioural irregularities such as password spray attempts and detecting use of compromised credentials.

The trio of agencies also highlighted a number of incidents in recent history where Russian state-sponsored hackers have been found to attack local governments and critical infrastructure.

From September 2020 to "at least" December 2020, Russian attackers targeted "dozens" of state, local, tribal, and territorial governments, as well as aviation networks, succeeding in extracting data from multiple victims.

They also pointed to Russia's instruction campaign in the US' energy sector between 2011 and 2018, deploying malware specially crafted for critical infrastructure environments and stealing data related to the industry.


The Okta digital trust index

Exploring the human edge of trust


"When the FBI, CISA and NSA team up to issue a joint alert about Russian state-sponsored APTs, every security team on the planet needs to sit up and take notice," said Dr Süleyman Özarslan, co-founder of Picus Security to IT Pro. "This alert highlights the seriousness and prevalence of ongoing malicious cyber operations by Russian state-sponsored APT actors. It should also be of great assistance to the cybersecurity community in reducing the risk posed by these threats."

The advisory comes as US officials join Russia's representatives in Geneva to discuss Russia's potential invasion of Ukraine, a country which was also on the receiving end of Russian hackers targeting critical infrastructure between 2015 and 2016, the advisory noted.

Cyber security expert and former CISA director Chris Krebs suggested the timing of the advisory's publication could be interpreted as a warning to US organisations to prepare for the Geneva talks to go south, which they reportedly are after eight hours of discussions.

Connor Jones

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.