US gov issues fresh warning over Russian threat to critical infrastructure

The FBI, NSA and CISA have urged network defenders to be on "heightened alert" for Russian cyber attacks

Cyber security specialists at the US government have warned critical infrastructure network defenders to "adopt a heightened state of awareness" against Russian state-sponsored cyber attacks.

The Federal Bureau of Investigation (FBI), Cyber Security and Infrastructure Security Agency (CISA), and the National Security Agency (NSA) issued a joint advisory on Tuesday providing an overview of the commonly used tactics and techniques used by Russian state-backed threat actors so the security community can take a more proactive stance on threat hunting.

The trio of federal agencies said these Russian hackers typically exploit flaws in popular enterprise products, listing known issues in products including Cisco routers (CVE-2019-1653), Oracle WebLogic (CVE-2020-14882), Citrix (CVE-2019-19781), Pulse Secure (CVE-2019-11510), and Microsoft Exchange (CVE-2020-0688).

"Russian state-sponsored APT actors have also demonstrated sophisticated tradecraft and cyber capabilities by compromising third-party infrastructure, compromising third-party software, or developing and deploying custom malware," the joint advisory reads. "The actors have also demonstrated the ability to maintain persistent, undetected, long-term access in compromised environments - including cloud environments - by using legitimate credentials.

"In some cases, Russian state-sponsored cyber operations against critical infrastructure organisations have specifically targeted operational technology (OT)/industrial control systems (ICS) networks with destructive malware."

Organisations are recommended to apply a range of mitigations to ensure functional resilience and lower the risk of compromise. These include measures such as confirming reporting processes, minimising personnel gaps in security coverage, following industry best practices for identity and access management, and proactively monitoring threat feeds for patches.

Because Russian threat actors have a history of lingering in networks undetected for long periods of time, the FBI, NSA, and CISA recommend that all critical infrastructure organisations also implement robust log collection and retention to aid incident investigations, and proactively look for behavioural irregularities such as password spray attempts and the use of compromised credentials.
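The log-hunting recommendation above is the one concrete technique in the advisory, so here is an added example of what it looks like in practice; this is illustrative code written for this article, not tooling from the FBI, CISA or NSA. It runs over a constructed authentication log (the `timestamp ip username result` format, the IP addresses and the account names are all made up for the example) and separates the two signals the advisory names: a password spray, where one source produces failures against many distinct accounts in a short window, and a possible compromised credential, where a source that was spraying then logs in successfully. Many failures against a single account from one source (brute force, as with `alice` below) is deliberately not flagged as a spray, to show why the detector counts distinct accounts rather than raw failures.

```python
"""Hunt for password-spray activity and suspicious follow-on logins in an auth log.

Added example, not part of the joint advisory. The log format and every value
in SAMPLE_LOG are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <source ip> <username> <FAIL|SUCCESS>"
# 203.0.113.7 sprays five accounts, then succeeds against a sixth.
# 198.51.100.9 hammers one account (brute force, not a spray).
# 192.0.2.44 is ordinary benign activity.
SAMPLE_LOG = """\
2021-01-12T09:00:01 203.0.113.7 alice FAIL
2021-01-12T09:00:03 203.0.113.7 bob FAIL
2021-01-12T09:00:05 203.0.113.7 carol FAIL
2021-01-12T09:00:07 203.0.113.7 dave FAIL
2021-01-12T09:00:09 203.0.113.7 erin FAIL
2021-01-12T09:00:11 203.0.113.7 frank SUCCESS
2021-01-12T09:05:00 198.51.100.9 alice FAIL
2021-01-12T09:05:02 198.51.100.9 alice FAIL
2021-01-12T09:05:04 198.51.100.9 alice FAIL
2021-01-12T09:05:06 198.51.100.9 alice FAIL
2021-01-12T09:05:08 198.51.100.9 alice FAIL
2021-01-12T10:30:00 192.0.2.44 grace SUCCESS
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, ip, user, result) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    events.sort()
    return events


def detect_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Return {source_ip: sorted distinct accounts} for every source whose
    failed logins touch at least `min_accounts` different accounts inside
    any `window`-long span. Counting distinct accounts, not failures, is
    what separates a spray from a brute-force attempt on one account."""
    failures_by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "FAIL":
            failures_by_ip[ip].append((ts, user))

    sprayers = {}
    for ip, fails in failures_by_ip.items():
        # Slide a window forward from each failure; stop at the first match.
        for i, (start, _) in enumerate(fails):
            accounts = {user for ts, user in fails[i:] if ts - start <= window}
            if len(accounts) >= min_accounts:
                sprayers[ip] = sorted(accounts)
                break
    return sprayers


def successes_after_spray(events, sprayers):
    """Return (ip, user) pairs where a source flagged as spraying went on to
    authenticate successfully. These accounts are candidates for compromised
    credentials and should be reviewed and reset."""
    return [(ip, user) for ts, ip, user, result in events
            if result == "SUCCESS" and ip in sprayers]


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    found = detect_spray(evts)
    for ip, accounts in found.items():
        print(f"password spray from {ip} against {len(accounts)} accounts: {accounts}")
    for ip, user in successes_after_spray(evts, found):
        print(f"possible compromised credential: {user} logged in from spraying source {ip}")
```

The thresholds (`window`, `min_accounts`) are tuning knobs, not recommendations from the advisory; set them against a baseline of your own authentication volume so that shared NAT egress points and service accounts do not drown the signal.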

The trio of agencies also highlighted a number of incidents in recent history where Russian state-sponsored hackers have been found to attack local governments and critical infrastructure. 

From September 2020 to "at least" December 2020, Russian attackers targeted "dozens" of state, local, tribal, and territorial governments, as well as aviation networks, succeeding in extracting data from multiple victims.

They also pointed to Russia's intrusion campaign against the US energy sector between 2011 and 2018, which deployed malware specially crafted for critical infrastructure environments and stole data related to the industry.

"When the FBI, CISA and NSA team up to issue a joint alert about Russian state-sponsored APTs, every security team on the planet needs to sit up and take notice," said Dr Süleyman Özarslan, co-founder of Picus Security to IT Pro. "This alert highlights the seriousness and prevalence of ongoing malicious cyber operations by Russian state-sponsored APT actors. It should also be of great assistance to the cybersecurity community in reducing the risk posed by these threats."

The advisory comes as US officials join Russia's representatives in Geneva to discuss Russia's potential invasion of Ukraine, a country which was also on the receiving end of Russian hackers targeting critical infrastructure between 2015 and 2016, the advisory noted.

Cyber security expert and former CISA director Chris Krebs suggested the timing of the advisory's publication could be interpreted as a warning to US organisations to prepare for the Geneva talks to go south, which, after eight hours of discussions, they reportedly have.