CISA, FBI Warn of Ongoing Russian Cyber Threats to Critical Infrastructure
Federal agencies are reiterating the looming threat of Russian state-sponsored cyber threats to U.S. critical infrastructure this week
New advisories issued by US and British governments this week are aiming to curb Russian state-sponsored cyber threats against critical infrastructure.
A warning on Tuesday from the Cybersecurity & Infrastructure Security Agency and Department of Homeland Security, issued alongside the National Security Agency and the Federal Bureau of Investigation, called on critical infrastructure network defenders in particular to pay special attention to Russian hacking during their normal day-to-day activities, such as threat hunting and incident response.
In its Cybersecurity Advisory, CISA gave defenders tips for improving functional resilience; listed a slew of vulnerabilities commonly exploited by Russian hackers to gain initial access and pivot from; recounted previous Russian cyber intrusion campaigns and malware that have successfully targeted US entities; and summarized the TTPs (tactics, techniques, and procedures) commonly observed.
If you’re tasked with defending a network, you’ve no doubt heard of the CVEs that CISA is encouraging users to patch; many of them appeared in its Binding Operational Directive, Reducing the Significant Risk of Known Exploited Vulnerabilities, last November:
• CVE-2018-13379 FortiGate VPNs
• CVE-2019-1653 Cisco router
• CVE-2019-2725 Oracle WebLogic Server
• CVE-2019-7609 Kibana
• CVE-2019-9670 Zimbra software
• CVE-2019-10149 Exim Simple Mail Transfer Protocol
• CVE-2019-11510 Pulse Secure
• CVE-2019-19781 Citrix
• CVE-2020-0688 Microsoft Exchange
• CVE-2020-4006 VMware (note: this was a zero-day at the time.)
• CVE-2020-5902 F5 Big-IP
• CVE-2020-14882 Oracle WebLogic
• CVE-2021-26855 Microsoft Exchange
Some of the previous hacking examples that CISA gives include details on dozens of government and aviation networks that Russian hackers successfully compromised from September to December 2020 along with hacks from 2011 to 2018 that granted Russian hackers access to energy networks. In both scenarios, attackers managed to not only compromise networks but steal and exfiltrate data.
The National Cyber Security Centre, part of the UK's GCHQ, echoed CISA’s recommendations on Wednesday, urging organizations there to follow advice set out in the advisory.
The NCSC also pushed critical infrastructure organizations to:
• Patch all systems and prioritize patching known exploited vulnerabilities
• Implement multi-factor authentication
• Use antivirus software
The warnings come amid pressure as Russia tries to prevent Ukraine from joining NATO. Following two rounds of diplomatic talks this week, the country has still not fully committed to de-escalating its presence on the Ukrainian border. Last month, per US intelligence, Russia was planning a military offensive against Ukraine that could involve 175,000 troops.
In what could be a logical progression, the United States is hinting that the heightened drama could soon translate to tension online and urging those who oversee critical infrastructure to be ready.
As Chris Krebs, the former director of CISA tweeted yesterday: “…here’s how I read this: ‘State and NSC are in Geneva right now trying to keep the Russians out of Ukraine, but in case that doesn’t work, you might want to prepare for badness and here’s how Russian cyber operators do business…’”