U.S. Security Agencies Issue Advisory for Russian Cyber Attacks on Infrastructure

January 13, 2022

Federal cybersecurity officials are again warning of Russian cyber attacks and urging critical infrastructure networks in particular to be on alert.

The Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigation, and the National Security Agency released a joint Cybersecurity Advisory (CSA) that provides an overview of Russian state-sponsored cyber operations, including commonly observed tactics, techniques and procedures.

Historically, Russian state-sponsored actors have used spearphishing, brute force, and the exploitation of known vulnerabilities against accounts and networks with weak security, as well as other “common but effective tactics,” to gain initial access to target networks, according to the advisory.
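Brute force and password spraying against weakly protected accounts leave a recognisable footprint in authentication logs. The script below is an added example, not part of the advisory or this article, showing how a defender can flag both patterns (and a success that follows a run of failures) in sshd-style log lines; the log lines, IP addresses and account names are constructed for the example, and the thresholds are assumed starting points that a real deployment would tune.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (sshd-style); hosts, users and addresses are not real.
SAMPLE_LOG = """\
2022-01-13T09:00:01 sshd[1001]: Failed password for alice from 203.0.113.7 port 51000
2022-01-13T09:00:05 sshd[1002]: Failed password for alice from 203.0.113.7 port 51001
2022-01-13T09:00:09 sshd[1003]: Failed password for alice from 203.0.113.7 port 51002
2022-01-13T09:00:14 sshd[1004]: Failed password for alice from 203.0.113.7 port 51003
2022-01-13T09:00:20 sshd[1005]: Failed password for alice from 203.0.113.7 port 51004
2022-01-13T09:00:27 sshd[1006]: Failed password for alice from 203.0.113.7 port 51005
2022-01-13T09:00:33 sshd[1007]: Accepted password for alice from 203.0.113.7 port 51006
2022-01-13T09:10:00 sshd[1010]: Failed password for alice from 198.51.100.9 port 40000
2022-01-13T09:10:40 sshd[1011]: Failed password for bob from 198.51.100.9 port 40001
2022-01-13T09:11:20 sshd[1012]: Failed password for invalid user carol from 198.51.100.9 port 40002
2022-01-13T09:12:00 sshd[1013]: Failed password for dave from 198.51.100.9 port 40003
2022-01-13T09:15:00 sshd[1020]: Accepted password for eve from 192.0.2.5 port 60000
2022-01-13T09:16:00 unrelated line that the parser must skip
"""

# Matches "Failed"/"Accepted password for [invalid user] <user> from <ip> port <n>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+$"
)


def parse_auth_log(text):
    """Turn matching log lines into event dicts; non-matching lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m.group("ts")),
            "result": m.group("result"),
            "user": m.group("user"),
            "ip": m.group("ip"),
        })
    return events


def detect(events, window=timedelta(minutes=5), fail_threshold=5, spray_users=3):
    """Return {source_ip: [finding, ...]} for sources showing suspicious patterns.

    brute_force           : >= fail_threshold failures from one IP inside `window`
    password_spray        : failures against >= spray_users distinct accounts inside `window`
    success_after_failures: an accepted login from an IP that had failed earlier
    """
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)

    alerts = {}
    for ip, evs in by_ip.items():
        findings = set()
        fails = [e for e in evs if e["result"] == "Failed"]
        start = 0
        # Sliding window over this IP's failures, oldest to newest.
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            recent = fails[start:end + 1]
            if len(recent) >= fail_threshold:
                findings.add("brute_force")
            if len({e["user"] for e in recent}) >= spray_users:
                findings.add("password_spray")
        seen_failure = False
        for e in evs:
            if e["result"] == "Failed":
                seen_failure = True
            elif seen_failure:  # Accepted after at least one failure from this IP
                findings.add("success_after_failures")
        if findings:
            alerts[ip] = sorted(findings)
    return alerts


def run(text=SAMPLE_LOG):
    return detect(parse_auth_log(text))


if __name__ == "__main__":
    for ip, findings in run().items():
        print(ip, ", ".join(findings))
```

The spray case matters because each account sees only one failure, so a per-account lockout counter never fires; counting distinct accounts per source address inside the window catches it. A success after failures from the same source is the event worth escalating first, since it may mean a weak password was guessed.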

The agencies did not cite a specific reason for releasing the Russia report at this time. They said only that it was being released to “help the cybersecurity community reduce the risk presented by Russian state-sponsored cyber threats.”

According to federal cyber officials, these are actions that critical infrastructure organizations should implement immediately:
• Patch all systems. Prioritize patching known exploited vulnerabilities.
• Implement multi-factor authentication.
• Use antivirus software.
• Develop internal contact lists and surge support.
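"Prioritize patching known exploited vulnerabilities" is concrete enough to automate: scan findings can be ranked against CISA's Known Exploited Vulnerabilities catalog so that catalog entries, ordered by their due date, come before everything else regardless of CVSS score. The script below is an added example and not code from CISA or from the advisory; the catalog excerpt uses the field names of the public KEV JSON feed but its entries, due dates, hosts and CVE identifiers (written as CVE-YYYY-NNNN placeholders) are all constructed.

```python
import json
from datetime import date

# Constructed catalog excerpt in the shape of the KEV JSON feed; CVE ids are placeholders.
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-YYYY-0001", "vendorProject": "ExampleVendor", "product": "MailServer",
     "dueDate": "2022-01-20", "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-YYYY-0002", "vendorProject": "ExampleVendor", "product": "VPNGateway",
     "dueDate": "2022-02-10", "requiredAction": "Apply updates per vendor instructions."},
]})

# Constructed vulnerability-scan findings: one row per (host, CVE).
FINDINGS = [
    {"host": "mail01", "cve": "CVE-YYYY-0001", "cvss": 7.5},
    {"host": "vpn01", "cve": "CVE-YYYY-0002", "cvss": 9.8},
    {"host": "web01", "cve": "CVE-YYYY-0003", "cvss": 9.1},  # not in the catalog
    {"host": "db01", "cve": "CVE-YYYY-0004", "cvss": 5.3},   # not in the catalog
]


def load_kev(text):
    """Index catalog entries by CVE id for O(1) lookup."""
    return {v["cveID"]: v for v in json.loads(text)["vulnerabilities"]}


def prioritize(findings, kev, today):
    """Rank findings: catalog entries first (earliest due date first), then others by CVSS."""
    rows = []
    for f in findings:
        entry = kev.get(f["cve"])
        if entry is not None:
            due = date.fromisoformat(entry["dueDate"])
            rows.append({**f, "kev": True, "due": due, "overdue": due < today,
                         "action": entry["requiredAction"]})
        else:
            rows.append({**f, "kev": False, "due": None, "overdue": False, "action": None})
    # Sort key: non-catalog last; among catalog rows earliest due date; then highest CVSS.
    rows.sort(key=lambda r: (not r["kev"], r["due"] or date.max, -r["cvss"]))
    return rows


if __name__ == "__main__":
    for r in prioritize(FINDINGS, load_kev(KEV_JSON), date.today()):
        flag = "KEV" + (" OVERDUE" if r["overdue"] else "") if r["kev"] else "   "
        print(f"{flag:12} {r['host']:8} {r['cve']:14} CVSS {r['cvss']}")
```

Note that the 7.5-scored finding outranks the 9.8-scored one because its catalog due date is earlier; evidence of active exploitation, not severity alone, drives the order. The `overdue` flag is what a manager would report on.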

CISA recommends network defenders review CISA’s Russia Cyber Threat Overview and Advisories page for more information on Russian state-sponsored malicious cyber activity. CISA recommends critical infrastructure leaders review CISA Insights: Preparing for and Mitigating Potential Cyber Threats.

President Joe Biden has been pressuring Russian President Vladimir Putin to halt Russian cyber actions against the U.S. In recent weeks, there has been concern expressed in Washington that Russia may turn to cyber attacks as U.S.-Russia tensions over Ukraine grow. That’s something they did in 2015 and 2016 when the U.S. and Russia last squared off over Ukraine, according to the advisory.

The agencies are encouraging the cybersecurity community, especially those involved in protecting critical infrastructure, to adopt a “heightened state of awareness, conduct proactive threat hunting and implement the mitigations” identified in the joint CSA.

In its review of past Russian cyber attacks, the advisory identifies key vulnerabilities that Russian hackers have exploited in systems including Microsoft Exchange, Cisco routers, Oracle servers, Zimbra software and Citrix networks, among others.

The advisory says Russian actors have also “demonstrated the ability to maintain persistent, undetected, long-term access in compromised environments—including cloud environments—by using legitimate credentials.”

Russian hackers in the past have targeted a variety of U.S. and international critical infrastructure organizations, including those in the defense industry, healthcare, public health, energy, telecommunications and government facilities. Some of the high-profile cyber activity publicly attributed to Russian state-sponsored actors and cited in the report include: