
US warns critical infrastructure of Russian state-sponsored threats

Image by BeeBright from GettyImages.ca

With the U.S. and Russia eyeing each other over Ukraine this week, American cybersecurity authorities have issued a guide to managing Russian state-sponsored cyber threats to U.S. critical infrastructure.

The joint advisory released Tuesday by the Cybersecurity and Infrastructure Security Agency (CISA), the FBI and the National Security Agency (NSA) is part of their “continuing cybersecurity mission to warn organizations of cyber threats and help the cybersecurity community reduce the risk presented by these threats.”

But — perhaps coincidentally — it also came the day after the U.S. and Russia held eight hours of fruitless talks on Moscow’s buildup of troops on its border with Ukraine and the Russian demand that Ukraine not be admitted into NATO. Reuters says Russia has repeatedly said it has no intent of attacking Ukraine.

Russian officials will also meet Wednesday with NATO in Brussels and Thursday with the Organisation for Security and Cooperation in Europe (OSCE) in Vienna.

In its guide, the American authorities give an overview of Russian state-sponsored cyber operations, commonly observed tactics, techniques, and procedures (TTPs), detection actions, incident response guidance, and mitigations.

“The CISA, the FBI, and NSA encourage the cybersecurity community — especially critical infrastructure network defenders — to adopt a heightened state of awareness and to conduct proactive threat hunting,” it says.

Private-sector-controlled critical infrastructure includes the financial, transportation, water and power utility, healthcare and food sectors.

The report lists a number of vulnerabilities that Russian state-sponsored threat actors have recently been exploiting (for example, in Microsoft Exchange, Fortinet FortiGate VPNs, Citrix, Oracle WebLogic and other products). U.S. authorities blame the compromise of the SolarWinds Orion software update mechanism — one of the biggest supply chain attacks in history — on a Russian-based group dubbed Nobelium.

Tuesday’s report says Russian-backed threat groups use common but effective tactics—including spearphishing, brute force, and exploiting vulnerabilities. “Russian state-sponsored APT actors have also demonstrated sophisticated tradecraft and cyber capabilities by compromising third-party infrastructure, compromising third-party software, or developing and deploying custom malware. The actors have also demonstrated the ability to maintain persistent, undetected, long-term access in compromised environments—including cloud environments—by using legitimate credentials,” the report says.

In some cases, the report adds, Russian state-sponsored cyber operations against critical infrastructure organizations have specifically targeted operational technology (OT)/industrial control systems (ICS) networks with destructive malware.

But when it comes to fighting back, the report advises methods that apply to any threat actor: Apply best practices for identity and access management, protective controls and architecture, and vulnerability and configuration management.

They include:

“There is good guidance here from the agencies,” said Tim Helming, security evangelist at DomainTools, “though it’s tempting to look at it as motherhood-and-apple-pie: the vast majority of owners and operators of critical infrastructure are well aware of the threats, and are also cognizant of many of the fundamental steps toward hardening their assets against these threats. Many in the critical infrastructure community take an ‘assume breach’ posture already, based on what we know about the capabilities of these actors. Procedures and tools to improve asset visibility and vulnerability management, identity and access management, log management, ingress and egress filtering, anomaly detection, and behavioral analytics are all recognized as fundamental necessities, and it’s safe to say are being actively improved, to a greater or lesser extent, in the majority of installations.”

“So why did CISA et al issue the advisory? In part, because if they weren’t on record doing so and a compromise were confirmed, it would have been a glaring gap. It also gives owners and operators facing resource constraints more support in their requests, and it’s important not to underestimate how important that can be.”
