Russian Hacking Groups Targeting Critical Infrastructure
The FBI, the Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) are warning critical infrastructure network defenders to be ready to detect and block incoming attacks by Russian-backed hacking groups targeting organizations from U.S. critical infrastructure sectors.
“Russian state-sponsored advanced persistent threat (APT) actors have also demonstrated sophisticated tradecraft and cyber capabilities by compromising third-party infrastructure, compromising third-party software, or developing and deploying custom malware,” the alert said. “The actors have also demonstrated the ability to maintain persistent, undetected, long-term access in compromised environments, including cloud environments, by using legitimate credentials.”
In some cases, Russian state-sponsored cyber operations against critical infrastructure organizations have specifically targeted networks with destructive malware.
Tim Wade is technical director of Vectra’s CTO team.
“I can’t recall a time in my life when Russia wasn’t aggressively probing western resolve, ranging from tactical incursions into air space to pulling strategic economic levers,” he said. “This activity is just a continuation of that longstanding tradition, and I read this advisory as another periodic reminder of the background radiation of global politics. If you’re operating critical infrastructure and are under the impression that you aren’t squarely in an operator’s crosshairs, you’re wrong.”
Rick Holland is CISO and vice president of strategy at Digital Shadows.
“When defending against sophisticated Russian adversaries or any group, you must have a security monitoring infrastructure that provides situational awareness to detect and respond to intrusions,” he said. “You must have sensors in place to capture malicious activity. You must also retain those logs for retroactive threat hunting as you develop and acquire new intelligence. Defenders should conduct an annual gap analysis of their monitoring capabilities and quickly plan to mitigate any collection gaps.”
The second takeaway is that these actors use common but effective tactics, Holland said. Although these groups have sophisticated capabilities, they also rely on low-hanging-fruit tactics and techniques. While it isn’t sexy, effective security hygiene like patching known vulnerabilities on external services raises the adversary’s costs and makes their job harder.
“The advisory doesn’t mention the current Russian-Ukraine tensions, but if the conflict escalates, you can expect Russian cyber threats to increase their operations,” he said. “Cyberspace has become a key component of geopolitics. Russian APT groups aren’t at the top of the threat model for all companies, unlike the critical infrastructure providers mentioned in the alert, but could end up being collateral damage.”