The Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the Cybersecurity and Infrastructure Security Agency (CISA) have given a joint alert to caution about the danger of Russian cyberattacks on critical infrastructures, such as medical care, government, energy and telecommunications markets.
“CISA, the FBI, and NSA advise the cybersecurity community, specifically critical infrastructure network defenders, to take up an increased state of consciousness and to perform proactive threat hunting,” stated the agencies in the alert.
The agencies have revealed facts involving the tactics, techniques, and procedures (TTPs) that Russian state-sponsored advanced persistent threat (APT) actors generally employed to acquire persistent access to systems for surveillance and detrimental cyberattacks.
Russian APT actors employ different techniques to breach perimeter defenses which include spear phishing, brute force attacks against accounts and systems with vulnerable security, and the exploitation of unpatched vulnerabilities, and have formerly targeted weak Pulse Secure Citrix, Vmware F5 Big-IP products, Microsoft Exchange, Cisco Router Fortigate VPNs, Oracle WebLogic Servers.
Russian APT actors have considerable cyber capabilities and are regarded to perform remarkably sophisticated attacks and keep a long-lasting presence in breached systems and cloud solutions, with first access, usually obtained utilizing legit credentials. Custom malware is frequently used on industrial control systems (ICS) and operational technology (OT) and the malware is utilized to exfiltrate sensitive information.
Every critical infrastructure entity was instructed to meticulously keep track of their networks and systems for indicators of malicious activity and take action to improve their cybersecurity defenses. Security experts were instructed to make and manage a cyber incident response program and adhere to cybersecurity guidelines for identity and access management.
Centralized log collection and tracking will make it simpler to check and discover dangers in a prompt way. Security groups must find network and host-based artifacts, examine authentication records for indications of a number of unsuccessful sign-in attempts throughout diverse accounts, and look at login failures making use of valid usernames. It is furthermore suggested to use security options capable of behavioral examination to distinguish suspicious system and account activity.
It is vital to employ network segmentation because this is going to help to control lateral movement inside breached networks and subnetworks in case the perimeter protection is compromised. Standard backups ought to be conducted, and backups must be tested to be sure data recovery is achievable. Backups ought to be saved offline and must not be accessible via the systems where the records are located.
In case of suspicious activity is discovered, impacted systems must be singled out from the system, backup information must be safeguarded by taking it off the internet, and information and artifacts must be compiled. If a cyberattack happens, critical infrastructure entities must consider having a third-party cybersecurity agency to support with response and recovery. Any attack must be reported to the FBI and CISA.
Though Russian APT actors have earlier concentrated their initiatives on attacks on government, utilities, and defense, there is a substantial danger of attacks on the medical care and pharmaceutical industries because of the COVID-19 outbreak. Russian state-sponsored APT actors still look for intellectual property linked to COVID-19 vaccines, research, testing and treatments, in addition to any clinical research information helping those areas.
The agencies have likewise given a reminder that the Department of State is having a Rewards for Justice Program, which gives a reward of around $10 million for information concerning international actors who are participating in malicious cyber activities, specifically cyberattacks versus U.S. critical infrastructure companies.