H-ISAC TLP White Threat: CISA Releases Alert AA22-011A: Understanding and Mitigating Russian State-Sponsored Cyber Threats

The United States Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and the National Security Agency released a joint Cybersecurity Advisory, titled Understanding and Mitigating Russian State-Sponsored Cyber Threats to US Critical Infrastructure. The released TLP:WHITE report provides an overview of Russian state-sponsored cyber operations, commonly observed tactics, techniques, and procedures (TTPs), detection actions, incident response guidance, and mitigations. This advisory is being released to warn organizations of potential cyber threats from geopolitical actors.

CISA, the FBI, and NSA encourage the cybersecurity community, especially critical infrastructure network defenders, to adopt a heightened state of awareness and to conduct proactive threat hunting. Additionally, we strongly urge network defenders to implement the CSA’s recommendations and mitigations, which will 

help organizations improve their functional resilience by reducing the risk of compromise or severe business degradation. 

The Health-ISAC Threat Operations Center recommends recipients review the alert, and incorporate the intelligence and recommendations with their own internal security posture.

The full CSA, which can be accessed here, has additional technical details, analysis, and recommendations, which have been included in this alert.

Historically, Russian state-sponsored advanced persistent threat (APT) actors have used common but effective tactics, including spearphishing, brute force, and exploiting known vulnerabilities against accounts and networks with weak security, to gain initial access to target networks. Vulnerabilities known to be exploited by Russian state-sponsored APT actors for initial access include:

• CVE-2018-13379 FortiGate VPNs
• CVE-2019-1653 Cisco router
• CVE-2019-2725 Oracle WebLogic Server
• CVE-2019-7609 Kibana
• CVE-2019-9670 Zimbra software
• CVE-2019-10149 Exim Simple Mail Transfer Protocol
• CVE-2019-11510 Pulse Secure
• CVE-2019-19781 Citrix
• CVE-2020-0688 Microsoft Exchange
• CVE-2020-4006 VMWare (note: this was a zero-day at time.)
• CVE-2020-5902 F5 Big-IP
• CVE-2020-14882 Oracle WebLogic
• CVE-2021-26855 Microsoft Exchange (Note: this vulnerability is frequently observed used in conjunction with CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065)

Russian state-sponsored APT actors have also demonstrated sophisticated tradecraft and cyber capabilities by compromising third-party infrastructure, compromising third-party software, or developing and deploying custom malware. The actors have also demonstrated the ability to maintain persistent, undetected, long-term access in compromised environments, including cloud environments, by using legitimate credentials.

In some cases, Russian state-sponsored cyber operations against critical infrastructure organizations have specifically targeted operational technology (OT)/industrial control systems (ICS) networks 

with destructive malware. See the following advisories and alerts for information on historical Russian state-sponsored cyber-intrusion campaigns and customized malware that have targeted ICS:

• ICS Advisory ICS Focused Malware – Havex
• ICS Alert Ongoing Sophisticated Malware Campaign Compromising ICS (Update E)
• ICS Alert Cyber-Attack Against Ukrainian Critical Infrastructure
• Technical Alert CrashOverride Malware
• CISA MAR HatMan: Safety System Targeted Malware (Update B)
• CISA ICS Advisory Schneider Electric Triconex Tricon (Update B)

Russian state-sponsored APT actors have used sophisticated cyber capabilities to target a variety of U.S. and international critical infrastructure organizations, including those in the Defense Industrial Base as well as the Healthcare and Public Health, Energy, Telecommunications, and Government Facilities Sectors. High-profile cyber activity publicly attributed to Russian state-sponsored APT actors by U.S. government reporting and legal actions include:

• Russian state-sponsored APT actors targeting state, local, tribal, and territorial (SLTT) governments and aviation networks, September 2020, through at least December 2020. Russian state-sponsored APT actors targeted dozens of SLTT government and aviation networks. The actors successfully compromised networks and exfiltrated data from multiple victims.
• Russian state-sponsored APT actors’ global Energy Sector intrusion campaign, 2011 to 2018. These Russian state-sponsored APT actors conducted a multi-stage intrusion campaign in which they gained remote access to U.S. and international Energy Sector networks, deployed ICS-focused malware, and collected and exfiltrated enterprise and ICS-related data.

Russian state-sponsored APT actors’ campaign against Ukrainian critical infrastructure, 2015 and 2016. Russian state-sponsored APT actors conducted a cyberattack against Ukrainian energy distribution companies, leading to multiple companies experiencing unplanned power outages in December 2015. The actors deployed BlackEnergy malware to steal user credentials and used its destructive malware component, KillDisk, to make infected computers inoperable. In 2016, these actors conducted a cyber-intrusion campaign 

• against a Ukrainian electrical transmission company and deployed CrashOverride malware specifically designed to attack power grids.

For more information on recent and historical Russian state-sponsored malicious cyber activity, see the referenced products below or by visiting cisa.gov/Russia.

• Joint FBI-DHS-CISA CSA Russian Foreign Intelligence Service (SVR) Cyber Operations: Trends and Best Practices for Network Defenders
• Joint NSA-FBI-CISA CSA Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments
• Joint FBI-CISA CSA Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets
• Joint CISA-FBI CSA APT Actors Chaining Vulnerabilities against SLTT, Critical Infrastructure, and Elections Organizations
• CISA’s webpage Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise
• CISA Alert Russian Government Cyber Activity Targeting Energy Sector and Other Critical Infrastructure Sectors 

CISA ICS Alert: Cyber-Attack Against Ukrainian Critical Infrastructure

View the entire document below.