H-ISAC TLP White UPDATE: AA22-011A: Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure

TLP White

Update release date: February 11, 2022

Today, February 11, 2022, we are observing increasing tensions and rhetoric between Russia and Ukraine. 

There are continued reports of a Russian military build-up on the border with Ukraine, indicating potential for significant military action against Ukraine. The security conditions, particularly along Ukraine's borders, in Russia-occupied Crimea, and in Russia-controlled eastern Ukraine, are unpredictable and can deteriorate with little notice.

The US State Department issued a Level 4: Do Not Travel Advisory for Ukraine urging Americans to leave the country immediately due to increased threats of Russian military action. 

Israel issued a travel warning and is evacuating Ukraine embassy staff and diplomats' families, according to reporting in The Times of Israel.

The Netherlands advised Dutch citizens to leave Ukraine as soon as possible due to the security situation. BNB News reported The Netherlands will move its diplomatic post from Kyiv to Lviv in western Ukraine. 

In response, Health-ISAC urges members to review the advisory and follow the recommendations provided.  

Health-ISAC will continue to monitor the situation. If the situation escalates, a session for membership will be hosted to continue the conversation. 

Original release date: January 11, 2022

Actions Critical Infrastructure Organizations Should Implement to Immediately Strengthen Their Cyber Posture

Note: this advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework, version 10. See the ATT&CK for Enterprise for all referenced threat actor tactics and techniques.

This joint Cybersecurity Advisory (CSA)—authored by the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and National Security Agency (NSA)—is part of our continuing cybersecurity mission to warn organizations of cyber threats and help the cybersecurity community reduce the risk presented by these threats. This CSA provides an overview of Russian state-sponsored cyber operations; commonly observed tactics, techniques, and procedures (TTPs); detection actions; incident response guidance; and mitigations.

CISA, the FBI, and NSA encourage the cybersecurity community—especially critical infrastructure network defenders—to adopt a heightened state of awareness and to conduct proactive threat hunting, as outlined in the Detection section. Additionally, CISA, the FBI, and NSA strongly urge network defenders to implement the recommendations listed below and detailed in the Mitigations section. These mitigations will help organizations improve their functional resilience by reducing the risk of compromise or severe business degradation. 

  1. Be prepared. Confirm reporting processes and minimize personnel gaps in IT/OT security coverage. Create, maintain, and exercise a cyber incident response plan, resilience plan, and continuity of operations plan so that critical functions and operations can be kept running if technology systems are disrupted or need to be taken offline.
  2. Enhance your organization’s cyber posture. Follow best practices for identity and access management, protective controls and architecture, and vulnerability and configuration management.
  3. Increase organizational vigilance. Stay current on reporting on this threat. Subscribe to CISA’s mailing list and feeds to receive notifications when CISA releases information about a security topic or threat.

CISA, the FBI, and NSA encourage critical infrastructure organization leaders to review CISA Insights: Preparing for and Mitigating Cyber Threats for information on reducing cyber threats to their organization.


For help with Cybersecurity and Risk Advisory Services exclusively for AHA members, contact:

John Riggi

National Advisor for Cybersecurity and Risk, AHA

jriggi@aha.org

(O) +1 202 626 2272