New advice has been issued by the U.S. Cybersecurity & Infrastructure Security Agency (CISA), the FBI, and the National Security Agency (NSA) on countering Russian state-sponsored cyber threats to critical national infrastructure. The joint advisory encourages those responsible for critical infrastructure networks to remain vigilant against Russian-backed hacking groups; it “provides an overview of Russian state-sponsored cyber operations” and their tools, with the stated aim of helping “the cybersecurity community reduce the risk presented by these threats.”
The full advisory on CISA’s website contains far more detail than this summary and is well worth reading.
CISA, the FBI, and NSA encourage the entire cybersecurity community, and especially those in charge of defending critical infrastructure, to adopt a heightened state of awareness and to conduct proactive threat hunting. The advisory supplies concrete guidance on both.
Additionally, the organizations strongly urge network defenders to implement the recommendations listed below. Each is covered in more detail in the Mitigations section of the advisory.
- Be prepared. Confirm reporting processes and minimize personnel gaps in IT/OT security coverage. Create, maintain, and exercise a cyber incident response plan, resilience plan, and continuity of operations plan so that critical functions and operations can be kept running if technology systems are disrupted or need to be taken offline.
- Enhance your organization’s cyber posture. Follow best practices for identity and access management, protective controls and architecture, and vulnerability and configuration management.
- Increase organizational vigilance. Stay current on reporting about this threat. You can subscribe to CISA’s mailing list to receive notifications when CISA releases information about this or any other security topic or threat.
Historically, Russian state-sponsored threat actors have been highly capable. They are known to use common tactics such as spearphishing, brute-force attacks, and exploitation of well-known vulnerabilities, with significant success. The advisory includes a lengthy list of CVE numbers that these state-sponsored groups have been known to exploit. Products on the list include F5 BIG-IP, Microsoft Exchange, VMware, Oracle WebLogic, and Pulse Secure.
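As an added example, not part of the original post or of the advisory itself, here is a small Python hunt of the kind the “proactive threat hunting” recommendation calls for. It parses SSH authentication log lines and flags password brute-forcing, one of the tactics named above: a burst of failed logins from a single source inside a sliding time window, and, as the higher-priority finding, a successful login from a source that was just failing. The log lines, host name, IP addresses, user names, year, window and threshold are all constructed for illustration; only the OpenSSH log format is real.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in OpenSSH auth-log format (illustrative, not real traffic).
SAMPLE_LOG = """\
Jan 12 03:14:01 bastion sshd[2231]: Failed password for invalid user admin from 203.0.113.45 port 50122 ssh2
Jan 12 03:14:03 bastion sshd[2233]: Failed password for invalid user admin from 203.0.113.45 port 50124 ssh2
Jan 12 03:14:05 bastion sshd[2235]: Failed password for root from 203.0.113.45 port 50126 ssh2
Jan 12 03:14:08 bastion sshd[2237]: Failed password for invalid user oracle from 203.0.113.45 port 50130 ssh2
Jan 12 03:14:10 bastion sshd[2239]: Failed password for invalid user test from 203.0.113.45 port 50132 ssh2
Jan 12 03:14:12 bastion sshd[2241]: Accepted password for ops from 203.0.113.45 port 50134 ssh2
Jan 12 03:20:00 bastion sshd[2260]: Failed password for alice from 198.51.100.7 port 41000 ssh2
Jan 12 03:45:00 bastion sshd[2290]: Failed password for alice from 198.51.100.7 port 41002 ssh2
"""

# Matches the "Failed password" / "Accepted password" lines sshd writes on password auth.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_auth_log(text, year=2022):
    """Turn raw log text into a list of auth events. Syslog timestamps carry no
    year, so one is assumed (constructed default) to make them comparable."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated sshd line, or not a password-auth event
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        events.append({"ts": ts, "ok": m["outcome"] == "Accepted",
                       "user": m["user"], "ip": m["ip"]})
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Per source IP, keep failures inside a sliding window. Emit a 'burst'
    finding once failures reach the threshold, and a 'success_after_failures'
    finding when a login succeeds while recent failures are still in the window.
    Failures spread out more widely than the window never accumulate."""
    findings = []
    by_ip = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_ip[ev["ip"]].append(ev)

    for ip, evs in by_ip.items():
        recent_failures = []   # timestamps of failures still inside the window
        users_tried = set()    # distinct accounts guessed from this source
        alerted = False        # one burst finding per source is enough
        for ev in evs:
            recent_failures = [t for t in recent_failures if ev["ts"] - t <= window]
            if not ev["ok"]:
                recent_failures.append(ev["ts"])
                users_tried.add(ev["user"])
                if len(recent_failures) >= threshold and not alerted:
                    findings.append({"ip": ip, "kind": "burst", "at": ev["ts"],
                                     "failures": len(recent_failures),
                                     "users": sorted(users_tried)})
                    alerted = True
            elif recent_failures:
                # A success right after a run of failures is the signal to triage first:
                # it may mean a guessed password, not just noise.
                findings.append({"ip": ip, "kind": "success_after_failures",
                                 "at": ev["ts"], "failures": len(recent_failures),
                                 "user": ev["user"]})
    return findings


if __name__ == "__main__":
    for f in detect_bruteforce(parse_auth_log(SAMPLE_LOG)):
        print(f)
```

On the sample data the first source produces a burst finding across four guessed accounts and then a success_after_failures finding for the user that finally logged in, while the second source, whose two failures are 25 minutes apart, produces nothing because the window expires between them. In a real hunt the same logic would be fed from a SIEM query rather than a string, and the threshold and window tuned to the host’s normal failure rate.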