U.S., allies provide 'comprehensive' look at Russia cyber threats to critical infrastructure

U.S and international authorities on Wednesday issued a joint alert warning state-backed Russian hackers and criminal groups remain a top threat to critical infrastructure worldwide.

The Cybersecurity and Infrastructure Security Agency (CISA) described the public alert as the “most comprehensive view of the cyber threat posed by Russia to critical infrastructure released by government cyber experts since the invasion of Ukraine in February.”

It comes just a week after a similar warning that unnamed hackers had developed tools designed to "gain full system access" to industrial control networks. That malware was discovered before it was used.

“We know that malicious cyber activity is part of the Russian playbook. We also know that the Russian government is exploring options for potential cyberattacks against U.S. critical infrastructure,” CISA Director Jen Easterly said in a statement.

Her organization has waged a “shields up” campaign to warn network administrators everywhere to be on guard for suspicious activity that could disrupt business or government operations.

The latest advisory “reinforces the demonstrated threat and capability of Russian state-sponsored and Russian aligned cyber-criminal groups to our Homeland,” Easterly added.

The alert from CISA, the FBI, the National Security Agency and the top cyber authorities in Australia, Canada, New Zealand and the United Kingdom details the techniques used by various Russian government and military organizations and criminal hackers and how to best guard against them.

The list of state-aligned actors includes the Russian Main Intelligence Directorate, or GRU, which the Biden administration in February blamed for distributed denial of service (DDoS) attacks against several Ukraine government websites in the lead up to Moscow’s invasion. Earlier this month the Justice Department announced the U.S. had disrupted a global botnet of thousands of infected devices allegedly controlled by the intelligence arm of the Russian military.

The advisory identifies specific GRU units responsible for the online attacks, including the 85th Main Special Service Center, military unit 26165. That entity is linked to another hacking group, APT28, aka "Fancy Bear," which the U.S. blamed for breaking into the Democratic National Committee in 2016.

It also cites the GRU’s Main Center of Special Technologies, known more commonly as Sandworm. The military unit has gained international notoriety as one of Russia’s most prolific hacking groups and has been implicated in the 2016 DNC hack, repeated hacks of the Ukrainian power grid, the 2018 Winter Olympics breach and the devastating NotPetya malware outbreak. 

In addition to groups backed by Moscow, the alert provides a who’s who of Russian-aligned digital threat groups and cybercriminal organizations.

Among the offenders is Venomous Bear, also known as Turla. The group has become known for waging stealthy cyberespionage attacks on high-level targets like governmental services and strategic industries with malware tools of its own design.

The advisory also name-checks TA542, also known as Mummy Spider and by other monikers, a criminal hacking group that has distributed the Emotet malware.

Authorities also offered a lengthy list of mitigation steps organizations should take to better defend their networks and government resources entities could take advantage of should they come under digital assault.

“Threats to critical infrastructure remain very real,” Rob Joyce, NSA cybersecurity director, said in a statement. “The Russia situation means you must invest and take action.”