US warns of Russian state-sponsored attacks on critical infrastructure
Less than one day after Russia and the US held bilateral talks over the deployment of troops near Ukraine, US intelligence and law enforcement agencies issued a warning to critical infrastructure operators about threats from Russian state-sponsored hackers.
The alert, jointly authored by the Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigation, and the National Security Agency, disclosed commonly observed tactics, techniques, and procedures (TTPs) used by the threat actors, as well as guidance on incident response and mitigation.
“CISA, the FBI, and NSA encourage the cybersecurity community—especially critical infrastructure network defenders—to adopt a heightened state of awareness and to conduct proactive threat hunting,” the report reads.
Logging is key! With Russian focus on persistent access to compromised networks, you need robust logs and focused effort to hunt, find, and kick them out. https://t.co/hDznXvZCqu
— Rob Joyce (@NSA_CSDirector) January 11, 2022
The advisory warned against “common but effective tactics” used to gain initial access to victim networks, including spearphishing, brute force attacks, and exploiting known vulnerabilities. In the past, Russian state-sponsored actors have used the following vulnerabilities to gain access to targeted systems:
- CVE-2018-13379 FortiGate VPNs
- CVE-2019-1653 Cisco router
- CVE-2019-2725 Oracle WebLogic Server
- CVE-2019-7609 Kibana
- CVE-2019-9670 Zimbra software
- CVE-2019-10149 Exim Simple Mail Transfer Protocol
- CVE-2019-11510 Pulse Secure
- CVE-2019-19781 Citrix
- CVE-2020-0688 Microsoft Exchange
- CVE-2020-4006 VMware
- CVE-2020-5902 F5 BIG-IP
- CVE-2020-14882 Oracle WebLogic
- CVE-2021-26855 Microsoft Exchange
But the alert also cautioned that actors have demonstrated “sophisticated tradecraft and cyber capabilities” by launching attacks using compromised third-party infrastructure and software, or deploying custom malware.
The agencies have issued a number of reports and advisories related to Russia-linked hacks in recent years, and the guidance issued Tuesday will likely be read by cybersecurity professionals as a warning to be on the lookout for certain malicious behavior. It references previous attacks, including Russian state-sponsored actors targeting state, local, tribal, and territorial government networks in 2020, energy sector intrusions between 2011 and 2018, and a widely reported campaign against Ukrainian critical infrastructure in 2015 and 2016.
In that last incident, Russian-linked hackers attacked Ukrainian energy companies leading to broad power outages. The attacks used malware to make computers inoperable and disrupt power grids.
As the conflict between Ukraine and Russia continues to escalate, the US and Britain in recent weeks sent cyberwarfare experts to Ukraine to better prepare the country for attacks on the electric grid and other critical infrastructure components, The New York Times reported.
Adam Janofsky is the founding editor-in-chief of The Record from Recorded Future News. He previously was the cybersecurity and privacy reporter for Protocol, and prior to that covered cybersecurity, AI, and other emerging technology for The Wall Street Journal.