{"id":20514,"date":"2022-01-12T20:38:28","date_gmt":"2022-01-12T20:38:28","guid":{"rendered":"https:\/\/www.esecurityplanet.com\/?p=20514"},"modified":"2022-01-14T00:49:25","modified_gmt":"2022-01-14T00:49:25","slug":"u-s-security-agencies-issue-russian-threat-alert","status":"publish","type":"post","link":"https:\/\/www.esecurityplanet.com\/threats\/u-s-security-agencies-issue-russian-threat-alert\/","title":{"rendered":"U.S. Security Agencies Warn About Russian Threat Gangs Amid Ukraine Tensions"},"content":{"rendered":"

U.S. federal security agencies are putting companies on alert to potential threats from Russian state-sponsored cybercriminal groups, warning in particular about dangers to critical infrastructure<\/a> and urging organizations to learn how to detect and protect against attacks.<\/p>\n

The joint cybersecurity advisory<\/a> issued Jan. 11 by the FBI, National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) comes as tensions rise between Russia, the United States and European countries over Russia\u2019s military activities related to Ukraine. The alert gives companies and agencies an overview of common tactics used by such Russia-based threat groups, lists of vulnerabilities<\/a> they\u2019ve been known to exploit and steps companies can take to detect, respond to and mitigate an attack.<\/p>\n

\u201cHistorically, Russian state-sponsored advanced persistent threat (APT)<\/a> actors have used common but effective tactics \u2013 including spearphishing<\/a>, brute force, and exploiting known vulnerabilities against accounts and networks with weak security \u2013 to gain initial access to target networks,\u201d the agencies wrote in the alert. \u201cRussian state-sponsored APT actors have also demonstrated sophisticated tradecraft and cyber capabilities by compromising third-party infrastructure, compromising third-party software, or developing and deploying custom malware<\/a>.\u201d<\/p>\n

In addition, such groups have shown they can \u201cmaintain persistent, undetected, long-term access in compromised environments \u2013 including cloud environments \u2013 by using legitimate credentials,\u201d they wrote. \u201cIn some cases, Russian state-sponsored cyber operations against critical infrastructure organizations have specifically targeted operational technology (OT)\/industrial control systems (ICS) networks with destructive malware.\u201d<\/p>\n

Also read: Critical Infrastructure Protection: Physical and Cyber Security Both Matter<\/a><\/p>\n

Russian Groups Behind High-Profile Attacks<\/strong><\/h2>\n

Russian-backed groups have been behind some of the most significant recent cyberattacks, including the SolarWinds breach (Nobelium) and the ransomware<\/a> attacks on Colonial Pipeline<\/a> (DarkSide) and global meat supplier JBS<\/a> (REvil).<\/p>\n

Government agencies and the Biden administration<\/a> also have taken steps to push back against Russia and the cybercriminal groups it\u2019s accused of supporting. President Biden in July called on Russian President Vladimir Putin to stem ransomware<\/a> and other cyberattacks from these gangs. In addition, the administration has taken other actions, from working with U.S. companies<\/a> on their security posture to putting bounties<\/a> on the more active and notorious threat actors.<\/p>\n

Despite all this, the threat of the Russian gangs continues to hang over the United States and is unlikely to disappear anytime soon, according to Erich Kron, security awareness<\/a> advocate at security training firm KnowBe4.<\/p>\n

\u201cTargeting critical infrastructure is nothing new,\u201d Kron told eSecurity Planet<\/em>. \u201cHowever, the increased attacks are certainly something to be concerned with, especially given the tensions between the U.S. and Russia over the Ukraine border crisis. Russia has very advanced cyber warfare skills which keep them hidden once a network is compromised, although ironically, the initial attack vectors are typically those of low-tech email phishing campaigns, taking advantage of people reusing already compromised passwords<\/a> or using easily guessed passwords.\u201d<\/p>\n

Also read: Best Password Managers & Tools<\/a><\/p>\n

Tactics and Responses<\/strong><\/h2>\n

In their alert, the agencies laid out a range of tactics used by the Russian-supported groups, including using large-scale scans to find vulnerable servers, compromising third-party software<\/a> (like SolarWinds\u2019 Orion software), password-guessing and password-spraying efforts and leveraging the credentials of existing accounts to ensure long-term and persistent access to compromised networks.<\/p>\n

In addition, the agencies also outlined a number of steps to detect and protect against such attacks. Detection is critical, given the APT actors\u2019 capabilities to maintain a long-term presence in compromised enterprise and cloud environments. They urged companies to implement strong and centralized log collection and retention programs<\/a> and\u00a0 look for behavioral evidence or network- and host-based artifacts related to known Russian ATP groups. This would include detecting password spray activity, checking authentication logs for system and application login failures of valid accounts, and detecting the use of compromised credentials.<\/p>\n

There also was a list of responses companies should take if they\u2019ve been compromised, including isolating affected systems and maintaining and securing backups<\/a>. For mitigation, the recommendations include being prepared for such an attack, creating and maintaining cyber incident responses and resiliency plans and enhancing the security posture with tools like identity and access management (IAM)<\/a> software and vulnerability<\/a> and configuration solutions.<\/p>\n

See also: Best Incident Response Tools and Software<\/a><\/p>\n

Know the Enemy<\/strong><\/h2>\n

The agencies also urged U.S. companies to become familiar with the tactics and targets of these ATP groups.<\/p>\n

\u201cIt\u2019s important to remind ourselves that critical infrastructure is more than just a phrase,\u201d Tim Erlin, vice president of strategy for cybersecurity firm Tripwire, told eSecurity Planet<\/em>. \u201cIt describes a vast cross-section of infrastructure on which our nation relies. Critical infrastructure really is critical.\u201d<\/p>\n

The agencies\u2019 alert contains both information about the threat and actionable information companies can use to protect themselves, such as the use of the MITRE ATT&CK framework<\/a> for identifying malicious activity and mapping mitigation actions, Erlin said. \u201cIdentifying the attack in progress is important, but preventing the attack from being successful at all is better,\u201d he said.<\/p>\n

Also read: Best Ransomware Removal and Recovery Services<\/a><\/p>\n

The Importance of Logs<\/strong><\/h2>\n

Rick Holland, CISO and vice president of strategy at cybersecurity vendor Digital Shadows, told eSecurity Planet<\/em> that a key message from the alert is the use of logs. When defending against any cybercriminal group, \u201cyou must have a security monitoring infrastructure that provides situational awareness to detect and respond to intrusions,” he said. “You must have sensors in place to capture malicious activity. You must also retain those logs for retroactive threat hunting as you develop and acquire new intelligence.\u201d<\/p>\n

It was also important for the alert to list the tactics used by the ATP groups, Holland said.<\/p>\n

\u201cAlthough these groups have sophisticated capabilities, [such as the] SolarWinds intrusion, they also rely on low-hanging fruit tactics and techniques,\u201d he said. \u201cWhile it isn’t sexy, effective security hygiene like patching known vulnerabilities on external services raises the advisory costs and makes their job harder. Don’t be a soft target.\u201d<\/p>\n

See also: Best SIEM Tools & Software<\/a><\/p>\n

Geopolitical Tensions<\/strong><\/h2>\n

Holland echoed KnowBe4\u2019s Kron regarding the threat of increased activity stemming from the tensions around Russia\u2019s activities with Ukraine. Should the conflict escalate, the Russian-supported bad actors could also increase their operations.<\/p>\n

\u201cCyberspace has become a key component of geopolitics,\u201d he said. \u201cRussian APT groups aren’t at the top of the threat model for all companies, unlike the critical infrastructure providers mentioned in the alert, but could end up being collateral damage.\u201d<\/p>\n

A Familiar Threat<\/strong><\/h2>\n

Some cybersecurity professionals said the agencies\u2019 security alert does little more than remind companies about the threat and to deliver information that they already should know.<\/p>\n

Tim Wade, technical director and CTO at cybersecurity firm Vectra, told eSecurity Planet<\/em> that he couldn\u2019t \u201crecall a time in my life when Russia\u00a0wasn\u2019t\u00a0aggressively probing western resolve, ranging from tactical incursions into air space to pulling strategic economic levers.\u00a0This activity is just a continuation of that long-standing tradition, and I read this advisory as another periodic reminder of the background radiation of global politics \u2013 if you\u2019re operating critical infrastructure and are under the impression that you aren\u2019t squarely in an operator\u2019s crosshairs, you\u2019re wrong.\u201d<\/p>\n

Tim Helming, security evangelist at threat intelligence company DomainTools, said the guidance in the alert is good, but that \u201cit\u2019s tempting to look at it as motherhood-and-apple-pie. The vast majority of owners and operators of critical infrastructure are well aware of the threats and are also cognizant of many of the fundamental steps toward hardening their assets against these threats. Many in the critical infrastructure community take an \u2018assume breach.\u2019\u201d<\/p>\n

Most companies and agencies already are using and improving the procedures and tools outlined in the alert, Helming told eSecurity Planet<\/em>. CISA, the FBI and NSA likely issued the alert in part \u201cbecause if they weren\u2019t on record doing so and a compromise were confirmed, it would have been a glaring gap. It also gives owners and operators facing resource constraints more support in their requests and it\u2019s important not to underestimate how important that can be.\u201d<\/p>\n

Further reading: Cybersecurity Outlook 2022: Third-Party, Ransomware and AI Attacks Will Get Worse<\/a><\/p>\n\n\n

\n \n\n \n\n
\n \n <\/path>\n <\/svg>\n <\/div>\n \n
\n
\n

\n Get the Free Cybersecurity Newsletter <\/h3>\n \n \n

\n Strengthen your organization's IT security defenses by keeping up to date on the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday <\/p>\n <\/div>\n\n

\n
\n \n Email Address\n <\/label>\n \n <\/div>\n\n
\n
\n \n \n By signing up to receive our newsletter, you agree to our Terms of Use and Privacy Policy. You can unsubscribe at any time. <\/label>\n <\/div>\n <\/div>\n \n