Canada and its allies in the Five Eyes intelligence co-operative have issued another warning to organizations in the critical infrastructure sectors to be prepared for cyberattacks from Russia as a response to governments helping Ukraine.
Similar to a warning issued in March, it says “evolving intelligence” indicates that the Russian government is exploring options for potential cyberattacks. Recent Russian state-sponsored cyber operations have included distributed denial-of-service (DDoS) attacks, and older operations have included deployment of destructive malware against Ukrainian government and critical infrastructure organizations.
The advisory — co-authored by U.S., Australian, Canadian, New Zealand, and U.K. cyber authorities with contributions from industry members of the Joint Cyber Defense Collaborative (JCDC)— provides an overview of Russian state-sponsored advanced persistent threat (APT) groups, Russian-aligned cyber threat groups, and Russian-aligned cybercrime groups to help the cybersecurity community protect against possible cyber threats.
The agencies urge critical infrastructure network defenders to prepare for and mitigate potential cyber threats — including destructive malware, ransomware, DDoS attacks, and cyber espionage — by hardening their cyber defenses and performing due diligence in identifying indicators of malicious activity. They provide a mitigations section of the advisory with recommended hardening actions.
The critical infrastructure sector includes financial institutions, energy providers, telecom providers, the healthcare sector, transportation companies, food growers and distributors, manufacturers and governments.
They are urged to
- create, maintain, and exercise a cyber incident response and continuity of operations plan including a ransomware-specific annex;
- maintain offline (i.e., physically disconnected) backups of data. “Backup procedures should be conducted on a frequent, regular basis,” says the alert. “Regularly test backup procedures and ensure that backups are isolated from network connections that could enable the spread of malware”;
- ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure.
- OT (operational technology) assets and networks — such as internet-connected industrial control systems — should have a resilience plan that addresses how to operate if organizations lose access to—or control of—the IT and/or OT environment.
There’s also a link to this version of the alert from the U.S. Cybersecurity and Infrastructure Security Agency with more detailed recommended mitigations for a cyber attack from any threat group, which is a great resource for IT professionals.
The lengthy warning also outlines the tactics of many Russian government and Russian-aligned criminal hacking groups.