With the U.S. and Russia eyeing each other over Ukraine this week, American cybersecurity authorities have issued a guide to managing Russian state-sponsored cyber threats to U.S. critical infrastructure.
The joint advisory released Tuesday by the Cybersecurity and Infrastructure Security Agency (CISA), the FBI and the National Security Agency (NSA) is part of their “continuing cybersecurity mission to warn organizations of cyber threats and help the cybersecurity community reduce the risk presented by these threats.”
But — perhaps coincidentally — it also came the day after the U.S. and Russia held eight hours of fruitless talks on Moscow’s buildup of troops on its border with Ukraine and the Russian demand that Ukraine not be admitted into NATO. Reuters says Russia has repeatedly said it has no intention of attacking Ukraine.
Russian officials will also meet Wednesday with NATO in Brussels and Thursday with the Organisation for Security and Cooperation in Europe (OSCE) in Vienna.
In its guide, the American authorities give an overview of Russian state-sponsored cyber operations, commonly observed tactics, techniques, and procedures (TTPs), detection actions, incident response guidance, and mitigations.
“The CISA, the FBI, and NSA encourage the cybersecurity community — especially critical infrastructure network defenders — to adopt a heightened state of awareness and to conduct proactive threat hunting,” it says.
Private-sector-controlled critical infrastructure includes the financial, transportation, water and power utility, healthcare and food sectors.
The report lists a number of vulnerabilities Russian state-sponsored threat actors have recently exploited (for example, in Microsoft Exchange, Fortinet FortiGate VPNs, Citrix, Oracle WebLogic and other products). U.S. authorities blame the compromise of the SolarWinds Orion software update mechanism, one of the biggest supply chain attacks in history, on a Russia-based group dubbed Nobelium.
Tuesday’s report says Russian-backed threat groups use common but effective tactics—including spearphishing, brute force, and exploiting vulnerabilities. “Russian state-sponsored APT actors have also demonstrated sophisticated tradecraft and cyber capabilities by compromising third-party infrastructure, compromising third-party software, or developing and deploying custom malware. The actors have also demonstrated the ability to maintain persistent, undetected, long-term access in compromised environments—including cloud environments—by using legitimate credentials,” the report says.
In some cases, the report adds, Russian state-sponsored cyber operations against critical infrastructure organizations have specifically targeted operational technology (OT)/industrial control systems (ICS) networks with destructive malware.
But when it comes to fighting back, the report advises measures that apply against any threat actor: apply best practices for identity and access management, protective controls and architecture, and vulnerability and configuration management. Specifically, it recommends:
- creating, maintaining, and exercising a cyber incident response and continuity of operations plan;
- ensuring backup data is offline and secure;
- having a resilience plan that addresses how to operate if you lose access to—or control of—the IT and/or OT (operational technology) environments;
- regularly testing manual controls so that critical functions can be kept running if industrial control systems (ICS) or OT networks need to be taken offline;
- requiring multi-factor authentication for all users, without exception, and enforcing the principle of least privilege (allow access to sensitive data or devices to only those who need it);
- identifying, detecting and investigating abnormal activity that may indicate lateral movement by a threat actor or malware;
- segmenting IT and OT networks;
- implementing rigorous configuration management programs;
- disabling all unnecessary ports and protocols.
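Two of the behaviours the report describes, brute-forced logons and an actor moving between hosts on legitimate credentials, leave a recognizable trace in authentication logs. The script below is an added example written for this article; it is not code from the CISA/FBI/NSA advisory or from any vendor. The log format (comma-separated timestamp, account, source, destination, outcome), the event lines and the thresholds (four hosts in ten minutes, five failures in five minutes) are all constructed for illustration; a real deployment would read Windows 4624/4625 events or an equivalent and tune the thresholds to the environment.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, "timestamp,user,source,destination,outcome".
# Loosely modelled on Windows network-logon success/failure events; it is
# made up for this example and not taken from any real environment.
SAMPLE_LOG = """\
2022-01-11T09:00:05,alice,ws-alice,fileserver1,success
2022-01-11T09:01:10,bob,ws-bob,fileserver1,success
2022-01-11T09:02:00,svc_backup,ws-alice,hist-01,success
2022-01-11T09:02:40,svc_backup,ws-alice,hist-02,success
2022-01-11T09:03:15,svc_backup,ws-alice,hist-03,success
2022-01-11T09:03:50,svc_backup,ws-alice,eng-ws-07,success
2022-01-11T09:04:30,svc_backup,ws-alice,dc01,success
2022-01-11T09:10:00,admin,10.0.0.5,dc01,failure
2022-01-11T09:10:02,admin,10.0.0.5,dc01,failure
2022-01-11T09:10:04,admin,10.0.0.5,dc01,failure
2022-01-11T09:10:06,admin,10.0.0.5,dc01,failure
2022-01-11T09:10:08,admin,10.0.0.5,dc01,failure
2022-01-11T09:10:10,admin,10.0.0.5,dc01,success
2022-01-11T11:30:00,bob,ws-bob,printsrv,failure
2022-01-11T11:30:20,bob,ws-bob,printsrv,success
"""


def parse_log(text):
    """Parse the constructed format into dicts sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, src, dst, outcome = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "src": src, "dst": dst, "outcome": outcome})
    events.sort(key=lambda e: e["ts"])
    return events


def detect_lateral_movement(events, window=timedelta(minutes=10), min_hosts=4):
    """Flag an account that successfully logs on to at least min_hosts distinct
    destinations inside a sliding time window. Fan-out like this, especially
    from a workstation, is the trace left by an actor moving on stolen but
    otherwise valid credentials (the thresholds are assumptions)."""
    per_user = defaultdict(list)
    for e in events:
        if e["outcome"] == "success":
            per_user[e["user"]].append(e)
    findings = []
    for user, evs in per_user.items():
        recent = deque()          # successes inside the current window
        flagged_hosts = set()
        start = end = None
        for e in evs:
            recent.append(e)
            while e["ts"] - recent[0]["ts"] > window:
                recent.popleft()
            hosts = {r["dst"] for r in recent}
            if len(hosts) >= min_hosts:
                if not flagged_hosts:
                    start = recent[0]["ts"]
                flagged_hosts |= hosts
                end = e["ts"]
        if flagged_hosts:
            findings.append({"user": user, "hosts": sorted(flagged_hosts),
                             "start": start, "end": end})
    return findings


def detect_brute_force(events, window=timedelta(minutes=5), min_failures=5):
    """Flag a successful logon preceded by at least min_failures failures for
    the same account from the same source inside the window: guessing that
    finally worked. The success is what makes this worth a case, not the
    failures alone."""
    failures = defaultdict(deque)   # (user, source) -> failure timestamps
    findings = []
    for e in events:
        q = failures[(e["user"], e["src"])]
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if e["outcome"] == "failure":
            q.append(e["ts"])
        elif len(q) >= min_failures:
            findings.append({"user": e["user"], "src": e["src"], "dst": e["dst"],
                             "failures": len(q), "at": e["ts"]})
            q.clear()
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for f in detect_lateral_movement(evs):
        print("lateral movement:", f)
    for f in detect_brute_force(evs):
        print("brute force:", f)
```

On the sample data the first detector flags `svc_backup` reaching five hosts from one workstation in under three minutes, and the second flags `admin` succeeding from 10.0.0.5 after five failures; `bob`'s single typo before a successful logon is correctly ignored. Both detectors only see what is logged, so they depend on the event collection and log management the advisory's mitigations call for.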
“There is good guidance here from the agencies,” said Tim Helming, security evangelist at DomainTools, “though it’s tempting to look at it as motherhood-and-apple-pie: the vast majority of owners and operators of critical infrastructure are well aware of the threats, and are also cognizant of many of the fundamental steps toward hardening their assets against these threats. Many in the critical infrastructure community take an ‘assume breach’ posture already, based on what we know about the capabilities of these actors. Procedures and tools to improve asset visibility and vulnerability management, identity and access management, log management, ingress and egress filtering, anomaly detection, and behavioral analytics are all recognized as fundamental necessities, and it’s safe to say are being actively improved, to a greater or lesser extent, in the majority of installations.”
“So why did CISA et al issue the advisory? In part, because if they weren’t on record doing so and a compromise were confirmed, it would have been a glaring gap. It also gives owners and operators facing resource constraints more support in their requests, and it’s important not to underestimate how important that can be.”