Russia backed hackers exploited vulnerabilities in Cisco, Microsoft, Oracle and VMware equipment in attacks against “dozens” of state, local, tribal, and territorial governments and aviation networks from September, 2020 to at least December, 2020, the Cybersecurity and Infrastructure Security Agency (CISA) said in a recent advisory.
CISA said Kremlin-sponsored advanced persistent threat (APT) hackers “successfully compromised networks and exfiltrated data from multiple victims” at the local government levels. The nation's cyber central also said that from 2011 to 2018 Russian actors executed a “multi-stage intrusion campaign” in which they gained remote access to international energy sector networks.
Along those lines, Russian cyber operatives are believed to have architected a number of high profile cyber attacks on U.S. critical infrastructure and executed the SolarWinds operation, and the Kaseya and JBS offensives. Russia-linked hackers are also suspected of repeated cyber forays targeting members of Parliaments, government officials, politicians, the press, schools and other entities in the European Union.
“Russian state-sponsored APT actors have used sophisticated cyber capabilities to target a variety of U.S. and international critical infrastructure organizations, including those in the Defense Industrial Base as well as the Healthcare and Public Health, Energy, Telecommunications, and Government Facilities Sectors,” CISA said.
The CISA bulletin, issued jointly with the Federal Bureau of Investigation (FBI) and the National Security Agency (NSA), urges organizations, particularly critical infrastructure owners and operators, to “adopt a heightened state of awareness, conduct proactive threat hunting, and implement the mitigations” identified by CISA.
As for the alert, CISA intends it to provide an overview of:
- Russian state-sponsored cyber operations.
- Tactics, techniques, and procedures (TTPs).
- Detection actions.
- Incident response guidance.
CISA, the FBI, and the NSA also released a list of 13 vulnerabilities that Russian state-sponsored groups have used to gain initial network access.
Of particular note, on incident response, CISA recommends organizations engage with MSSPs for subject matter expertise, make sure the actor is “eradicated” from the network and ensure that the network is locked down.
Here’s a sampling of CISA’s recommended actions for all critical infrastructure operations. You can find a complete list here:
- Implement robust log collection and retention. Without a centralized log collection and monitoring capability, organizations have limited ability to investigate incidents or detect the threat actor behavior
- Immediately isolate affected systems.
- Secure backups. Ensure your backup data is offline and secure. If possible, scan your backup data with an antivirus program to ensure it is free of malware.
- Collect and review relevant logs, data, and artifacts.
- Be prepared. Create, maintain, and exercise a cyber incident response plan, resilience plan, and continuity of operations plan.
- Enhance your organization’s cyber posture. Follow best practices for identity and access management, protective controls and architecture, and vulnerability and configuration management.
- Increase organizational vigilance. Stay current on reporting on this threat.