The Five Eyes nations’ cybersecurity agencies this week urged critical infrastructure to be ready for attacks by crews backed by or sympathetic to the Kremlin amid strong Western opposition to Russia’s invasion of Ukraine.
The joint alert, issued by cybersecurity authorities in the US, UK, Australia, Canada and New Zealand, provides technical details on more than a dozen Russian state-sponsored hacking groups and Russia-aligned cybercrime gangs.
The missive urges critical infrastructure organizations to take immediate actions to protect against cyberattacks from these foes. These steps include patching known exploited vulnerabilities, updating software, enforcing multi-factor authentication, securing and monitoring remote desktop protocol (RDP) and other “potentially risky” services, and providing end-user security awareness and training.
(If this action is truly surprising to critical infrastructure operators, we’re screwed.)
“Given recent intelligence indicating that the Russian government is exploring options for potential cyberattacks against US critical infrastructure, CISA along with our interagency and international partners are putting out this advisory to highlight the demonstrated threat and capability of Russian state-sponsored and Russian aligned cybercrime groups,” CISA Director Jen Easterly said in a statement.
The cybersecurity alert comes as Russian forces intensified their attacks against Ukraine along the eastern front, and the international community stepped up its support for the invaded nation while cracking down on Moscow. On Wednesday, Russia claimed it successfully tested an intercontinental ballistic missile that President Vladimir Putin said should encourage Russia’s adversaries to “think twice.”
The security notice also follows about a week after CISA, along with the US Department of Energy, National Security Agency, and FBI warned that cybercriminals have created custom tools to control a range of industrial control system and supervisory control and data acquisition devices.
While the Five Eyes’ joint security alert doesn’t provide details about specific threats to critical infrastructure, the amount of technical details on state-sponsored and sympathetic criminal organizations is not to be ignored.
It notes that Russian state-sponsored attackers have already shown they can compromise and maintain persistence in IT networks (remember SolarWinds?), steal sensitive data from both IT and operational technology (OT) networks, and deploy destructive malware.
Some recent examples include BlackEnergy and NotPetya, which Russia used against Ukrainian government and critical infrastructure organizations.
Russian goverment orgs lead the charge
Tthe state-sponsored groups carrying out these attacks includes a laundry list of Russian government and military organizations:
- The Russian Federal Security Service (FSB), including FSB’s Center 16 and Center 18
- Russian Foreign Intelligence Service (SVR)
- Russian General Staff Main Intelligence Directorate (GRU), 85th Main Special Service Center (GTsSS)
- GRU’s Main Center for Special Technologies (GTsST)
- Russian Ministry of Defense, Central Scientific Institute of Chemistry and Mechanics (TsNIIKhM)
It’s worth noting that in late March, the FBI issued a warning about TsNIIKhM. This security alert said the Russian government-backed research institution, which deployed Triton malware against a Middle East–based petrochemical plant’s safety instrumented system in 2017, continues to use Triton malware and remains a threat to the global energy sector.
Also recently GTsST, aka Sandworm, has been increasing its nefarious cyber activities. In early April the US Justice Department revealed details of a court-authorized take-down of command-and-control systems the Sandworm cyber-crime ring used to direct network devices infected by its Cyclops Blink malware.
Ransomware gangs join in
In addition to Russian government agencies looking to attack critical infrastructure, the US and its allies warn that several Russian cybercrime groups pose a threat to these same foreign targets. These miscreants are usually more financially motivated than their government counterparts, and tend to exploit software and human vulnerabilities to steal money (by obtaining bank login credentials) or extort money (via ransomware) from their victims.
However, they still pose a threat, through ransomware and DDoS attacks against websites, that’s directly related to the war in Ukraine, the Five Eyes warn.
These groups include the CoomingProject, Killnet, Mummy Spider, Salty Spider, Scully Spider, Smokey Spider, Wizard Spider and the Xaknet Team. Some of them have publicly pledged to support Mother Russia and threatened to conduct cyberattacks against anyone that attacks Russia — or supports Ukraine.
Mummy Spider is the gang that developed and operates the Emotet botnet, which, according to new Kasperspy research, is increasing its nefarious activities these days.
And Wizard Spider is the group that developed Trickbot and Coni ransomware. Despite famously suffering a massive data leak of its own source code and other internal files, Conti remains active, according to a March alert from the Feds. This group has also deployed ransomware against US healthcare and first responder networks [PDF].
DHHS issues Hive ransomware warning
And while it’s not on the Five Eye’s most-wanted list, it’s worth noting that the US Department of Health and Human Services also this week warned [PDF] hospitals and other health-sector operations to be on high alert for Hive ransomware attacks.
“Prevention is always the optimal approach,” in defending against Hive or other ransomware, the department noted. It advised using multi-factor authentication, strong passwords — especially for RDP, VPNs and other remote-access services — and securely backing up data, starting with the most critical information first. ®