CISA, AHA Sound Alarm on Russian State-Sponsored Cyber Threats

CISA and AHA underscored the risk of Russian state-sponsored cyber threats to critical infrastructure.

The Cybersecurity and Infrastructure Security Agency (CISA) and authorities from Australia, the UK, New Zealand, and Canada released a new joint cybersecurity advisory regarding Russian state-sponsored cyber threats.

The advisory encouraged critical infrastructure entities to patch all systems, enforce multifactor authentication, and secure Remote Desktop Protocol (RDP) and other services.

The advisory serves as an update to CISA’s January advisory, which provided an overview of tactics, techniques, and procedures (TTPs) used by Russian state-sponsored actors. The latest advisory contains more information about specific Russian state-sponsored advanced persistent threat (APT) groups and Russian-aligned cybercrime groups.

“U.S., Australian, Canadian, New Zealand, and UK cybersecurity authorities urge critical infrastructure network defenders to prepare for and mitigate potential cyber threats—including destructive malware, ransomware, DDoS attacks, and cyber espionage—by hardening their cyber defenses and performing due diligence in identifying indicators of malicious activity. Refer to the Mitigations section of this advisory for recommended hardening actions,” the advisory stated.

The authorities have observed Russian state-sponsored actors leveraging malicious cyber tactics to compromise IT networks, exfiltrate data, and disrupt industrial control systems (ICS) via destructive malware.

Specifically, the advisory identified the following Russian government and military organizations, all of which have been tied to malicious cyber operations against IT or OT networks:

  • The Russian Federal Security Service (FSB), including FSB’s Center 16 and Center 18
  • Russian Foreign Intelligence Service (SVR)
  • Russian General Staff Main Intelligence Directorate (GRU), 85th Main Special Service Center (GTsSS)
  • GRU’s Main Center for Special Technologies (GTsST)
  • Russian Ministry of Defense, Central Scientific Institute of Chemistry and Mechanics (TsNIIKhM)

CISA and other authorities have observed the FSB conducting cyber operations against the energy sector, aviation organizations, and cybersecurity companies, among other targets. The KGB successor agency's activity, tracked in the security industry under the name BERSERK BEAR, has typically targeted critical infrastructure.

Meanwhile, the Russian Foreign Intelligence Service uses custom malware to target Windows and Linux systems. The advisory also identified numerous “Russian-aligned” cyber groups outside of state-sponsored cyber operations.

Two of the groups identified, MUMMY SPIDER and WIZARD SPIDER, have historically targeted healthcare organizations.

“This multi-agency, multi-nation advisory highlights what I refer to as the ‘Russian hybrid cyber threat’ — criminal hacking groups that are ideologically aligned with the Russian government or operating under their safe harbor,” John Riggi, national advisor for cybersecurity and risk at the American Hospital Association, stated in an accompanying advisory to the healthcare sector.

“These criminal groups may be poised to conduct disruptive or destructive cyberattacks targeting the Western critical infrastructure either independently or at the direction of the Russian government and military. This timely alert also provides an excellent summary of historical and current Russian cyber threats, along with actionable risk-mitigation measures.”

To combat these risks, CISA recommended that all critical infrastructure organizations provide end-user awareness training, secure risky systems, and implement cybersecurity best practices such as MFA and network segmentation.

“The alert should be brought to the attention of all leaders in your organization,” Riggi advised.

“Once again, this is a stark reminder that the Russian cyber threat is real and why it is so important to have robust multi-week business continuity plans, downtime procedures and multiple secure, immutable, off-line backups in place — among the many other recommendations in the alert.”
