In a show of international cooperation, the Five Eyes (United States, Australia, Canada, New Zealand, and United Kingdom) issued an alert giving a “comprehensive overview of Russian state-sponsored and cyber criminal threats to critical infrastructure.” The alert also includes remediation guidance, which CISOs will find of particular import.
Alert AA22-110A – Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure, provides details on the cyber operations attributable to Russian state actors, including the Russian Federal Security Service (FSB), Russian Foreign Intelligence Service (SVR), Russian General Staff Main Intelligence Directorate (GRU), and Russian Ministry of Defense, Central Scientific Institute of Chemistry and Mechanics (TsNIIKhM).
The alert also identifies cyber criminal organisations, including some which have expressed fealty to the Russian Federation, that have pledged to conduct cyber operations against entities that are providing support to Ukraine.
Thus, a company’s position on Russia’s invasion of Ukraine very well may place said company in the target sights of Russian state actors or their cyber criminal cronies.
Need to invest in cyber security
It cannot be overstated that investment in cyber security is a must. “Threats to critical infrastructure remain very real," said Rob Joyce, NSA Cybersecurity Director. "The Russia situation means you must invest and take action.”
The four areas of immediate concern that infosec teams should be addressing will not be alien to any entity with a modicum of cyber security acumen:
- Prioritise patching of known exploited vulnerabilities
- Enforce multi-factor authentication
- Monitor remote desktop protocol (RDP)
- Provide end-user awareness and training
The fact that the alert leads with these four items, which many would consider “Cyber security 101,” suggests that many entities are devoid of such acumen.
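The third item, “monitor RDP,” is the one of the four that turns into detection logic rather than policy. The following is an added example, not code from the alert or from CISA: it takes Windows Security events that have already been exported to a one-line key=value format (a hypothetical export format; real pipelines read EVTX or query a SIEM) and flags three things a team watching RDP wants to know about: successful RemoteInteractive logons (event 4624, logon type 10) from addresses outside an allow-list of internal ranges, sources with a burst of failed logons (event 4625), and, the case that matters most, a successful RDP logon from a source that had just been brute-forcing. The log lines, host names, users and addresses are constructed for the example.

```python
"""Added example: triage exported Windows Security events for exposed or brute-forced RDP.

Event IDs and logon types follow the Windows Security log: 4624 = successful logon,
4625 = failed logon, logon type 10 = RemoteInteractive (RDP), logon type 3 = Network
(what RDP with NLA records for a failed credential check). The key=value line format
is an assumption for the example, not a Windows or CISA format.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, not real telemetry.
SAMPLE_LOG = """\
2022-04-21T02:14:05Z host=FS01 event_id=4624 logon_type=10 user=jsmith src_ip=10.20.30.40
2022-04-21T02:15:11Z host=FS01 event_id=4625 logon_type=3 user=administrator src_ip=203.0.113.77
2022-04-21T02:15:12Z host=FS01 event_id=4625 logon_type=3 user=admin src_ip=203.0.113.77
2022-04-21T02:15:13Z host=FS01 event_id=4625 logon_type=3 user=backup src_ip=203.0.113.77
2022-04-21T02:15:14Z host=FS01 event_id=4625 logon_type=3 user=svc_sql src_ip=203.0.113.77
2022-04-21T02:15:15Z host=FS01 event_id=4625 logon_type=3 user=jsmith src_ip=203.0.113.77
2022-04-21T02:16:40Z host=FS01 event_id=4624 logon_type=10 user=jsmith src_ip=203.0.113.77
2022-04-21T03:02:00Z host=DC01 event_id=4624 logon_type=2 user=jsmith src_ip=-
2022-04-21T03:30:00Z host=DC01 event_id=4625 logon_type=3 user=guest src_ip=198.51.100.9
"""

# Explicit allow-list of internal ranges (assumed corporate address plan). This is
# deliberately not ipaddress.is_global, which also treats documentation ranges as non-global.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_events(text):
    """Parse one-line key=value records into dicts with typed fields."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts_str, rest = line.split(None, 1)
        rec = dict(FIELD_RE.findall(rest))
        src = rec.get("src_ip")
        events.append({
            "ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
            "host": rec.get("host"),
            "event_id": int(rec["event_id"]),
            "logon_type": int(rec["logon_type"]),
            "user": rec.get("user"),
            "src_ip": None if src in (None, "-") else src,   # "-" = no network source
        })
    return events


def is_internal(ip_str):
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in INTERNAL_NETS)


def external_rdp_logons(events):
    """Successful RDP (4624, logon type 10) logons whose source is not an internal address."""
    return [e for e in events
            if e["event_id"] == 4624 and e["logon_type"] == 10
            and e["src_ip"] and not is_internal(e["src_ip"])]


def brute_force_sources(events, threshold=5, window=timedelta(minutes=5)):
    """Sources with at least `threshold` failed logons (4625) inside any `window`.

    Returns {src_ip: total_failures}. A sorted sliding window over each source's
    failure timestamps avoids counting slow, spread-out failures as a burst.
    """
    failures = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625 and e["src_ip"]:
            failures[e["src_ip"]].append(e["ts"])
    hits = {}
    for ip, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                hits[ip] = len(times)
                break
    return hits


def successful_after_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """(host, user, src_ip) for RDP logons from a source that had just been brute-forcing.

    Only a 4624/type-10 event that comes after that source's last failure counts;
    this is the 'password guessing worked' signal that should page someone.
    """
    hits = brute_force_sources(events, threshold, window)
    last_failure = {}
    for e in events:
        if e["event_id"] == 4625 and e["src_ip"] in hits:
            last_failure[e["src_ip"]] = max(last_failure.get(e["src_ip"], e["ts"]), e["ts"])
    return [(e["host"], e["user"], e["src_ip"]) for e in events
            if e["event_id"] == 4624 and e["logon_type"] == 10
            and e["src_ip"] in hits and e["ts"] > last_failure[e["src_ip"]]]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for e in external_rdp_logons(evs):
        print("external RDP logon:", e["host"], e["user"], e["src_ip"], e["ts"])
    print("brute-force sources:", brute_force_sources(evs))
    print("brute-force followed by success:", successful_after_bruteforce(evs))
```

On the sample data the internal logon from 10.20.30.40 is ignored, 203.0.113.77 is reported as a brute-force source (five failures in four seconds), and the type-10 logon by jsmith from that same address a minute later is reported as a success following brute force. The threshold and window are tuning knobs; the allow-list of internal ranges should match the organisation's own address plan, and in production the 4624 event with logon type 10 is the one to alert on whenever RDP is not supposed to be reachable from outside at all.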
CISOs will benefit from the depth of this brief, which clearly embraces the axiom, “knowledge is power,” as the multinational comments and attribution statements provide additional clarity to a number of historical cyber security incidents.
Russia’s cyber threat actors
The alert goes into great detail on the various threat actors; a brief synopsis of each follows.
FSB: The U.S. and UK governments have attributed Berserk Bear to FSB’s Center 16 (Military Unit 71330), and note that its targets are “critical IT systems and infrastructure in Europe, the Americas and Asia.”
SVR: The U.S., Canada and the UK have attributed the SolarWinds Orion compromise to the SVR. An advanced persistent threat (APT) group within the SVR has been active against government and critical infrastructure targets since at least 2008.
GRU: Multiple units within the GRU have been previously identified as potential cyber threat actors. This alert highlights two of those units, Unit 26165 and Unit 74455.
- Unit 26165 is an APT group whose targets are primarily “government organisations, travel, and hospitality entities, research institutions, and non-governmental organisations, in addition to other critical infrastructure organisations.” Furthermore, the Drovorub Linux malware used in its cyber espionage activities has been attributed by the NSA and FBI to this unit.
- Unit 74455 is also an APT group, primarily associated with cyber espionage activities and with a particular focus on critical infrastructure in the energy, transportation, and financial services sectors. Unit 74455’s notoriety comes from its destructive cyber actions: DDoS and wiper malware attacks. Multiple governments have attributed the 2016 Ukrainian power grid attack and the 2019 attack against Georgian entities to this group.
TsNIIKhM: This entity is part of the R&D arm of the Russian Ministry of Defense and is adept at creating destructive ICS malware. Its Triton (also known as TRISIS) malware, deployed against a foreign petrochemical facility in 2017, led the U.S. Treasury to sanction TsNIIKhM in 2020; in March 2022 the U.S. Department of Justice unsealed an indictment of a TsNIIKhM employee that also alleges attempts against U.S. energy companies in 2021.
Primitive Bear and Venomous Bear: These two groups have been identified by industry as state-sponsored APT groups. The alert highlights that the Five Eyes have not, as yet, formally attributed either to the Russian government. Nonetheless, the groups are targeting Ukrainian government entities, governments aligned with NATO, defence contractors and other organisations deemed of intelligence value.
Additionally, Russian cyber criminal groups have been highlighted and their efforts catalogued within the alert. These include The CoomingProject, Killnet, Mummy Spider, Salty Spider, Scully Spider, Smokey Spider, Wizard Spider, and the Xaknet Team.