American cybersecurity and intelligence agencies last week published a joint advisory on mitigating cyberattacks orchestrated by Russian state-sponsored actors, amid a perceived intensification of Russian activity in this space. Here is what prompted the advisory and what it recommends.
The report was a joint publication of the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA). The three agencies have issued joint advisories before, but rarely one this broad in scope.
The report addressed the spear-phishing, brute-force attacks, and exploitation of known vulnerabilities that Russian attackers, both state-backed entities and individuals, are currently carrying out at unusually high rates.
Vulnerabilities the advisory lists as commonly exploited by these Russian groups to gain initial access include:
- CVE-2018-13379 (Fortinet FortiGate SSL VPN)
- CVE-2019-1653 (Cisco RV320/RV325 routers)
- CVE-2019-2725 (Oracle WebLogic Server)
- CVE-2019-7609 (Kibana)
- CVE-2019-9670 (Zimbra Collaboration Suite)
- CVE-2019-10149 (Exim mail transfer agent)
- CVE-2019-11510 (Pulse Connect Secure VPN)
- CVE-2019-19781 (Citrix ADC and Gateway)
- CVE-2020-0688 (Microsoft Exchange)
- CVE-2020-4006 (VMware Workspace ONE Access)
- CVE-2020-5902 (F5 BIG-IP)
- CVE-2020-14882 (Oracle WebLogic Server)
- CVE-2021-26855 (Microsoft Exchange, exploited frequently alongside CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065)
In a joint statement, the agencies proclaimed that “Russian state-sponsored APT actors have demonstrated sophisticated tradecraft and cyber capabilities by compromising third-party infrastructure, compromising third-party software, or developing and deploying custom malware”.
Recent objectives of Russian hacker groups include disruption of the U.S. energy sector, disruption of Ukraine in the midst of sustained geopolitical tensions, and (as ever) extortion and financial gain.
Groups backed by state interests have also set their sights on operational technology (OT) and industrial control systems (ICS).
The report went on to say that “the actors have also demonstrated the ability to maintain persistent, undetected, long-term access in compromised environments — including cloud environments — by using legitimate credentials.”
The agencies recommend enforcing network segmentation, keeping operating systems, applications, and firmware up to date, mandating multi-factor authentication, and staying vigilant for abnormal activity that indicates lateral movement.
Other best practices in the advisory include the following, which apply as much to companies and utilities around the world as to American ones:
- Strong passwords
- Well-tuned spam filters
- Disabling all unnecessary ports and protocols
- Robust log collection and retention
- Implementing configuration management programs
- Keeping OT hardware in read-only mode where possible
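The advisory's mention of brute-force attacks, and its warning that these actors persist by "using legitimate credentials", both point at the same detection problem: a burst of failed logins from one source, and a success from that source shortly after, is the signature to watch for. The following is an added example, not code from the advisory or from any of the agencies, that runs that logic over a handful of constructed sshd log lines. The log lines, the hostname `bastion`, the source addresses (documentation ranges), and the assumed year 2022 (syslog timestamps omit it) are all made up for this illustration; thresholds are parameters so they can be tuned to a real environment.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample sshd lines in syslog format (not real logs). Two sources:
# 203.0.113.5 sprays five usernames in ten seconds and then logs in as alice;
# 198.51.100.7 is a user mistyping a password once, which must not alert.
SAMPLE_LOG = """\
Jan 12 03:14:01 bastion sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 50422 ssh2
Jan 12 03:14:03 bastion sshd[2211]: Failed password for invalid user oracle from 203.0.113.5 port 50423 ssh2
Jan 12 03:14:05 bastion sshd[2211]: Failed password for root from 203.0.113.5 port 50424 ssh2
Jan 12 03:14:07 bastion sshd[2211]: Failed password for bob from 203.0.113.5 port 50425 ssh2
Jan 12 03:14:09 bastion sshd[2211]: Failed password for alice from 203.0.113.5 port 50426 ssh2
Jan 12 03:14:11 bastion sshd[2211]: Accepted password for alice from 203.0.113.5 port 50427 ssh2
Jan 12 03:20:00 bastion sshd[2250]: Failed password for carol from 198.51.100.7 port 40000 ssh2
Jan 12 03:21:00 bastion sshd[2251]: Accepted password for carol from 198.51.100.7 port 40001 ssh2
Jan 12 09:00:00 bastion sshd[3000]: Accepted publickey for dave from 192.0.2.9 port 3000 ssh2
"""

LOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)
LOG_YEAR = 2022  # assumption: syslog timestamps carry no year


@dataclass
class Event:
    ts: datetime
    ok: bool      # True for "Accepted", False for "Failed"
    user: str
    ip: str


@dataclass
class Alert:
    kind: str     # password_spray | brute_force | success_after_failures
    ip: str
    user: str
    ts: datetime


def parse(text):
    """Turn sshd auth lines into Events, oldest first; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{LOG_YEAR} {m['mon']} {m['day']} {m['time']}",
                               "%Y %b %d %H:%M:%S")
        events.append(Event(ts, m["result"] == "Accepted", m["user"], m["ip"]))
    return sorted(events, key=lambda e: e.ts)


def analyze(text, window=timedelta(minutes=5), fail_threshold=5, spray_users=3):
    """Sliding-window detector keyed by source address.

    password_spray:          >= spray_users distinct accounts failed inside the window
    brute_force:             >= fail_threshold failures inside the window
    success_after_failures:  a successful login from a source already flagged,
                             i.e. the credential was probably guessed or stolen
    """
    recent = defaultdict(deque)   # source ip -> failed events still inside the window
    flagged = set()               # (kind, ip) pairs already reported, to avoid repeats
    alerts = []
    for ev in parse(text):
        q = recent[ev.ip]
        while q and ev.ts - q[0].ts > window:
            q.popleft()           # drop failures that aged out of the window
        if ev.ok:
            if any(ip == ev.ip for _, ip in flagged):
                alerts.append(Alert("success_after_failures", ev.ip, ev.user, ev.ts))
            continue
        q.append(ev)
        distinct_users = {e.user for e in q}
        if len(distinct_users) >= spray_users and ("password_spray", ev.ip) not in flagged:
            flagged.add(("password_spray", ev.ip))
            alerts.append(Alert("password_spray", ev.ip, ev.user, ev.ts))
        if len(q) >= fail_threshold and ("brute_force", ev.ip) not in flagged:
            flagged.add(("brute_force", ev.ip))
            alerts.append(Alert("brute_force", ev.ip, ev.user, ev.ts))
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"{a.ts:%H:%M:%S} {a.kind:24} src={a.ip} user={a.user}")
```

Run against the sample, the spraying source produces three alerts in order (password_spray, brute_force, then success_after_failures for `alice`), while carol's single typo and dave's key-based login produce none. The success-after-failures rule is the one worth wiring to a page: it fires exactly when an attacker has finished guessing and is now walking in with a valid credential, which is the "legitimate credentials" persistence the advisory warns about and the point at which MFA, had it been mandated, would have stopped them.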
As geopolitical tensions over Ukraine continue to rise, expect to see an increase in activity by Russian-backed and Russia-aligned threat actors.