The Cybersecurity and Infrastructure Security Agency (CISA) issued a joint cybersecurity advisory on April 20, along with Federal law enforcement partners and international allies, that the agency says lays out the “most comprehensive view” of the cyber threat Russia poses to critical infrastructure owners since Russia invaded Ukraine in February.
The joint advisory – developed and released with the FBI, the National Security Agency (NSA), and cyber authorities from Australia, Canada, New Zealand, and the United Kingdom – includes technical details on cyber threat actors that are either Russian state-sponsored or aligned with Russian military and intelligence services.
“We know that malicious cyber activity is part of the Russian playbook,” CISA Director Jen Easterly said in the release. “We also know that the Russian government is exploring options for potential cyberattacks against U.S. critical infrastructure.”
“Today’s cybersecurity advisory released jointly by CISA and our interagency and international partners reinforces the demonstrated threat and capability of Russian state-sponsored and Russian aligned cyber-criminal groups to our homeland,” she said.
To reduce exposure to these threats, the advisory recommends that critical infrastructure owners and other organizations immediately:
- “Prioritize patching of known exploited vulnerabilities;
- Enforce multifactor authentication;
- Monitor remote desktop protocol (RDP); and
- Provide end-user awareness and training.”
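The third item, monitoring RDP, is the one of the four that turns directly into detection logic. The script below is an added example, not code from the advisory or from CISA: it runs over a handful of constructed Windows Security event records (Event ID 4624 for a successful logon, 4625 for a failure; Logon Type 10 is RemoteInteractive, i.e. RDP) and flags three things a defender typically wants surfaced: a burst of failed logons from one source, a successful RDP logon from a source that had just been brute-forcing, and any RDP logon from outside a trusted address range. The field names, the trusted network, the threshold and the window are all assumptions chosen for the example.

```python
"""Flag suspicious RDP activity in Windows Security logon events.

Added example for the advisory's "monitor RDP" recommendation. The event
dicts below are a constructed, simplified subset of the fields Windows
writes for Event IDs 4624/4625; they are not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample events (not real telemetry). With Network Level
# Authentication enabled, a failed RDP attempt is usually logged as a
# 4625 with Logon Type 3 (the CredSSP exchange fails before a type-10
# session exists), while a successful RDP session logs 4624 Logon Type 10.
SAMPLE_EVENTS = [
    {"ts": "2022-04-20T02:00:01", "id": 4625, "user": "administrator", "src": "203.0.113.45", "logon_type": 3},
    {"ts": "2022-04-20T02:00:04", "id": 4625, "user": "administrator", "src": "203.0.113.45", "logon_type": 3},
    {"ts": "2022-04-20T02:00:09", "id": 4625, "user": "administrator", "src": "203.0.113.45", "logon_type": 3},
    {"ts": "2022-04-20T02:00:15", "id": 4625, "user": "administrator", "src": "203.0.113.45", "logon_type": 3},
    {"ts": "2022-04-20T02:00:22", "id": 4625, "user": "administrator", "src": "203.0.113.45", "logon_type": 3},
    {"ts": "2022-04-20T02:00:31", "id": 4625, "user": "administrator", "src": "203.0.113.45", "logon_type": 3},
    {"ts": "2022-04-20T02:00:40", "id": 4624, "user": "administrator", "src": "203.0.113.45", "logon_type": 10},
    {"ts": "2022-04-20T09:15:00", "id": 4624, "user": "jsmith", "src": "10.0.5.21", "logon_type": 10},
    {"ts": "2022-04-20T09:16:00", "id": 4624, "user": "svc_backup", "src": "10.0.5.22", "logon_type": 3},
    {"ts": "2022-04-20T11:00:00", "id": 4624, "user": "jsmith", "src": "198.51.100.7", "logon_type": 10},
]

# Assumptions for the example: the site's admin VLAN, and a brute-force
# threshold of 5 failures within 10 minutes from one source address.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
FAIL_THRESHOLD = 5
WINDOW = timedelta(minutes=10)
RDP_SUCCESS_TYPE = 10
RDP_FAILURE_TYPES = {3, 10}


def analyze_rdp(events, trusted_nets=TRUSTED_NETS,
                threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return findings as (kind, source_ip, user) tuples, in event order."""
    findings = []
    failures = defaultdict(list)   # src -> timestamps of recent failures
    brute_sources = set()          # sources that already crossed the threshold

    for ev in sorted(events, key=lambda e: e["ts"]):
        t = datetime.fromisoformat(ev["ts"])
        src = ev["src"]

        if ev["id"] == 4625 and ev["logon_type"] in RDP_FAILURE_TYPES:
            # Keep only failures inside the sliding window, then count.
            recent = [x for x in failures[src] if t - x <= window]
            recent.append(t)
            failures[src] = recent
            if len(recent) >= threshold and src not in brute_sources:
                brute_sources.add(src)
                findings.append(("rdp_bruteforce", src, ev["user"]))

        elif ev["id"] == 4624 and ev["logon_type"] == RDP_SUCCESS_TYPE:
            # A success from a source that was just brute-forcing is the
            # highest-priority signal: the password guessing worked.
            if src in brute_sources:
                findings.append(("rdp_success_after_bruteforce", src, ev["user"]))
            ip = ipaddress.ip_address(src)
            if not any(ip in net for net in trusted_nets):
                findings.append(("rdp_from_untrusted_network", src, ev["user"]))

    return findings


if __name__ == "__main__":
    for kind, src, user in analyze_rdp(SAMPLE_EVENTS):
        print(f"{kind:32} src={src:15} user={user}")
```

Two caveats for anyone adapting this to real logs: exposed RDP should not be on the Internet at all (the advisory's MFA item applies to the remote-access path in front of it), so the untrusted-network rule is a backstop, not a control; and the 4625 logon-type behaviour differs between NLA and non-NLA hosts, which is why the failure branch accepts both type 3 and type 10.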
“We urge all organizations to review the guidance in this advisory as well as visit [CISA’s ‘Shields Up’ site] for continually updated information on how to protect yourself and your business,” Easterly added.
The advisory warns that “Russian state-sponsored cyber actors” have demonstrated the ability to compromise networks, exfiltrate data from IT and operational technology (OT) networks, and develop “long-term, persistent access to IT networks.” It also warns that these actors have proven they can disrupt industrial control systems (ICS) and other OT functions by deploying destructive malware.
The alert names the Russian Federal Security Service (FSB), Foreign Intelligence Service (SVR), General Staff Main Intelligence Directorate (GRU), the GRU’s Main Center for Special Technologies, and the Russian Ministry of Defense Central Scientific Institute of Chemistry and Mechanics as state-sponsored cyber actors that “have conducted malicious cyber operations against IT and/or OT networks.”
“The FBI is focused on exposing and disrupting malicious cyber activity by Russia against our allies and our own networks,” Bryan Vorndran, FBI Cyber Division Assistant Director, said in the release.
“We are working alongside our Federal and international partners to quickly share information that helps private industry as well as the public to better protect and defend their systems from these threats,” he said. “We will continue to investigate these malicious threat actors through our unique authorities and hold them accountable for their actions. We urge our partners and the public to report any suspicious activity.”
The alert also notes that two Russian-aligned cyber threat groups have been targeting Ukrainian and North Atlantic Treaty Organization (NATO)-aligned governments, but that their activity has not been attributed to the Russian government.
The final category the advisory flags is Russian-aligned cybercrime groups. The advisory notes that some of these groups have independently pledged support for the Russian government since the invasion began in February and pose a threat to critical infrastructure. The advisory says these groups are most likely to attack by deploying ransomware or launching distributed denial-of-service (DDoS) attacks.
“Threats to critical infrastructure remain very real,” Rob Joyce, NSA Cybersecurity Director, said. “The Russia situation means you must invest and take action.”