The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) collaborated on this joint Cybersecurity Advisory (CSA), which is part of our ongoing cybersecurity mission to warn organizations about cyber threats and assist the cybersecurity community in reducing the risk posed by these threats. This CSA gives an overview of Russian state-sponsored cyber operations, including common TTPs, detecting steps, incident response recommendations, and mitigations. This overview aims to assist the cybersecurity community in reducing the threat posed by these threats.
CISA, the FBI, and the NSA encourage the cybersecurity community—particularly critical infrastructure network defenders—to adopt a heightened level of awareness and conduct proactive threat hunting. CISA, the FBI, and the NSA also strongly advise network defenders to follow the recommendations outlined below and explained in the Mitigations section. These mitigations will aid organizations in improving their functional resilience by lowering the chance of a security breach or severe business disruption.
Prepare yourself: Confirm reporting procedures and close any holes in IT/OT security coverage with staff. Create, manage, and test a cyber incident response plan, a resilience strategy, and a continuity of operations plan to ensure that vital services and operations can continue if technological systems are affected or must be taken offline.
Improve your company's cyber security: Follow best practices when it comes to identity and access management, security controls and architecture, and vulnerability and configuration management.
Boost your organization's alertness: Maintain up-to-date coverage of this hazard. Subscribe to CISA's mailing list and RSS feeds to be notified when the organization publishes new material on a security topic or threat.
CISA, the FBI, and the NSA recommend leaders of critical infrastructure organizations to read CISA Insights: Preparing for and Mitigating Cyber Threats for tips on lowering cyber threats.
Technical Details
To acquire initial access to target networks, Russian state-sponsored advanced persistent threat (APT) actors have traditionally employed conventional but effective approaches such as spear phishing, brute force, and exploiting known vulnerabilities against accounts and networks with inadequate security. Russian state-sponsored APT actors are known to exploit the following vulnerabilities for first access:
CVE-2018-13379 FortiGate VPNs
CVE-2019-1653 Cisco router
CVE-2019-2725 Oracle WebLogic Server
CVE-2019-7609 Kibana
CVE-2019-9670 Zimbra software
CVE-2019-10149 Exim Simple Mail Transfer Protocol
CVE-2019-11510 Pulse Secure
CVE-2019-19781 Citrix
CVE-2020-0688 Microsoft Exchange
CVE-2020-4006 VMWare (note: this was a zero-day at time.)
CVE-2020-5902 F5 Big-IP
CVE-2020-14882 Oracle WebLogic
CVE-2021-26855 Microsoft Exchange (Note: this vulnerability is frequently observed used in conjunction with CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065)
By hacking third-party infrastructure, compromising third-party software, or building and deploying proprietary malware, Russian state-sponsored APT attackers have shown advanced tradecraft and cyber capabilities. By utilizing authentic credentials, the actors have proved their capacity to sustain persistent, undetected, long-term access in compromised networks, including cloud environments.
Russian state-sponsored cyber operations against critical infrastructure firms have in certain cases used damaging malware to target operational technology (OT) and industrial control systems (ICS) networks. For details on previous Russian state-sponsored cyber-intrusion campaigns and specialized malware that have attacked ICS, see the following advisories and alerts:
ICS Advisory ICS Focused Malware – Havex
ICS Alert Ongoing Sophisticated Malware Campaign Compromising ICS (Update E)
ICS Alert Cyber-Attack Against Ukrainian Critical Infrastructure
Technical Alert CrashOverride Malware
CISA MAR HatMan: Safety System Targeted Malware (Update B)
CISA ICS Advisory Schneider Electric Triconex Tricon (Update B)
Russian state-sponsored APT actors have targeted a variety of U.S. and international critical infrastructure organizations, including those in the Defense Industrial Base, Healthcare and Public Health, Energy, Telecommunications, and Government Facilities Sectors, with sophisticated cyber capabilities. The following are examples of high-profile cyber behavior that has been publicly attributed to Russian state-sponsored APT actors as a result of US government reporting and legal actions:
From September 2020 to at least December 2020, Russian state-sponsored APT actors will target state, local, tribal, and territorial (SLTT) administrations and aviation networks. Hundreds of SLTT government and aviation networks were targeted by Russian state-sponsored APT actors. The perpetrators were successful in compromising networks and stealing data from a number of victims.
The global Energy Sector penetration campaign was carried out by Russian state-sponsored APT actors from 2011 to 2018. These Russian state-sponsored APT actors carried out a multi-stage intrusion campaign, gaining remote access to US and foreign Energy Sector networks, deploying ICS-focused malware, and collecting and exfiltrating corporate and ICS-related data.
Campaign against Ukrainian critical infrastructure by Russian state-sponsored APT actors in 2015 and 2016. In December 2015, Russian state-sponsored APT attackers launched a cyberattack against Ukrainian energy distribution businesses, resulting in unscheduled power outages at various companies. The attackers utilized BlackEnergy malware to steal user passwords and KillDisk, a destructive malware component, to render targeted systems unusable. In 2016, these hackers launched a cyber-attack against a Ukrainian power transmission firm, using the CrashOverride virus, which is specifically designed to target power grids.