New Five Eyes alert warns of Russian threats targeting critical infrastructure

In a move demonstrative of international cooperation and partnership, the Five Eyes (United States, Australia, Canada, New Zealand, and United Kingdom) issued an alert giving a “comprehensive overview of Russian state-sponsored and cybercriminal threats to critical infrastructure.” The alert also includes remediation guidance, which CISOs will find of particular import.

Alert AA22-110A – Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure, provides details on the cyber operations attributable to Russian state actors, including the Russian Federal Security Service (FSB), Russian Foreign Intelligence Service (SVR), Russian General Staff Main Intelligence Directorate (GRU), and Russian Ministry of Defense, Central Scientific Institute of Chemistry and Mechanics (TsNIIKhM). It also identifies cybercriminal organizations, including some which have expressed fealty to the Russian Federation, that have pledged to conduct cyber operations against entities that are providing support to Ukraine. Thus, your company’s position on Russia’s invasion of Ukraine very well may place your company in the target sights of Russian state actors or their cybercriminal cronies.

Need to invest in cybersecurity

It cannot be overstated that investment in cybersecurity is a must. “Threats to critical infrastructure remain very real,” said Rob Joyce, NSA Cybersecurity Director. “The Russia situation means you must invest and take action.”

The four areas of immediate concern that infosec teams should be addressing will not be alien to any entity with a modicum of cybersecurity acumen:

• Prioritize patching of known exploited vulnerabilities
• Enforce multi-factor authentication
• Monitor remote desktop protocol (RDP)
• Provide end-user awareness and training

The fact that the alert leads with these four items, which many would consider “Cybersecurity 101,” suggests that many entities are devoid of such acumen.

CISOs will benefit from the depth of this brief, which clearly embraces the axiom, “knowledge is power,” as the multinational comments and attribution statements provide additional clarity to a number of historical cybersecurity incidents.

Russia’s cyber threat actors

The alert goes into great detail on the various threat actors, a brief synopsis on these follows:

• FSB: The U.S. and UK have attributed Berserk Bear to be associated with FSB’s Center 16 or GRU Unit 71330, and that the targets are “critical IT systems and infrastructure in Europe, the Americas and Asia.”
• SVR:S., Canada and the UK have attributed the SolarWinds Orion compromise to have been conducted by the SVR. An advanced persistent threat (APT) group from within the SVR has been targeting critical infrastructure since at least 2008.
• GRU: Multiple units within the GRU have been previously identified as potential cyber threat actors. This alert highlights two of those units, Unit 26165 and Unit 74455.
  • Unit 26165 is an APT group whose targets are primarily “government organizations, travel, and hospitality entities, research institutions, and non-governmental organizations, in addition to other critical infrastructure organizations.” Furthermore, the Drovorub malware used in the conduct of cyberespionage activities is attributed to have its origin within the GRU.
  • Unit 74455 is also an APT group is primarily associated with cyber espionage activities, with a particular focus on critical infrastructure within the energy, transportation, and financial services sectors. Unit 74455 notoriety comes from their effective destructive cyber actions — DDOS and wiper malware attacks. Multiple governments have attributed this APT group to have been instrumental in the 2016 Ukrainian power grid attack and the 2019 attack against Georgian entities.
• TsNIIKhM: This entity is a part of the R&D arm of the Russian Ministry of Defense. They are adept at creating destructive ICS malware. The attacks against U.S. energy entities in 2021 resulted in this entity being sanctioned and an employee indicted by the Department of Energy.
• Primitive Bear and Venomous Bear: These have been identified as two state-sponsored APT groups by industry. The alert highlights that the Five Eyes have not, as yet, attributed these two entities as being associated with the Russian government. Nonetheless, the groups are targeting western government entities including Ukrainian government entities, governments aligned with NATO, defense contractors and others deemed of intelligence value.

Additionally, Russian cybercriminal groups have been highlighted and their efforts cataloged within the alert. These include The CoomingProject, Killnet, Mummy Spider, Salty Spider, Scully Spider, Smokey Spider, Wizard Spider, and The Xaknet Team.

Report incidents and unusual cyber activity

The alert asks organizations to report incidents and unusual cyber activity with their respective government cybersecurity authorities and provides contact information for CISA.

CISA Director Jen Easterly emphasized, “We know that malicious cyber activity is part of the Russian playbook. We also know that the Russian government is exploring options for potential cyberattacks against U.S. critical infrastructure. Today’s cybersecurity advisory released jointly by CISA and our interagency and international partners reinforces the demonstrated threat and capability of Russian state-sponsored and Russian aligned cybercriminal groups to our homeland.”

Easterly urged all organizations to review the guidance in the advisory and on CISA’s Shields Up website, which is updated regularly.