As we have mentioned a few times here at OODA Loop, we are very discerning in our amplification of US-CERT e-mail notifications. Emergency Directives and Joint Cybersecurity Advisories (CSAs) are the exceptions. The Joint CSA released today by CISA, the FBI, and the NSA is very much aligned with our coverage of the current tension in Ukraine and the role of cyber and information threat vectors in gray-zone conflicts.

In 2021, Gray Zones proved a proxy for a larger information warfare threat vector, as Bob Gourley laid out in his recent C-Suite Guide To Improving Your Cybersecurity Posture Before Russia Invades Ukraine. We also included Bob’s assessment in our 2021 Year-end Review: Geopolitical Risk and Technology.

Following are the details of the Joint CSA released today.

OODA Loop Sponsor

From the CISA press release announcing the Joint CSA:

CISA, the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) have released a joint Cybersecurity Advisory (CSA) that provides an overview of Russian state-sponsored cyber operations, including commonly observed tactics, techniques, and procedures. The CSA also provides detection actions, incident response guidance, and mitigations. CISA, the FBI, and NSA are releasing the joint CSA to help the cybersecurity community reduce the risk presented by Russian state-sponsored cyber threats.

CISA, the FBI, and NSA encourage the cybersecurity community—especially critical infrastructure network defenders—to adopt a heightened state of awareness, conduct proactive threat hunting, and implement the mitigations identified in the joint CSA. CISA recommends network defenders review CISA’s Russia Cyber Threat Overview and Advisories page for more information on Russian state-sponsored malicious cyber activity. CISA recommends critical infrastructure leaders review CISA Insights: Preparing For and Mitigating Potential Cyber Threats for steps to proactively strengthen their organization’s operational resiliency against sophisticated threat actors, including nation-states and their proxies.

From the Joint CSA:

These mitigations will help organizations improve their functional resilience by reducing the risk of compromise or severe business degradation.

Be prepared. Confirm reporting processes and minimize personnel gaps in IT/OT security coverage. Create, maintain, and exercise a cyber incident response plan, resilience plan, and continuity of operations plan so that critical functions and operations can be kept running if technology systems are disrupted or need to be taken offline.
Enhance your organization’s cyber posture. Follow best practices for identity and access management, protective controls and architecture, and vulnerability and configuration management.
Increase organizational vigilance. Stay current on reporting on this threat. Subscribe to CISA’s mailing list and feeds to receive notifications when CISA releases information about a security topic or threat.

the Joint CSA includes technical details of tactics—including spearphishing, brute force, and exploiting known vulnerabilities against accounts and networks with weak security—to gain initial access to target networks by Russian state-sponsored advanced persistent threat (APT) actors. Vulnerabilities known to be exploited by Russian state-sponsored APT actors are itemized in the advisory.

Operational Technology (OT) and Industrial Control Systems (ICS) Network Vulnerabilities Highlighted

In some cases, Russian state-sponsored cyber operations against critical infrastructure organizations have specifically targeted operational technology (OT)/industrial control systems (ICS) networks with destructive malware. See the following advisories and alerts for information on historical Russian state-sponsored cyber-intrusion campaigns and customized malware that have targeted ICS:

ICS Advisory ICS Focused Malware – Havex
ICS Alert Ongoing Sophisticated Malware Campaign Compromising ICS (Update E)
ICS Alert Cyber-Attack Against Ukrainian Critical Infrastructure
Technical Alert CrashOverride Malware
CISA MAR HatMan: Safety System Targeted Malware (Update B)
CISA ICS Advisory Schneider Electric Triconex Tricon (Update B)

Russian state-sponsored APT actors have used sophisticated cyber capabilities to target a variety of U.S. and international critical infrastructure organizations, including those in the Defense Industrial Base as well as the Healthcare and Public Health, Energy, Telecommunications, and Government Facilities Sectors. High-profile cyber activity publicly attributed to Russian state-sponsored APT actors by U.S. government reporting and legal actions includes:

Russian state-sponsored APT actors targeting state, local, tribal, and territorial (SLTT) governments and aviation networks, September 2020, through at least December 2020. Russian state-sponsored APT actors targeted dozens of SLTT government and aviation networks. The actors successfully compromised networks and exfiltrated data from multiple victims.
Russian state-sponsored APT actors’ global Energy Sector intrusion campaign, 2011 to 2018. These Russian state-sponsored APT actors conducted a multi-stage intrusion campaign in which they gained remote access to U.S. and international Energy Sector networks, deployed ICS-focused malware, and collected and exfiltrated enterprise and ICS-related data.
Russian state-sponsored APT actors’ campaign against Ukrainian critical infrastructure, 2015 and 2016. Russian state-sponsored APT actors conducted a cyberattack against Ukrainian energy distribution companies, leading to multiple companies experiencing unplanned power outages in December 2015. The actors deployed BlackEnergy malware to steal user credentials and used its destructive malware component, KillDisk, to make infected computers inoperable. In 2016, these actors conducted a cyber-intrusion campaign against a Ukrainian electrical transmission company and deployed CrashOverride malware specifically designed to attack power grids.

For more information on recent and historical Russian state-sponsored malicious cyber activity, see the referenced products below or cisa.gov/Russia.