Though the feds don’t cite any specific threat, a joint advisory from CISA, the FBI and the NSA offers advice on how to detect and mitigate cyberattacks sponsored by Russia.
Cyberattacks sponsored by hostile nation-states are always a major concern, for governments and organizations. Using advanced and sophisticated tactics, these types of attacks can inflict serious and widespread damage, as we’ve already seen in such incidents as the SolarWinds exploit. As such, organizations need to be vigilant for such attacks and make sure they have the means to prevent or combat them. In an advisory issued on Tuesday, the U.S. government provides advice on how to do that.
SEE: Zero trust security: A cheat sheet (free PDF) (TechRepublic)
Authored by the Cybersecurity and Infrastructure Security Agency (CISA), the FBI and the NSA, the joint advisory doesn’t point to a specific threat but does advise organizations to adopt a “heightened state of awareness” about Russia-sponsored cyberattacks. The warning comes at a time when tension between the Kremlin and NATO is high over fears that Russia is planning a new invasion of Ukraine.
“The advisory doesn’t mention the current Russian-Ukraine tensions, but if the conflict escalates, you can expect Russian cyber threats to increase their operations,” said Rick Holland, chief information security officer at Digital Shadows. “Cyberspace has become a key component of geopolitics. Russian APT groups aren’t at the top of the threat model for all companies, unlike the critical infrastructure providers mentioned in the alert, but could end up being collateral damage.”
On a general level, the advisory provides three pieces of advice to ensure that your organization is ready to defend itself against these state-sponsored attacks.
- Be prepared. Confirm your processes for reporting a cyber incident and make sure there are no gaps among your IT staff for handling security threats. Create and test a cyber incident response plan, a resiliency plan and a continuity of operations plan so that critical business operations aren’t disrupted in the event of a cyberattack.
- Beef up your cyber posture. Adopt best practices for identity and access management, protective controls and architecture, and vulnerability and configuration management.
- Increase your vigilance. Stay current on potential cyber threats. Subscribe to CISA’s mailing list and feeds to get notifications when details are released about a security topic or threat.
The advisory also describes some of the specific vulnerabilities that Russian-sponsored hackers have targeted or exploited in the past to gain initial access into an organization:
Further, organizations should be aware of some of the tactics and targets used in Russian state-sponsored attacks. In many cases, these hackers will target third-party infrastructure and software as a way of impacting an entire supply chain, as seen in the SolarWinds attack. In other cases, they’ll go after operational technology (OT) and industrial control systems (ICS) networks by installing malware. Further, these attackers often use legitimate and stolen account credentials to infiltrate a network or cloud environment where they remain undetected as they plot their malicious campaigns.
SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)
The advisory also offers more specific tips for organizations on protection, detection and response to a cyberattack or other security incident.
- Require multi-factor authentication for all users without exception.
- Require that accounts have strong passwords. Don’t allow passwords to be used across multiple accounts to which an attacker might have access.
- Establish a strong password policy for service accounts.
- Secure your account and login credentials. Russian state-sponsored hackers often take advantage of compromised credentials.
- Disable the storage of clear text passwords in LSASS memory.
- Enable strong spam filters to stop phishing emails from reaching your users.
- Update and patch all operating systems, applications and firmware. Prioritize patching the most critical and exploited vulnerabilities. Consider adopting a centralized patch management system to help with this process.
- Disable all unnecessary ports and protocols.
- Ensure that all OT hardware is in read-only mode.
- Make sure you monitor for and collect logs about security incidents so you can fully investigate them. For this, you can turn to such tools as Microsoft Sentinel, CISA’s free Sparrow tool, the open-source Hawk tool or CrowdStrike’s Azure Reporting Tool.
- Watch out for evidence of known Russian state-sponsored tactics, techniques and procedures (TTPs). For this, review your authentication logs for login failures of valid accounts, especially multiple failed attempts. Look for “impossible logins” such as ones with changing usernames and ones that don’t match the actual user’s geographic location.
- Upon detecting a cyber incident on your network, quickly isolate any affected systems.
- Secure your backups. Make sure your backed data is offline and secure. Scan your backup to make sure it’s free of malware.
- Review any relevant logs and other artifacts.
- Consider contacting a third-party IT company to advise you and help you ensure that the attacker is removed from your network.
- Report incidents to CISA and/or the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.
“Russia has very advanced cyber warfare skills which keep them hidden once a network is compromised, although ironically, the initial attack vectors are typically those of low-tech email phishing campaigns, taking advantage of people reusing already compromised passwords or using easily guessed passwords,” said Erich Kron, security awareness advocate at KnowBe4.
“To strengthen organizations against these attacks, it is critical that they have a comprehensive security awareness program in place to help users spot and report suspected phishing attacks and to educate them on good password hygiene,” Kron added. “In addition, technical controls such as multi-factor authentication and monitoring against potential brute force attacks can play a critical role in avoiding the initial network intrusion.”