CISA: Russian state-sponsored groups exploited vulnerabilities in Microsoft, Cisco, Oracle tools

The US cybersecurity agency said Russian APT actors targeted state, local, tribal, and territorial governments from September 2020 to at least December 2020.

The Cybersecurity and Infrastructure Security Agency (CISA) released an alert on Tuesday detailing a variety of tactics used by Russian state-sponsored groups to attack local and tribal governments across the US between September 2020 and December 2020. 


When pressed on why the guide was being released now and which local governments were attacked in 2020, CISA said it was part of their "continuing cybersecurity mission" with "interagency partners to warn organizations of potential criminal or nation-state cyber threats." 

"As described in the advisory, Russian state-sponsored actors have targeted a variety of the US and international critical infrastructure organizations over the years. This guidance is being released to broadly share known tactics, techniques, and procedures, and encourage network defenders to take recommended actions," a CISA spokesperson said. 

The alert said Russian state-sponsored advanced persistent threat (APT) actors have generally targeted the US and international critical infrastructure organizations, but it also said the "high-profile cyber activity" revolved around the attacks on the state, local, tribal, and territorial (SLTT) governments and aviation networks in the fall of 2020. 

CISA said the groups "targeted dozens of SLTT government and aviation networks" and were able to successfully compromise networks before exfiltrating data from an unknown number of victims.

The US cybersecurity agency also said APT groups conducted "multi-stage intrusion" campaigns across multiple companies in the energy sector, deploying ICS-focused malware and collecting enterprise and ICS-related data from 2011 to 2018. 

[Figure: screenshot from the CISA alert. Source: CISA]

The notice includes a range of advice for organizations as they try to protect themselves and their systems. CISA, the FBI, and the NSA also released a full list of vulnerabilities that Russian state-sponsored groups typically use to gain initial access to target networks.

Rick Holland, CISO at Digital Shadows, said these groups use "common but effective tactics," relying on low-hanging fruit as well as sophisticated capabilities.

"While it isn't sexy, effective security hygiene like patching known vulnerabilities on external services raises the adversary costs and makes their job harder. Don't be a soft target," Holland said, noting the recent geopolitical issues embroiling the US-Russia relationship. 

ICS/OT industry expert Mark Carrigan said the guide would be helpful because "highly-sophisticated threats from state-sponsored actors aren't going away and companies large and small are in the cross-hairs."

"The political leverage that can be gained from infiltrating critical infrastructure is enormous," said Carrigan, vice president of OT cybersecurity at Hexagon PPM. "The fingerprints of Energetic Bear, the Russian organization behind past attacks on critical infrastructure, are visible in these recent activities."

The US is still in the process of recovering from the SolarWinds scandal, which saw Russian government groups gain widespread access to 100 government contractors and multiple agencies, including the State Department, Department of Homeland Security, National Institutes of Health, the Pentagon, the Treasury Department, the Department of Commerce, the Department of Energy and the National Nuclear Security Administration.

Rep. Carolyn Maloney, chairwoman of the House Committee on Oversight and Reform, held a hearing on Tuesday about efforts to strengthen the Federal Information Security Management Act (FISMA), which would force federal agencies to improve their cybersecurity standards.  

Maloney noted that FISMA hasn't been updated since 2014 and that federal agencies reported 30,819 cybersecurity incidents in 2020 alone.

The CISA release also comes as the US and Russia spar over multiple issues in Ukraine and Kazakhstan. The alert cites previously reported attacks by Russian groups on critical infrastructure in Ukraine. A US Homeland Security report from 2016 said 225,000 customers were left without power two days before Christmas because of the Russian attack on three regional electric power distribution companies. 

CISA explained on Tuesday that the Russian groups involved in the attack used the BlackEnergy malware to steal user credentials, and then they used its malware component KillDisk to make infected computers inoperable. 

"In 2016, these actors conducted a cyber-intrusion campaign against a Ukrainian electrical transmission company and deployed CrashOverride malware specifically designed to attack power grids," the CISA alert said. 

Chris Krebs, the former director of CISA, tweeted about the alert, saying, "State and NSC are in Geneva right now trying to keep the Russians out of Ukraine, but in case that doesn't work, you might want to prepare for badness..."
