The US government urges organizations to prepare for Russian-sponsored cyberattacks

Although the feds have not identified any particular threat, a joint advisory by CISA, FBI, and NSA provides advice on how to detect, mitigate, and prevent cyberattacks sponsored or coordinated by Russia.


Governments and organizations should be concerned about cyberattacks sponsored by hostile nation-states. These attacks can be serious and widespread, and they often use advanced techniques, as the SolarWinds attack showed. Because they can be devastating to the organizations they hit, it is important to understand them and to have the tools to counter them. In a Tuesday advisory, the U.S. government gives advice on how to do that.


Although the joint advisory was not written to identify a specific threat, it recommends that organizations adopt a “heightened state of awareness” regarding Russia-sponsored cyberattacks. The warning comes at a time when tensions between NATO and Russia have been high.

Rick Holland, Chief Information Security Officer at Digital Shadows, said that although the advisory doesn’t address the current Russia-Ukraine tensions, “if the conflict escalates, you can expect Russian cyber threats will increase their operations. Cyberspace is a major component of geopolitics. Unlike the alert’s critical infrastructure providers, Russian APT groups don’t appear to be at the top of the threat models for all companies. However, they could end up as collateral damage.”

The advisory offers three pieces of general advice to help ensure that your organization is ready to defend against these state-sponsored attacks.

  • Be prepared. Confirm your procedures for reporting a cybersecurity incident. Make sure your IT staff is trained to handle security threats. Test your cyber incident response, resiliency and continuity of operations plans to ensure that business operations are not disrupted by a cyberattack.
  • Enhance your cyber posture. Follow best practices for identity and access management, protective controls and architecture, vulnerability management and configuration management.
  • Increase your vigilance. Stay up to date on cyber threats by subscribing to CISA’s mailing list and feeds, so that you receive notifications whenever details are released on a security topic or threat.

The advisory also lists some of the vulnerabilities Russian state-sponsored hackers have exploited or targeted in the past to gain initial access to an organization.

Organizations should also be aware of the tactics and targets common to Russian state-sponsored hacking campaigns. As the SolarWinds attack demonstrated, these actors often compromise third-party infrastructure or software in order to reach an entire supply chain. They have also deployed malware against industrial control systems and operational technology (OT). And they use stolen or otherwise legitimate account credentials to infiltrate networks and cloud environments, often remaining undetected until they launch their malicious campaigns.


The advisory provides additional tips on how organizations can protect against, detect and respond to a cyberattack.

Protection

  1. Require multi-factor authentication for all users.
  2. Require strong passwords for all accounts, and do not allow passwords to be reused across multiple accounts or stored on a system an attacker might have access to.
  3. Establish a strong password policy for service accounts.
  4. Secure credentials and accounts. Russian state-sponsored hackers are known to take advantage of compromised credentials.
  5. Disable the storage of clear-text passwords in LSASS memory.
  6. Set up strong spam filters to prevent phishing emails from reaching your users.
  7. Patch all operating systems, software and firmware. Prioritize patching the most critical vulnerabilities and those known to be exploited. A centralized patch management process helps here.
  8. Disable all unneeded ports and protocols.
  9. Keep OT hardware in read-only mode.

Detection

  1. Ensure that logs are collected and retained so that security incidents can be fully investigated. Tools such as Microsoft Sentinel, CISA’s free Sparrow tool, the open-source Hawk tool or CrowdStrike’s Azure Reporting Tool can help.
  2. Watch for evidence of known Russian state-sponsored tactics, techniques and procedures (TTPs). Review your authentication logs for login failures against valid accounts, especially repeated failed attempts. Look for “impossible logins,” such as logins with changing usernames or logins from locations that don’t match the actual user’s geographic location.
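
The two log-review checks in the detection item above (repeated failures against valid accounts, and “impossible” logins) can be automated. The following Python is an added example written for this article, not code from the advisory or from any of the tools it names. The log format, the account list, the 5-failures-in-10-minutes threshold and the 900 km/h travel-speed cutoff are all assumptions chosen for illustration; the sample events are constructed and use documentation IP ranges.

```python
"""Hunt authentication logs for two TTPs the advisory highlights:
repeated login failures against valid accounts, and "impossible logins"
where one account authenticates from two places it could not have
travelled between in the time available.  (Illustrative example only.)
"""
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0

# Constructed sample log (not from a real environment).  Assumed field order:
# timestamp, username, result, source IP, and the latitude/longitude that the
# IP geolocates to.  Real logs would need a geolocation lookup step.
SAMPLE_LOG = """\
2022-01-11T08:00:02Z alice FAILURE 203.0.113.10 52.52 13.40
2022-01-11T08:00:09Z alice FAILURE 203.0.113.10 52.52 13.40
2022-01-11T08:00:15Z alice FAILURE 203.0.113.10 52.52 13.40
2022-01-11T08:00:21Z alice FAILURE 203.0.113.10 52.52 13.40
2022-01-11T08:00:27Z alice FAILURE 203.0.113.10 52.52 13.40
2022-01-11T08:00:33Z alice SUCCESS 203.0.113.10 52.52 13.40
2022-01-11T08:05:00Z root  FAILURE 203.0.113.10 52.52 13.40
2022-01-11T08:05:01Z root  FAILURE 203.0.113.10 52.52 13.40
2022-01-11T08:05:02Z root  FAILURE 203.0.113.10 52.52 13.40
2022-01-11T08:05:03Z root  FAILURE 203.0.113.10 52.52 13.40
2022-01-11T08:05:04Z root  FAILURE 203.0.113.10 52.52 13.40
2022-01-11T09:10:00Z bob   SUCCESS 198.51.100.7 38.90 -77.04
2022-01-11T09:45:00Z bob   SUCCESS 192.0.2.44   55.75 37.62
2022-01-11T10:00:00Z carol SUCCESS 198.51.100.9 40.71 -74.01
2022-01-11T10:20:00Z carol FAILURE 198.51.100.9 40.71 -74.01
2022-01-11T14:00:00Z carol SUCCESS 198.51.100.9 42.36 -71.06
"""

# Assumed directory export: "root" is deliberately absent so that the spray
# against it is treated as noise, while failures against real users count.
VALID_ACCOUNTS = {"alice", "bob", "carol"}


def parse_events(text):
    """Parse one whitespace-separated event per line, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result, ip, lat, lon = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "result": result, "ip": ip,
                       "lat": float(lat), "lon": float(lon)})
    return sorted(events, key=lambda e: e["ts"])


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates, in kilometres."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def repeated_failures(events, valid_accounts, threshold=5,
                      window=timedelta(minutes=10)):
    """Flag valid accounts with >= threshold failures inside one window.

    Also records whether a SUCCESS followed the burst inside the same
    window, which is the case a responder wants to triage first."""
    by_user = defaultdict(list)
    for e in events:
        if e["user"] in valid_accounts:
            by_user[e["user"]].append(e)
    findings = []
    for user, evs in by_user.items():
        failures = [e for e in evs if e["result"] == "FAILURE"]
        for i, first in enumerate(failures):
            end = first["ts"] + window
            burst = [f for f in failures[i:] if f["ts"] <= end]
            if len(burst) >= threshold:
                success_after = any(e["result"] == "SUCCESS"
                                    and burst[-1]["ts"] < e["ts"] <= end
                                    for e in evs)
                findings.append({"user": user, "failures": len(burst),
                                 "first_seen": first["ts"],
                                 "sources": sorted({f["ip"] for f in burst}),
                                 "success_after": success_after})
                break  # one finding per account is enough for triage
    return findings


def impossible_logins(events, max_speed_kmh=900.0):
    """Flag consecutive successful logins for one account whose implied
    travel speed exceeds max_speed_kmh (roughly airliner speed)."""
    last_success, findings = {}, []
    for e in events:
        if e["result"] != "SUCCESS":
            continue
        prev = last_success.get(e["user"])
        if prev is not None:
            dist = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            hours = (e["ts"] - prev["ts"]).total_seconds() / 3600
            # Same place, same second is benign; different places in zero time is not.
            if dist > 0 and (hours == 0 or dist / hours > max_speed_kmh):
                findings.append({"user": e["user"], "from_ip": prev["ip"],
                                 "to_ip": e["ip"], "distance_km": round(dist),
                                 "speed_kmh": float("inf") if hours == 0
                                 else round(dist / hours)})
        last_success[e["user"]] = e
    return findings


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for f in repeated_failures(evs, VALID_ACCOUNTS):
        print("repeated failures:", f)
    for f in impossible_logins(evs):
        print("impossible login:", f)
```

On the constructed sample this flags alice (five failures in 31 seconds followed by a success from the same IP) and bob (Washington to Moscow in 35 minutes), while the spray against the non-existent root account and carol’s New York to Boston hop over four hours are left alone. In production the thresholds need tuning per environment, and the geolocation step is where most false positives come from (VPN egress points and mobile carriers in particular).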

Response

  1. Upon detecting a cyber incident on your network, quickly isolate the affected systems.
  2. Secure your backups. Make sure your backed-up data is offline and secure, and scan your backups to confirm they are free of malware.
  3. Review relevant logs and other artifacts.
  4. Consider engaging a third-party incident response firm to advise you and to help ensure that the attacker has been removed from your network.
  5. Report incidents to CISA and/or the FBI via your local FBI field office, or the FBI’s 24/7 CyWatch at (855) 292-3937 or [email protected].

“Russia is very skilled in cyber warfare and keeps them hidden once a system is compromised,” stated Erich Kron of KnowBe4.

Kron stated, “To help organizations resist these attacks, it is important that they have an extensive security awareness program in place to assist users in identifying and reporting suspected phishing attacks, as well as to teach them good password hygiene.” Technical controls like multi-factor authentication and monitoring for potential brute-force attacks could play a crucial role in avoiding initial network intrusions.
