On April 20, 2022, the cybersecurity authorities of the United States, Australia, Canada, New Zealand, and the United Kingdom—the so-called “Five Eyes” governments—announced the publication of Alert AA22-110A, a Joint Cybersecurity Advisory (the “Advisory”) warning critical infrastructure organizations throughout the world that the Russian invasion of Ukraine could expose them “to increased malicious cyber activity from Russian state-sponsored cyber actors or Russian-aligned cybercrime groups.” The Advisory is intended to update a January 2022 Joint Cybersecurity Advisory, which provided an overview of Russian state-sponsored cyber operations and tactics, techniques, and procedures (“TTPs”).
In its announcement, the authorities urged critical infrastructure network defenders in particular “to prepare for and mitigate potential cyber threats by hardening their cyber defenses” as recommended in the Advisory.
Overview. The Advisory notes that “evolving intelligence” indicates that the Russian government is exploring options for potential cyber attacks and that some cybercrime groups have recently publicly pledged support for the Russian government and threatened to conduct cyber operations on behalf of the Russian government. The Advisory summarizes TTPs used by five state-sponsored advanced persistent threat (“APT”) groups, two Russian-aligned cyber threat groups, and eight Russian-aligned cybercrime groups. Additionally, it provides a list of mitigations and suggests that critical infrastructure organizations should implement certain mitigations “immediately.”
Russian State-Sponsored Cyber Operations. The Advisory notes that Russian state-sponsored cyber actors have “demonstrated capabilities” to compromise networks; maintain long-term, persistent access to networks; exfiltrate sensitive data from information technology (“IT”) and operational technology (“OT”) networks; and disrupt critical industrial control systems (“ICS”) and OT networks by deploying destructive malware. The Advisory details five Russian APT groups:
Russian Federal Security Service (“FSB”): The FSB, the successor agency to the Soviet KGB, has conducted malicious cyber operations targeting various organizations within multiple critical infrastructure sectors, including the Energy Sector (including U.S. and UK companies), the Transportation Sector (including U.S. aviation organizations), the Water and Wastewater Systems Sector, and the Defense Industrial Base Sector. The Advisory notes the FSB has also targeted U.S. government and military personnel, private organizations, cybersecurity companies, and journalists. Common TTPs include exploiting internet-facing infrastructure and network appliances, conducting brute force attacks against public-facing web applications, and leveraging compromised infrastructure, such as websites frequented or owned by their target.
Russian Foreign Intelligence Service (“SVR”): SVR has likewise targeted multiple critical infrastructure organizations, although the Advisory does not specify the sectors in which these organizations operate. SVR’s TTPs include custom and sophisticated malware targeting Windows and Linux systems and lateral movement within a compromised network that can bypass multi-factor authentication (“MFA”) on privileged cloud accounts. The U.S., UK, and Canada have attributed the SolarWinds Orion supply chain compromise to the SVR.
Russian General Staff Main Intelligence Directorate (“GRU”), 85th Main Special Service Center (“GTsSS”): GTsSS primarily targets government organizations, travel and hospitality entities, research institutions, non-government organizations, and critical infrastructure entities. Its TTPs include harvesting credentials to gain access to targets via spear phishing emails and spoofed websites that trick users into entering their account names and passwords.
GRU’s Main Center for Special Technologies (“GTsST”): GTsST is known to target critical infrastructure entities, including those within the Energy, Transportation, and Financial Services Sectors, as well as member states belonging to the North Atlantic Treaty Organization (“NATO”) and Western governments and military organizations. GTsST is particularly known to use destructive or disruptive attacks, such as distributed denial of service (“DDoS”) and wiper malware.
Russian Ministry of Defense, Central Scientific Institute of Chemistry and Mechanics (“TsNIIKhM”): TsNIIKhM is known publicly as a research organization in the Russian Ministry of Defense, but the Advisory notes it has developed destructive ICS malware, known as Triton, HatMan, and TRISIS.
Russian-Aligned Cyber Threat Groups. The Advisory addresses two state-sponsored cyber threat groups: PRIMITIVE BEAR and VENOMOUS BEAR. The former is known to target Ukrainian organizations and the latter is known to target NATO governments, defense contractors, and “other organizations of intelligence value.” Notably, the Advisory explains that none of the governments responsible for the Advisory have formally attributed either of these groups to the Russian government, but nevertheless seems to recognize that these groups are aligned with the Russian government.
Russian-Aligned Cybercrime Groups. The Advisory details eight cybercrime groups aligned with the Russian government. The Advisory notes that these groups are often financially motivated and pose a threat to critical infrastructure organizations throughout the world, primarily through ransomware and DDoS attacks. The Advisory notes that while these groups “may conduct cyber operations in support of the Russian government . . . cyber criminals will most likely continue to operate primarily based on financial motivations, which may include targeting government and critical infrastructure organizations.”
The CoomingProject: This group extorts victims by exposing or threatening to expose leaked data. In response to perceived cyberattacks against Russia, the CoomingProject pledged support for the Russian government.
Killnet: Killnet likewise pledged support to the Russian government. It also claimed credit for a March 2022 DDoS attack against a U.S. airport conducted in response to U.S. materiel support for Ukraine.
MUMMY SPIDER: This group operates an advanced, modular botnet, known as Emotet, which primarily functions as a downloader and distribution service for other cybercrime groups. Emotet has been used to target “financial, e-commerce, healthcare, academia, government, and technology organizations’ networks” throughout the world.
SALTY SPIDER: This group also operates a botnet, known as Sality, which uses advanced peer-to-peer malware loaders. SALTY SPIDER has conducted DDoS attacks against Ukrainian web forums discussing the Russian invasion of Ukraine.
SCULLY SPIDER: This group operates a “malware-as-a-service” model, which includes maintaining a command and control infrastructure and selling access to its malware and infrastructure to affiliates. SCULLY SPIDER also operates the DanaBot botnet, which effectively functions as an initial access vector for other malware and can result in ransomware deployment. The group primarily targets organizations in the United States, Canada, Germany, United Kingdom, Australia, Italy, Poland, Mexico, and Ukraine.
SMOKEY SPIDER: This group operates a malicious bot, known as Smoke Loader or Smoke Bot, which is used to upload other malware. The group’s bot has been used to distribute malware payloads used in DDoS attacks against Ukrainian targets.
WIZARD SPIDER: This group develops TrickBot malware and Conti ransomware. This group has targeted construction and engineering companies, legal and professional services, manufacturing, retail, U.S. healthcare, and first responder networks, and has publicly pledged support to the Russian government, threatened critical infrastructure organizations of countries perceived to “carry out cyberattacks or war against the Russian government,” and threatened to “retaliate against perceived attacks against the Russian people.”
The Xaknet Team: The Xaknet Team has only been active since March 2022 and has stated they will work “exclusively for the good of [Russia].” The group has threatened to target Ukrainian organizations in response to perceived attacks against Russia and, in March 2022, leaked emails of a Ukrainian official.
Mitigations. The Advisory provides several mitigations that it recommends critical infrastructure organizations implement “immediately”: (1) updating software; (2) enforcing MFA to the greatest extent possible and requiring strong passwords; (3) securing and monitoring “potentially risky services,” such as remote desktop protocol; and (4) providing end-user awareness and training on potential cyber threats.
As part of longer-term mitigation, the Advisory recommends implementing network segmentation to separate network segments based on role and functionality, and implementing a series of more detailed mitigations related to preparing for cyber incidents, identity and access management, protective controls and architecture, and vulnerability and configuration management.
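The Advisory's call to secure and monitor exposed services such as remote desktop protocol, together with its observation that brute force attacks against public-facing applications are a common TTP, translates in practice into a detection check over authentication logs. The script below is an added illustration and is not part of the Advisory or of any tooling the authorities publish; the log format, field names (user, src, svc), thresholds, and sample lines are constructed for this example. It groups failed logons by source address within a sliding time window, raises an alert when a source exceeds the failure threshold, and raises a second, higher-priority alert when a source that was already flagged later logs on successfully, which is the signal a defender would act on first.

```python
"""Brute-force detection over authentication logs (added example).

This is not code from the Advisory. The log format and sample lines are
constructed: "<ISO timestamp> <FAIL|OK> user=<name> src=<ip> svc=<service>".
Source addresses use the RFC 5737 documentation ranges.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log. 203.0.113.7 hammers an RDP endpoint and then
# succeeds; 198.51.100.20 fails slowly (one attempt every 10 minutes);
# 192.0.2.5 is an ordinary successful logon.
SAMPLE_LOG = """\
2022-04-20T10:00:00 FAIL user=svc_backup src=198.51.100.20 svc=rdp
2022-04-20T10:00:01 FAIL user=admin src=203.0.113.7 svc=rdp
2022-04-20T10:00:03 FAIL user=admin src=203.0.113.7 svc=rdp
2022-04-20T10:00:05 FAIL user=admin src=203.0.113.7 svc=rdp
2022-04-20T10:00:07 FAIL user=admin src=203.0.113.7 svc=rdp
2022-04-20T10:00:09 FAIL user=admin src=203.0.113.7 svc=rdp
2022-04-20T10:00:30 OK user=admin src=203.0.113.7 svc=rdp
2022-04-20T10:05:00 OK user=alice src=192.0.2.5 svc=vpn
2022-04-20T10:10:00 FAIL user=svc_backup src=198.51.100.20 svc=rdp
2022-04-20T10:20:00 FAIL user=svc_backup src=198.51.100.20 svc=rdp
2022-04-20T10:30:00 FAIL user=svc_backup src=198.51.100.20 svc=rdp
2022-04-20T10:40:00 FAIL user=svc_backup src=198.51.100.20 svc=rdp
"""


def parse_line(line):
    """Parse one constructed log line into a dict with a datetime 'ts'."""
    ts, result, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.fromisoformat(ts)
    event["result"] = result
    return event


def detect_brute_force(lines, threshold=5, window=timedelta(minutes=5)):
    """Return a list of (alert_type, src, detail, timestamp) tuples.

    alert_type is 'brute_force' when a source accumulates `threshold`
    failures inside `window`, and 'success_after_brute_force' when a
    source that was already flagged later logs on successfully.
    Events are sorted by timestamp first so out-of-order lines are safe.
    """
    events = sorted((parse_line(l) for l in lines if l.strip()),
                    key=lambda e: e["ts"])
    recent = defaultdict(deque)  # src -> timestamps of failures still inside the window
    flagged = set()
    alerts = []
    for ev in events:
        src = ev["src"]
        if ev["result"] == "FAIL":
            q = recent[src]
            q.append(ev["ts"])
            # Drop failures that have aged out of the sliding window.
            while q and ev["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("brute_force", src, ev["svc"], ev["ts"]))
        elif ev["result"] == "OK" and src in flagged:
            # A success from a flagged source suggests a guessed credential.
            alerts.append(("success_after_brute_force", src, ev["user"], ev["ts"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_LOG.splitlines()):
        print(*alert)
```

The sliding window is what separates the slow source from the fast one: 198.51.100.20 also fails five times, but never more than once inside any five-minute span, so it stays below the threshold. In a real deployment the threshold and window are tuned to the service (an exposed RDP gateway tolerates far fewer failures than an internal VPN concentrator), and the second alert type is the one that should page someone, since it indicates the attempt may have worked.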
Responding to Cyber Incidents. The Advisory also recommends that defenders of critical infrastructure organizations “exercise due diligence in identifying indicators of potential malicious activity” and undertake specific steps after detecting possible APT or ransomware activity.
These steps include: (1) immediately isolating affected systems; (2) for DDoS attacks, identifying and blocking suspected attacker IP traffic, enabling firewall rate limiting, notifying the organization’s Internet Service Provider, and enabling remote triggered blackhole (RTBH) filtering; (3) securing backups; (4) collecting and reviewing relevant logs, data, and artifacts; (5) considering engaging a third-party IT organization; and (6) reporting incidents to appropriate cyber and law enforcement authorities. The Advisory also “strongly discourage[s]” paying a ransom to criminal actors, noting that such payments do not always result in successful recovery of the victim’s files and that such payments may “embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities.”
Additional Resources. The Advisory also provides links to many additional resources on a variety of topics, including: Russian state-sponsored malicious cyber activity; other malicious and criminal cyber activity; protecting against and responding to ransomware; destructive malware; incident response; and additional resources for critical infrastructure owners and operators with OT/ICS networks.
Next Steps. U.S. cybersecurity, law enforcement, and intelligence agencies have recently issued numerous alerts and advisories warning of the gravity of the Russian cyber threat. This Advisory provides a uniquely detailed glimpse into recent U.S. and allied intelligence gathering on Russian cyber operations, and underscores the broad scope of malicious Russian-affiliated cyber activity and the significant threats posed by such activity. Organizations, especially those within critical infrastructure sectors and those operating critical ICS and OT networks, should consider assessing their cybersecurity posture in light of these threats, including whether any gaps exist in that posture and whether implementing any of the specific mitigations identified in the Advisory is warranted.