The Cybersecurity and Infrastructure Security Agency (CISA), along with the Federal Bureau of Investigation (FBI), National Security Agency (NSA), Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), National Cyber Security Centre New Zealand (NZ NCSC), and the United Kingdom’s National Cyber Security Centre (NCSC-UK) and National Crime Agency (NCA), with contributions from industry members of the Joint Cyber Defense Collaborative, issued a joint Cybersecurity Advisory on Russian state-sponsored and criminal cyber threats to critical infrastructure that could impact organizations both within and beyond Ukraine.
It is the most comprehensive view of the cyber threat posed by Russia to critical infrastructure released by government cyber experts since the invasion of Ukraine in February.
The advisory provides technical details on malicious cyber operations by actors from the Russian Federal Security Service (FSB), Russian Foreign Intelligence Service (SVR), Russian General Staff Main Intelligence Directorate (GRU), and Russian Ministry of Defense, Central Scientific Institute of Chemistry and Mechanics (TsNIIKhM). It also includes details on Russian-aligned cyber threat groups and cybercrime groups. Some of these cybercrime groups have recently publicly pledged support for the Russian government and have threatened to conduct cyber operations in retaliation for perceived cyber offensives against Russia or against countries or organizations providing materiel support to Ukraine.
The advisory recommends several immediate actions for all organizations to take to protect their networks, which include:
- Prioritize patching of known exploited vulnerabilities;
- Enforce multifactor authentication;
- Monitor remote desktop protocol (RDP); and
- Provide end-user awareness and training.
“We know that malicious cyber activity is part of the Russian playbook. We also know that the Russian government is exploring options for potential cyberattacks against U.S. critical infrastructure. Today’s cybersecurity advisory released jointly by CISA and our interagency and international partners reinforces the demonstrated threat and capability of Russian state-sponsored and Russian aligned cyber-criminal groups to our Homeland,” said CISA Director Jen Easterly. “We urge all organizations to review the guidance in this advisory as well as visit www.cisa.gov/shields-up for continually updated information on how to protect yourself and your business.”
“The FBI is focused on exposing and disrupting malicious cyber activity by Russia against our allies and our own networks,” said Bryan Vorndran, FBI Cyber Division Assistant Director. “We are working alongside our federal and international partners to quickly share information that helps private industry as well as the public to better protect and defend their systems from these threats. We will continue to investigate these malicious threat actors through our unique authorities and hold them accountable for their actions. We urge our partners and the public to report any suspicious activity to www.ic3.gov.”
“Threats to critical infrastructure remain very real,” said Rob Joyce, NSA Cybersecurity Director. “The Russia situation means you must invest and take action.”
“Recent intelligence and historic instances of destructive cyber attacks indicate now is the time for organisations to improve their cyber security posture,” said Abigail Bradshaw, Head, Australian Cyber Security Centre. “In particular, critical infrastructure organisations should act now to raise defences, not wait until being attacked. The ACSC stands ready to support its critical infrastructure partners in responding to the threats we face – by raising their awareness of the threat, sharing indicators of compromise, and providing technical mitigation advice.”
“Russia has significant cyber capabilities and a demonstrated history of using them irresponsibly, and state-sponsored malicious cyber activity is a real risk to organizations around the world,” said Sami Khoury, Head, Canadian Centre for Cyber Security. “By joining alongside our partners in releasing today’s joint advisory, the Communications Security Establishment and its Canadian Centre for Cyber Security continue to support making threat information more publicly available, while providing specific advice and guidance to help protect against these kinds of risks.”
“We are currently seeing an increased potential for cyber-attacks on critical infrastructures which may have a serious impact, even for countries and organisations not directly targeted,” said Lisa Fong, Director of New Zealand’s National Cyber Security Centre. “Organisations should take the opportunity to consider their security posture, understand their critical systems and risks – including across their supply chain – and exercise readiness. This joint advisory with our partners provides organisations with important information which will help them to build their cyber resilience by identifying and mitigating risks they face.”
“In this period of heightened cyber threat, it has never been more important to plan and invest in longer-lasting security measures,” said Lindy Cameron, NCSC CEO. “It is vital that all organisations accelerate plans to raise their overall cyber resilience, particularly those defending our most critical assets. The NCSC continues to collaborate with our international and law enforcement partners to provide organisations with timely actionable advice to give them the best chance of preventing cyber-attacks, wherever they come from.”
“Cyber attacks have evolved and increased in scale and severity over recent years, with the criminal groups behind them targeting the critical infrastructure of countries around the world,” said Rob Jones, NCA Director General for Cyber. “The NCA leads the UK law enforcement response to this threat, working with a range of international partners to investigate cyber criminals and disrupt the services they rely on. It is vital that organisations help bolster this response by enhancing cyber resilience and reporting any incidents of cyber crime to the authorities, to allow timely mitigation of further attacks.”
Because evolving intelligence indicates that the Russian government is exploring options for potential cyberattacks, the cybersecurity authorities are providing this robust advisory with several resources and mitigations that can help the cybersecurity community protect against possible cyber threats from these adversarial groups. Executives, leaders, and network defenders are urged to implement recommendations to prepare for and mitigate the varied cyber threats listed in the Cybersecurity Advisory.
All organizations should share information about incidents and unusual cyber activity with their respective cybersecurity authorities. Reporting cyber incidents quickly can contribute to stopping further attacks. In the U.S., organizations should inform CISA’s 24/7 Operations Center at [email protected] or (888) 282-0870, or an FBI field office.