The Threat
On March 21st, 2022, U.S. President Joe Biden publicly stated that there is an increased risk of Russian Advanced Persistent Threat (APT) groups targeting critical infrastructure in the United States. These statements were made as a result of continued cyber-attacks being launched at organizations in Ukraine by Russian affiliated threat actors. Notable recent incidents include four wiper malware campaigns and ads, appearing on a known Russian hacker forum, where threat actors were looking to buy access to major oil and gas companies.
Organizations are recommended to review their current defenses and operate under a heightened awareness for threats. Recommendations for defending against Russian APT groups are available below and in the CISA SHIELDS UP report.
This Security Advisory serves as a follow up and a deeper dive to this morning's Threat Update, Heightened Threat Scenario: Russian Cyberattacks.
What we’re doing about it
- Threat hunts have been, and continue to be performed for indicators associated with Russian cyber criminal and Russian State-sponsored threat actor groups
- Asset Data for clients with eSentire’s Managed Vulnerability Service (MVS) has been leveraged to determine if clients were vulnerable to known targeted vulnerabilities by Russian APT groups
- Impacted clients have been notified directly through the SOC
- Detections to identify known Russian APT tools and techniques are in place across both eSentire MDR for Endpoint and Network products
- eSentire continues to develop new detections across the eSentire product suite in response to Russian APT activity
- Known malicious IP addresses associated with Russian and other threat actor groups are blocked via eSentire’s Global Deny List
- The eSentire Threat Intelligence team is actively tracking this topic for additional details and detection opportunities
What you should do about it
- Organizations without eSentire’s Managed Vulnerability Service (MVS) are recommended to review their environment for critical vulnerabilities and vulnerabilities known to be targeted by Russian APT groups
- Ensure that an email security product is in place to identify and prevent potential phishing and malspam attacks
- User training and a reporting process should be in place to ensure end-users can identify and report potentially malicious content that bypasses current security tools
- Enforce the use of Multi-Factor Authentication (MFA) for all externally facing services
- Review configuration policies to protect against “fail open” and “re-enrollment” MFA bypass scenarios
- Ensure that all non-active accounts are fully disabled across the network including Active Directory and MFA systems
- Require the use of long, unique passwords to minimize the likelihood of successful bruteforce attacks
- Be prepared to isolate critical infrastructure from the internet
- Create and test a Disaster Recovery Plan (DRP) for scenarios including information theft, website defacements, and the deployment of ransomware or wiper malware
- Review and apply the recommendations provided by CISA in the SHIELDS UP report
Additional information
The Whitehouse statement on potential cyberattacks from Russian APT groups does not provide technical details or additional context for future attacks. Based on recent cyberattacks in Ukraine by Russian affiliated threat actors, attacks may include the deployment of wiper malware, ransomware, or information stealing malware. Critical infrastructure covers a range of industries; attacks may target energy, finance, defense, manufacturing, government, and other major industries.
eSentire has provided additional resources with information related to recent Russian APT activity:
References:
[1] https://www.whitehouse.gov/briefing-room/statements-releases/2022/03/21/statement-by-president-biden-on-our-nations-cybersecurity/
[2] https://www.cisa.gov/shields-up
[3] https://www.cisa.gov/uscert/ncas/alerts/aa22-011a
[4] https://www.esentire.com/resources/library/january-2022-threat-intelligence-observations
[5] https://www.esentire.com/resources/library/march-2022-threat-intelligence-observations-on-demand
[6] https://www.esentire.com/resources/library/threat-briefing-potential-cyber-threats-stemming-from-russias-invasion-of-ukraine
[7] https://www.esentire.com/security-advisories/cyber-threats-due-to-russian-and-ukrainian-tensions
[8] https://www.esentire.com/security-advisories/esentire-threat-intelligence-advisory-cyclops-blink-malware
[9] https://www.esentire.com/security-advisories/russian-apt-exploits-known-vulnerability
