US govt warns of Russian hackers targeting critical infrastructure

The FBI, CISA, and the NSA have warned critical infrastructure network defenders to be ready to detect and block incoming attacks targeting organizations from US critical infrastructure sectors, orchestrated by Russian-backed hacking groups.

Advanced persistent threat (APT) actors linked to Russia have been observed attacking a wide range of US organizations using various effective tactics to breach their networks, ranging from spearphishing and brute force to exploiting a large variety of known security vulnerabilities.

"Russian state-sponsored APT actors have also demonstrated sophisticated tradecraft and cyber capabilities by compromising third-party infrastructure, compromising third-party software, or developing and deploying custom malware," the joint advisory reads.

"The actors have also demonstrated the ability to maintain persistent, undetected, long-term access in compromised environments—including cloud environments—by using legitimate credentials.

"In some cases, Russian state-sponsored cyber operations against critical infrastructure organizations have specifically targeted operational technology (OT)/industrial control systems (ICS) networks with destructive malware."

The three federal agencies highlight the following attacks where Russian APT groups — including APT29, APT28, and the Sandworm Team — have used destructive malware to specifically target industrial control systems (ICS) and operational technology (OT) networks belonging to critical infrastructure orgs worldwide:

US critical infrastructure orgs exposed to Russian-backed cyber operations are advised to focus on detecting their malicious activity by enforcing robust log collection/retention and looking for behavioral evidence or network and host-based artifacts.

If they detect any potential Russian-linked APT activity while monitoring their IT or OT networks they're also encouraged to isolate all potentially affected systems, secure their backups, collect evidence of the potential breach, and report the incident to CISA or the FBI after asking IT experts' help with incident response tasks.

Warnings of Russian APTs targeting US orgs

This joint advisory follows an NCSC(UK)-CISA-FBI-NSA joint security advisory issued in May 2021 to urge network defenders to patch their systems as promptly as possible to match the speed with which Russian-sponsored SVR hackers (aka APT29, Cozy Bear, and The Dukes) were changing targets in their attacks.

That warning came after US and UK governments attributed the SolarWinds supply-chain attack and COVID-19 vaccine developer targeting to Russian SVR operators' cyber-espionage efforts from April 2021.

The NSA, CISA, and the FBI also informed organizations and service providers on the same day regarding the top five vulnerabilities exploited in SVR attacks against US interests.

In a third joint advisory published in April, the FBI, DHS, and CIA alerted US orgs of continued attacks linked to the Russian SVR against the US and foreign organizations.

In July, the US government also announced it's offering a reward of up to $10 million through its Rewards for Justice (RFJ) program for info on malicious cyber activities conducted by state-sponsored threat actors targeting the country's critical infrastructure sectors.