US Issues Russian Cyber Threat Warning
The Cybersecurity Infrastructure Security Agency, Federal Bureau of Investigation and the National Security Agency issued a joint Cybersecurity Advisory last week warning of Russian cyber threats to critical infrastructure in the United States.
The CSA provides an overview of Russian state-sponsored cyber operations, including commonly observed tactics, techniques and procedures, and provides detection actions, incident response guidance and mitigations. The agencies encourage critical infrastructure cybersecurity communities to “adopt a heightened state of awareness” against the threats.
While no specifics about the threats were mentioned, the CSA was released “to warn organizations of cyber threats and help the cybersecurity community reduce the risk presented by these threats.” The release outlines several mitigation strategies to reduce risk of compromise, including:
Take steps now to protect against the Russia cyber threat: Invest in logs and monitoring so you can hunt out malicious activity & minimize impacts if compromise occurs. Strengthen your networks by taking actions in our joint advisory with @CISAgov & @FBI. https://t.co/KfL75hJI5j pic.twitter.com/nKmIeSfcTS— NSA Cyber (@NSACyber) January 11, 2022
According to reports, the new guidance comes after White House National Cyber Director Chris Inglis testified before Congress in November that there has been a “discernible decrease” in the number of cyberattacks against U.S. companies that can be traced back to Russia, with no clear reason behind the decrease.
Multiple cyberattacks by Russia-based groups against U.S. companies happened last year, including against Colonial Pipeline, meat producer JBS USA and IT group Kaseya.
Last week, Ukraine government websites were defaced and potentially destructive malware was detected on Ukrainian systems. Oleg Nikolenko, Ukraine’s foreign ministry spokesman announced that the investigation is ongoing, but preliminary reports suggested that the Russian secret services hacker groups were behind the attack on as many as 70 central and regional authority websites.
Following the cyber incidents, the CISA also published a checklist of actions for organizations, regardless of sector or size, to take to protect against cyber incidents.
“The identification of destructive malware is particularly alarming given that similar malware has been deployed in the past—e.g., NotPetya and WannaCry ransomware—to cause significant, widespread damage to critical infrastructure,” stated the release.
Recent Cyberattacks on Infrastructure
In February last year, a water treatment plant in Oldsmar, Florida, reported that a hacker had breached its computer networks and changed the level of sodium hydroxide from 100 parts per million to 11,000 per million.
Sodium hydroxide—also known as lye—is commonly used at water treatment plants to control the acidity of drinking water and remove metals. However, too much of the chemical can make the water dangerous to drink.
After it appeared that the hacker had left the system, the operator immediately returned the sodium hydroxide to the previous levels, ensuring that no harm would come to the public or the drinking water. However, to put local residents at ease, Gaultieri noted that even if the operator hadn’t been present, the issue would have been caught during a secondary chemical check when the water is moved to holding tanks.
Since the incident, Oldsmar local authorities alongside the Federal Bureau of Investigation and the U.S. Secret Service have been investigating the hack. In February, investigators were unsure if the hacker originates within the U.S. or somewhere outside of the country.
In the past year, American cybersecurity firm Mandiant told Bloomberg that hacker attacks against industrial systems have increased, with hackers mostly engaging in limited-impact operations. Other experts have pointed out that industrial control systems have become more of a target since its transition in becoming more interconnected within the OT environment and connected to the IT environment as well.
The increase in vulnerability is also attributed to the shift of operations to more remote environments in wake of the ongoing coronavirus pandemic.
To mitigate these issues, President Biden has already noted on increasing cybersecurity. Since the start of the year, the Department of Homeland Security has already issued 25 advisories listing various industrial control systems that could be vulnerable to hacking.
By April, Neuberger told reporters that the government was undertaking a new effort to help electric utilities, water districts and other critical industries protect against potentially damaging cyberattacks. The goal is to ensure that control systems serving 50,000 or more Americans have the core technology to detect and block malicious cyber activity.
Following that announcement, the White House has since launched a 100-day initiative aimed at protecting the country’s electricity system from cyberattacks by encouraging owners and operators of power plants and electric utilities to improve their capabilities for identifying cyber threats to their networks.
While additional measures are being taken, other industry leaders have reported that they’re disappointed, however not surprised by the uptick in attacks.
A few months later, on May 7, Colonial Pipeline reported that it was the victim of a ransomware attack on its corporate computer systems. Slightly different from an average cyberattack, ransomware attacks are usually conducted by criminal hackers who scramble data with an encryption and paralyze victim networks. The hackers typically leave instructions on the infected computers and/or demand a large ransom payment in exchange for decryption codes.
Following the attack, private cybersecurity firm FireEye/Mandiant was hired to manage the incident response investigation. Although, the Federal Bureau of Investigation had already confirmed DarkSide ransomware as the ones responsible for the attack.
At the time, Cybersecurity technology company Cyberreason also weighed in on information about DarkSide, noting that the organization is newer but had previously targeted domain controllers using double extortion methods, meaning that they encrypt data of the target, while also exfiltrating data threatening to make it public.
As a result of the incident, Colonial Pipeline reported that some of its company information and technology systems were affected. In a statement, the company noted that once it realized what was happening, it moved proactively to move systems offline and halted its pipeline operations, which transport more than 100 million gallons a day.
On the morning following the attack, the White House reported that President Joe Biden was briefed on the incident and that federal government agencies ranging from the Department of Energy to the Transportation Security Administration would also be working with Colonial Pipeline and the Cybersecurity and Infrastructure Security Agency to assess the implications of the attack, restore operations and avoid disruptions to the supply.
In additional efforts to help mediate any potential supply issues, the Biden administration issued an emergency waiver extending hours for truck drivers delivering fuel across 17 states, including several across the southeastern U.S. that depend on the pipeline for fuel. According to additional reports, the government was also planning to conduct various scenarios and work in conjunction with state and local authorities.
The following Sunday, Colonial Pipeline was reported to have restored some smaller, lateral lines between terminals and delivery points. On Monday, the company resumed limited shipments, delivering fuel from North Carolina to a terminal in Maryland under manual controls while existing inventory is available.
Contrary to reports that followed the ransomware attack story saying that Colonial had no intentions of paying and extortion fee, last Friday the pipeline company submitted to paying DarkSide nearly $5 million (75 Bitcoin) in order to restore the country’s largest fuel pipeline.
According to reports, in an effort to get gasoline and jet fuel flowing again to major cities along the East Coast, Colonial paid the ransom in a difficult-to-trace cryptocurrency. Once accepted, DarkSide provided Colonial with a decrypting tool to restore its disabled computer network.
Around 5 p.m. that Wednesday, fuel shipments were officially resumed to normal operations.
Earlier this month, a U.S. senior administration official announced that Russia's domestic intelligence agency has arrested the hacker responsible for the attack. Multiple people were reportedly detained who were associated with REvil, the type of ransomware that caused the attack.