
Federal Agencies Release A Joint Advisory On Detecting, Responding, And Mitigating Security Threats From Russian APT Actors


State-sponsored hackers from Russia remain a dominant presence in the cyberthreat landscape, and government authorities and organizations worldwide continue to warn about frequent cyberespionage campaigns by Russian actors. Recently, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the National Security Agency (NSA) released a joint advisory on detecting, responding to, and mitigating security threats from Russian state-sponsored actors. The advisory provides an overview of Russian hackers’ cyber operations, including their commonly used tactics, techniques, and procedures (TTPs).

“CISA, the FBI, and NSA encourage the cybersecurity community—especially critical infrastructure network defenders—to adopt a heightened state of awareness, conduct proactive threat hunting, and implement the mitigations identified in the advisory,” the advisory said.

Russian APT Actors

The federal agencies stated that Russian state-sponsored advanced persistent threat (APT) actors have used attack vectors such as spearphishing, brute force, and exploitation of known vulnerabilities to gain initial access to targeted networks.

Vulnerabilities known to be exploited by Russian state-sponsored APT actors for initial access include:

Targeted Sectors

Russian actors reportedly targeted a variety of U.S. and international critical infrastructure organizations, including those in the Defense Industrial Base as well as the Healthcare and Public Health, Energy, Telecommunications, and Government Facilities Sectors.


What to do if you become a victim of an APT intrusion

The advisory stated that organizations detecting potential APT activity in their networks should:

  • Immediately isolate affected systems.
  • Secure backups. Ensure your backup data is offline and secure. If possible, scan your backup data with an antivirus program to ensure it is free of malware.
  • Collect and review relevant logs, data, and artifacts.
  • Consider soliciting support from a third-party IT organization to provide subject matter expertise, ensure the actor is eradicated from the network, and avoid residual issues that could enable follow-on exploitation.

Mitigation

CISA, the FBI, and NSA recommended that organizations implement the following security measures to increase their cyber resilience against these threats:

  • Develop internal contact lists. Assign primary points of contact for a suspected incident, define roles and responsibilities, and ensure personnel know how and when to report an incident.
  • Minimize IT/OT security personnel availability gaps by identifying surge support for responding to an incident.
  • Ensure IT/OT security personnel monitor key internal security capabilities and can identify anomalous behavior. Flag any identified IOCs and TTPs for immediate response.
  • Create, maintain, and exercise a cyber incident response and continuity of operations plan.
  • Require multi-factor authentication for all users, without exception.
  • Require accounts to have strong passwords, and do not allow passwords to be reused across multiple accounts or stored on a system an adversary may have access to.
  • Identify, detect, and investigate abnormal activity that may indicate lateral movement by a threat actor or malware.
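The advisory's TTP list (brute force for initial access) and its calls to review logs, flag TTPs, and investigate activity that may indicate lateral movement all reduce to the same practical task: run a hunt over authentication logs. The following is an added example written for this article, not code from the advisory or from CISA, the FBI, or NSA. It parses constructed sample log lines in an assumed syslog-like format (timestamp, host, result, user, source IP) and flags three patterns: a source failing against many distinct accounts (password spray), a source succeeding right after a burst of failures (brute force that worked), and one account logging into many hosts in a short window (lateral movement). The format, field names, and thresholds are all assumptions and should be adapted to the real log source.

```python
"""Added example (not from the advisory or the article): a stand-alone hunt over
constructed authentication log lines for brute-force, password-spray and
lateral-movement patterns. Log format and thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line format: <ISO timestamp> <host> auth <SUCCESS|FAILURE> user=<account> src=<ip>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth (?P<result>SUCCESS|FAILURE) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log: a spray from 203.0.113.5 that lands on "frank",
# followed by frank fanning out across internal hosts; alice and bob are benign noise.
SAMPLE_LOG = """\
2022-01-11T08:00:01 vpn-gw auth FAILURE user=alice src=203.0.113.5
2022-01-11T08:00:03 vpn-gw auth FAILURE user=bob src=203.0.113.5
2022-01-11T08:00:05 vpn-gw auth FAILURE user=carol src=203.0.113.5
2022-01-11T08:00:07 vpn-gw auth FAILURE user=dave src=203.0.113.5
2022-01-11T08:00:09 vpn-gw auth FAILURE user=erin src=203.0.113.5
2022-01-11T08:00:11 vpn-gw auth FAILURE user=frank src=203.0.113.5
2022-01-11T08:00:14 vpn-gw auth SUCCESS user=frank src=203.0.113.5
2022-01-11T08:02:30 vpn-gw auth SUCCESS user=alice src=198.51.100.7
2022-01-11T08:05:10 ws-01 auth SUCCESS user=frank src=10.0.0.23
2022-01-11T08:07:42 ws-02 auth SUCCESS user=frank src=10.0.0.23
2022-01-11T08:09:05 fs-01 auth SUCCESS user=frank src=10.0.0.23
2022-01-11T08:12:51 dc-01 auth SUCCESS user=frank src=10.0.0.23
2022-01-11T08:15:00 vpn-gw auth FAILURE user=bob src=198.51.100.9
2022-01-11T08:15:20 vpn-gw auth SUCCESS user=bob src=198.51.100.9
"""


def parse_log(text):
    """Parse matching lines into dicts with a datetime 'ts'; skip anything else."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrelated or malformed line
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def find_password_spray(events, min_accounts=5, window=timedelta(minutes=10)):
    """Sources that fail against at least min_accounts distinct users inside one window."""
    fails = defaultdict(list)
    for e in events:
        if e["result"] == "FAILURE":
            fails[e["src"]].append(e)
    hits = {}
    for src, evs in fails.items():
        for i, start in enumerate(evs):
            users = {x["user"] for x in evs[i:] if x["ts"] - start["ts"] <= window}
            if len(users) >= min_accounts:
                hits[src] = sorted(users)
                break
    return hits


def find_failure_then_success(events, min_failures=3, window=timedelta(minutes=10)):
    """Sources that succeed after at least min_failures recent failures (any account)."""
    hits = []
    recent = defaultdict(list)  # src -> timestamps of recent failures
    for e in events:
        src = e["src"]
        recent[src] = [t for t in recent[src] if e["ts"] - t <= window]
        if e["result"] == "FAILURE":
            recent[src].append(e["ts"])
        elif len(recent[src]) >= min_failures:
            hits.append((src, e["user"], e["host"]))
    return hits


def find_lateral_movement(events, min_hosts=3, window=timedelta(minutes=15)):
    """Accounts that log in to at least min_hosts distinct hosts inside one window."""
    logins = defaultdict(list)
    for e in events:
        if e["result"] == "SUCCESS":
            logins[e["user"]].append(e)
    hits = {}
    for user, evs in logins.items():
        for i, start in enumerate(evs):
            hosts = {x["host"] for x in evs[i:] if x["ts"] - start["ts"] <= window}
            if len(hosts) >= min_hosts:
                hits[user] = sorted(hosts)
                break
    return hits


def run_hunt(text):
    """Run all three detections over raw log text and return the findings."""
    events = parse_log(text)
    return {
        "password_spray": find_password_spray(events),
        "failure_then_success": find_failure_then_success(events),
        "lateral_movement": find_lateral_movement(events),
    }


if __name__ == "__main__":
    for name, result in run_hunt(SAMPLE_LOG).items():
        print(f"{name}: {result}")
```

On the sample log the hunt flags 203.0.113.5 as a spray source, its successful login as frank on vpn-gw as a brute force that worked, and frank's subsequent logins to five hosts within fifteen minutes as candidate lateral movement, while bob's single failed attempt before a successful login from 198.51.100.9 stays below threshold. The three findings chain together into the kind of incident timeline the advisory asks defenders to assemble before isolating systems and calling in support.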