American cybersecurity and intelligence agencies released a joint advisory this week on how to detect, respond to, and mitigate cyberattacks orchestrated by Russian state-sponsored hackers. This advisory comes amid renewed tension between the US and Russia over Ukraine and Kazakhstan.
To that end, the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) have laid out tactics, techniques, and procedures deployed by the threat actors. This includes spear-phishing, brute force, and exploiting known vulnerabilities to gain initial access to target networks.
“Russian state-sponsored APT actors have also demonstrated sophisticated tradecraft and cyber capabilities by compromising third-party infrastructure, compromising third-party software, or developing and deploying custom malware,” the agencies said in the advisory.
“The actors have also demonstrated the ability to maintain persistent, undetected, long-term access in compromised environments — including cloud environments — by using legitimate credentials.”
Historically, Russian advanced persistent threat (APT) groups have set their sights on operational technology (OT) and industrial control systems (ICS) with the goal of deploying harmful malware. Notable examples include the intrusion campaigns against Ukraine and the US energy sector, as well as the attacks that exploited trojanized SolarWinds Orion updates to breach US government agency networks.
To harden defenses against this state-sponsored threat, the agencies recommend mandating multi-factor authentication for all users, monitoring for abnormal activity that could indicate lateral movement, enforcing network segmentation, and keeping operating systems, applications, and firmware up to date.
“Consider using a centralized patch management system,” the advisory reads. “For OT networks, use a risk-based assessment strategy to determine the OT network assets and zones that should participate in the patch management program.”
Other recommended best practices include implementing robust log collection and record-keeping, requiring strong passwords for all accounts, enabling strong spam filters to prevent phishing emails from reaching end users, implementing rigorous configuration management programs, disabling all unnecessary ports and protocols, and ensuring that OT hardware is in read-only mode.