U.S. Reviews Russian Cybersecurity Threats


By: Mary Jander

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published a detailed warning of amplified threats from Russian cyberattackers and affiliated organizations as the Ukraine invasion continues.

The announcement warns about the vulnerability of applications using Remote Desktop Protocol (RDP), while encouraging the use of multifactor authentication (MFA) and the segmentation of operational technology (OT) networks from information technology (IT) networks.

The announcement was made in concert with the Five Eyes group of government security and intelligence agencies from the U.S., Australia, Canada, New Zealand, and the U.K.

“The intent of this joint CSA [Cybersecurity Advisory] is to warn organizations that Russia’s invasion of Ukraine could expose organizations both within and beyond the region to increased malicious cyber activity,” the announcement states. “This activity may occur as a response to the unprecedented economic costs imposed on Russia as well as materiel support provided by the United States and U.S. allies and partners.”

Among the groups cited as specific threats by the Five Eyes are the following:

  • The CoomingProject
  • Killnet
  • MUMMY SPIDER
  • SALTY SPIDER
  • SCULLY SPIDER
  • SMOKEY SPIDER
  • WIZARD SPIDER
  • The Xaknet Team

The warning admonishes cybersecurity personnel to prepare carefully to avoid ransomware, destructive malware, distributed denial of service (DDoS) attacks, and cyber espionage by doing the following:

  • Ensuring all software and firmware are up to date with known patches implemented.
  • Implementing MFA and strong passwords, guarding against re-enrollment routines.
  • Using RDP only on virtual private networks (VPNs) or similar segregated networks.
  • Training end users to protect against phishing attacks and other vulnerabilities.
  • Segmenting networks to avoid making OT networks accessible from outside the organization.
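One way to check two of those items (RDP only from the VPN, OT unreachable from IT or the internet) against a firewall rule set, as an added example that is not from CISA or this article; the rule set, VPN pool, OT range and the "port 0 means any" convention are constructed assumptions:

```python
"""Offline firewall-rule audit: flags RDP allowed from outside the VPN and
OT segments reachable from IT/external sources. All data is constructed."""
from dataclasses import dataclass
from ipaddress import ip_network

RDP_PORT = 3389
ANY_PORT = 0                                   # assumed: rule matches every port
VPN_POOL = ip_network("10.200.0.0/16")         # assumed VPN client range
OT_NETS = [ip_network("10.50.0.0/16")]         # assumed OT/ICS segment


@dataclass
class Rule:
    name: str
    src: str      # source CIDR
    dst: str      # destination CIDR
    port: int     # destination port, ANY_PORT for all ports
    action: str   # "allow" or "deny"


def _overlaps_any(net, nets):
    return any(net.overlaps(n) for n in nets)


def audit(rules):
    """Return (rule name, reason) pairs for allow rules that violate the checklist."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        src, dst = ip_network(r.src), ip_network(r.dst)
        # RDP must only be reachable from VPN addresses.
        if r.port in (RDP_PORT, ANY_PORT) and not src.subnet_of(VPN_POOL):
            findings.append((r.name, "RDP reachable from outside the VPN"))
        # OT segments must only be reached from other OT segments.
        if _overlaps_any(dst, OT_NETS) and not _overlaps_any(src, OT_NETS):
            findings.append((r.name, "OT segment reachable from IT/external"))
    return findings


# Constructed rule set: two compliant allow rules, two non-compliant ones.
SAMPLE_RULES = [
    Rule("vpn-rdp", "10.200.0.0/16", "10.10.0.0/16", RDP_PORT, "allow"),
    Rule("internet-rdp", "0.0.0.0/0", "10.10.5.0/24", RDP_PORT, "allow"),
    Rule("it-to-ot-any", "10.10.0.0/16", "10.50.0.0/16", ANY_PORT, "allow"),
    Rule("ot-to-ot-modbus", "10.50.1.0/24", "10.50.2.0/24", 502, "allow"),
    Rule("deny-all", "0.0.0.0/0", "0.0.0.0/0", ANY_PORT, "deny"),
]

if __name__ == "__main__":
    for name, reason in audit(SAMPLE_RULES):
        print(f"{name}: {reason}")
```

The "any port" rule from IT into OT is reported twice, once per failed check, which is the intended behaviour: it breaks both recommendations.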

Industrial Systems at Risk

The warning follows a CISA announcement earlier this month that advanced persistent threat (APT) actors have been targeting industrial control systems (ICSs) in North America, specifically ones associated with Schneider Electric programmable logic controllers (PLCs), OMRON Sysmac NEX PLCs, and Open Platform Communications Unified Architecture (OPC UA) servers.

The vulnerability of ICSs has become a focal point for companies such as Dragos, which maintains that insider threats are also a major vulnerability for ICSs. “[T]here are many outsider threats in any secured environment – natural disasters, hackers, terrorists, hacktivists, organized crime groups, etc.,” writes Tom Winston, director of intelligence content at Dragos, in a blog. “However, insider threats play a much larger role than most people realize.”

Clouds Under Threat

This week’s announcement also references a broader CISA initiative called Shields Up, which provides guidance and information updates on the increased potential of Russian hacking. In addition to the guidelines listed above, Shields Up also stresses a series of measures specifically for cloud environments. These include protections and configuration changes to ensure that email doesn’t become a target of attack.

“[A]ttacks frequently occurred when victim organizations’ employees worked remotely and used a mixture of corporate laptops and personal devices to access their respective cloud services,” states the Shields Up site. “Despite the use of security tools, affected organizations typically had weak cyber hygiene practices that allowed threat actors to conduct successful attacks.”

Bottom line? The CISA site and associated links are full of suggestions and resources that any security professional should find helpful, at least in terms of covering the basics.