Russia has continually been a thorn in the side of the United States' cybersecurity industry for years, and that doesn't appear to be changing anytime soon.
Malicious threat actors responsible for cyberattacks against critical infrastructure have repeatedly been linked to Russia, including the infamous REvil and DarkSide ransomware gangs, responsible for the JBS Foods and Colonial Pipeline incidents, respectively.
To help address the constant and growing threat that Russian state-sponsored actors pose to organizations and governments around the world, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and National Security Agency (NSA) issued a joint cybersecurity advisory.
The advisory reads:
"CISA, the FBI, and NSA encourage the cybersecurity community—especially critical infrastructure network defenders—to adopt a heightened state of awareness and to conduct proactive threat hunting."
It then lists three things that every organization can do right now to reduce the risk of falling victim to a cyberattack:
- "Be prepared. Confirm reporting processes and minimize personnel gaps in IT/OT security coverage. Create, maintain, and exercise a cyber incident response plan, resilience plan, and continuity of operations plan so that critical functions and operations can be kept running if technology systems are disrupted or need to be taken offline."
- "Enhance your organization's cyber posture. Follow best practices for identity and access management, protective controls and architecture, and vulnerability and configuration management."
- "Increase organizational vigilance. Stay current on reporting on this threat. Subscribe to CISA's mailing list and feeds to receive notifications when CISA releases information about a security topic or threat."
What vulnerabilities are exploited by Russian threat actors?
The joint advisory notes that Russian state-sponsored advanced persistent threat (APT) actors use common but effective tactics, such as phishing, brute force, and exploiting known vulnerabilities.
CISA provides a list of these vulnerabilities known to be exploited by threat actors:
- CVE-2018-13379 FortiGate VPNs
- CVE-2019-1653 Cisco router
- CVE-2019-2725 Oracle WebLogic Server
- CVE-2019-7609 Kibana
- CVE-2019-9670 Zimbra software
- CVE-2019-10149 Exim Simple Mail Transfer Protocol
- CVE-2019-11510 Pulse Secure
- CVE-2019-19781 Citrix
- CVE-2020-0688 Microsoft Exchange
- CVE-2020-4006 VMware (note: this was a zero-day at the time)
- CVE-2020-5902 F5 Big-IP
- CVE-2020-14882 Oracle WebLogic
- CVE-2021-26855 Microsoft Exchange (note: this vulnerability is frequently observed in conjunction with CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065)
If your organization uses any of the above software, it is time to get those vulnerabilities patched if you have not done so already.
Does the CISA advisory help organizations?
It's always important to stay on top of all things cybersecurity related to reduce the risk posed to your organization. So how does an advisory like this help organizations? If you're a critical infrastructure organization, shouldn't you already know all this?
Some security professionals believe CISA should be doing a little more.
John Bambenek, Principal Threat Hunter at Netenrich, shared his thoughts on the advisory:
"Advisories like this do little to help defenders actually protect themselves. I read this and don't have any more insight into detecting and preventing these attacks than before. It's 2022; these agencies hopefully can reach directly out to organizations with more specific guidance because public announcements aren't helpful and there are reasons not to be too specific in them as well."
Others think that these advisories serve as a useful reminder for organizations to remain vigilant.
Tim Wade, Technical Director at Vectra, weighed in:
"I can't recall a time in my life when Russia wasn't aggressively probing Western resolve—ranging from tactical incursions into air space to pulling strategic economic levers. This activity is just a continuation of that longstanding tradition, and I read this advisory as another periodic reminder of the background radiation of global politic. If you're operating critical infrastructure and are under the impression that you aren't squarely in an operator's crosshairs, you're wrong."
While the benefits of these advisories from CISA can be debated, they do serve their purpose and remind organizations of the many risks and vulnerabilities threat actors are constantly looking to exploit.
For more information on Russian APT actors and what steps your organization can take to protect itself, see the full advisory: Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure.