A new joint alert from the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency warns all critical infrastructure entities, including the healthcare sector, of ongoing targeted cyberattacks by Russian state-sponsored actors.
The Jan. 11, 2022 joint cybersecurity advisory provides an overview of the actors' ongoing operations, their tactics, techniques and procedures (TTPs), and the mitigations identified for them. Network defenders will also find guidance on detection, mitigation and incident response.
These advanced persistent threat (APT) actors have historically relied on common techniques to gain initial access to targeted networks, chiefly brute-force password attacks and spear-phishing. In July 2021, a separate federal alert revealed that Russian-backed hackers had been running a two-year espionage campaign using brute-force attacks against enterprise and cloud environments worldwide.
The state-sponsored actors also commonly exploit publicly known vulnerabilities in widely deployed, internet-facing products, including FortiGate VPNs, Pulse Secure, Citrix, Microsoft Exchange and VMware products, among others.
In healthcare, Russian-backed activity has included targeting pharmaceutical companies, academic research institutions and vaccine developers in an effort to steal information tied to coronavirus research. The Russian Foreign Intelligence Service (SVR) was also behind the 2020 SolarWinds supply-chain compromise.
CISA warns that Russian APT actors have “demonstrated sophisticated tradecraft and cyber capabilities by compromising third-party infrastructure, compromising third-party software, or developing and deploying custom malware.”
Successful exploitation gives the actors persistent, long-term access to victims’ networks, typically maintained with legitimate but stolen credentials; because that activity looks like ordinary user logins, it often goes undetected by the enterprise. The actors have also been observed targeting operational technology (OT) and industrial control system (ICS) networks with destructive malware.
The federal agencies urge critical infrastructure network defenders to adopt a heightened state of awareness, including proactive threat hunting, to strengthen operational resilience against these sophisticated threats.
The alert contains indicators of compromise and detection guidance that relies heavily on comprehensive log collection and retention, since credential-based access of the kind described above leaves few traces beyond authentication and network logs. Organizations will also find recommendations for preparing their defenses against these types of attacks, guidance on vulnerability and configuration management, and links to supporting resources.
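As an added illustration of the log-based hunting the advisory calls for, and of the brute-force tradecraft described earlier in this article, the following Python is example code written for this page; it is not part of the advisory or of the article's source material. It parses constructed sshd-style syslog authentication lines and flags three things from one source address within a sliding window: repeated failures against a single account (classic brute force), failures spread across many distinct accounts (password spraying), and the high-priority case of a successful login that follows a burst of failures. The log format, the thresholds, the source addresses and the log year are all assumptions to be tuned against a real environment's baseline.

```python
"""Hunt for brute-force and password-spray activity in authentication logs.

Example code for this article, not from the CISA/FBI/NSA advisory.
Input lines, thresholds and addresses are constructed/assumed.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Traditional syslog sshd lines (assumed format); trailing fields are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Tuning knobs: assumed values, adjust to your baseline.
WINDOW = timedelta(minutes=10)   # sliding window per source address
BRUTE_FORCE_FAILS = 5            # failures against one account from one source
SPRAY_ACCOUNTS = 5               # distinct accounts failed from one source
SUCCESS_AFTER_FAILS = 3          # prior failures that make a success suspicious
YEAR = 2022                      # syslog lines carry no year; assumed


@dataclass(frozen=True)
class Finding:
    ip: str
    kind: str     # "brute_force", "password_spray" or "success_after_failures"
    detail: str


def parse(line):
    """Return (timestamp, result, user, ip) for an auth line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def hunt(lines):
    """Group auth events by source IP and flag suspicious patterns."""
    events = sorted(e for e in map(parse, lines) if e)
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[3]].append(ev)

    findings = []
    for ip, evs in by_ip.items():
        recent = deque()   # (timestamp, user) failures within WINDOW
        flagged = set()    # kinds already reported for this source
        for ts, result, user, _ in evs:
            while recent and ts - recent[0][0] > WINDOW:
                recent.popleft()
            if result == "Failed":
                recent.append((ts, user))
                per_user = defaultdict(int)
                for _, u in recent:
                    per_user[u] += 1
                if "brute_force" not in flagged and per_user[user] >= BRUTE_FORCE_FAILS:
                    flagged.add("brute_force")
                    findings.append(Finding(ip, "brute_force",
                        f"{per_user[user]} failures for '{user}' within {WINDOW}"))
                if "password_spray" not in flagged and len(per_user) >= SPRAY_ACCOUNTS:
                    flagged.add("password_spray")
                    findings.append(Finding(ip, "password_spray",
                        f"failures against {len(per_user)} accounts within {WINDOW}"))
            elif len(recent) >= SUCCESS_AFTER_FAILS:
                # A success right after a failure burst is the signal worth paging on.
                findings.append(Finding(ip, "success_after_failures",
                    f"'{user}' accepted after {len(recent)} recent failures"))
    return findings


# Constructed sample log: a spray from 203.0.113.7 ending in a success,
# a single-account brute force from 198.51.100.23, and a benign typo from 192.0.2.10.
SAMPLE_LOG = """\
Jan 11 03:14:01 vpn-gw sshd[4021]: Failed password for alice from 203.0.113.7 port 51122 ssh2
Jan 11 03:14:02 vpn-gw sshd[4022]: Failed password for bob from 203.0.113.7 port 51123 ssh2
Jan 11 03:14:03 vpn-gw sshd[4023]: Failed password for carol from 203.0.113.7 port 51124 ssh2
Jan 11 03:14:04 vpn-gw sshd[4024]: Failed password for invalid user dave from 203.0.113.7 port 51125 ssh2
Jan 11 03:14:05 vpn-gw sshd[4025]: Failed password for erin from 203.0.113.7 port 51126 ssh2
Jan 11 03:14:30 vpn-gw sshd[4031]: Accepted password for erin from 203.0.113.7 port 51140 ssh2
Jan 11 03:20:11 vpn-gw sshd[4102]: Failed password for admin from 198.51.100.23 port 40001 ssh2
Jan 11 03:20:12 vpn-gw sshd[4103]: Failed password for admin from 198.51.100.23 port 40002 ssh2
Jan 11 03:20:13 vpn-gw sshd[4104]: Failed password for admin from 198.51.100.23 port 40003 ssh2
Jan 11 03:20:14 vpn-gw sshd[4105]: Failed password for admin from 198.51.100.23 port 40004 ssh2
Jan 11 03:20:15 vpn-gw sshd[4106]: Failed password for admin from 198.51.100.23 port 40005 ssh2
Jan 11 03:22:40 vpn-gw sshd[4110]: Failed password for alice from 192.0.2.10 port 60100 ssh2
Jan 11 03:22:48 vpn-gw sshd[4111]: Accepted password for alice from 192.0.2.10 port 60100 ssh2
Jan 11 03:23:00 vpn-gw sshd[4112]: pam_unix(sshd:session): session opened for user alice by (uid=0)
"""

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG.splitlines()):
        print(f"{f.ip:15} {f.kind:22} {f.detail}")
```

The per-source sliding window is what separates a spray (many accounts, one or two attempts each) from a brute force (one account, many attempts); a simple per-account failure counter would miss the spray entirely, which is why the advisory's emphasis on retaining and correlating logs across accounts matters. In production the same logic would run against centrally collected logs, with the source key extended to cover VPN and cloud identity sign-ins rather than only sshd.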