The Department of Justice (DoJ) on Thursday released two indictments charging four Russian nationals who worked for the Russian government with attempting, supporting and conducting computer intrusions that in two separate conspiracies targeted the global energy sector between 2012 and 2018.
The DoJ said these hacking campaigns targeted thousands of computers at hundreds of companies and organizations in some 135 countries.
On the same day as the indictments, the Cybersecurity and Infrastructure Security Agency (CISA), the FBI and the Department of Energy (DOE) released a joint cybersecurity advisory (CSA) that outlines the tactics, techniques and procedures (TTPs) used by the indicted threat actors as well as a series of mitigation recommendations.
The advisory maps the TTPs used in the global energy sector campaign and the compromise of a Middle East-based energy sector organization to the MITRE ATT&CK for Enterprise and ATT&CK for ICS frameworks.
CISA, the FBI, and DOE said that state-sponsored Russian cyber operations continue to pose a threat to U.S. energy sector networks, and they urge the energy sector and other critical infrastructure organizations to apply the recommendations listed in the CSA's mitigations section.
In a tweet responding to the advisory, Dragos CEO Robert Lee said some of the recommendations offered were not practical.
Some examples: Under network segmentation, the CSA pushes for data diodes “wherever possible.” Lee said there are some good use cases for diodes, but they are really not something security teams want wherever possible and are very impractical in modern ICS environments in most cases.
Under network monitoring, Lee said the CSA advises that organizations should create alarms for any ICS traffic outside normal operations. Lee maintained that this is impractical and a great way to flood the organizations with millions of alerts.
“ICS networks are not the static environments people pretend,” Lee said in the tweet.
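To make the alert-flood concern concrete, here is an added example (not from the advisory, the article or Dragos) that applies a literal "alert on anything outside the baseline" rule to a constructed sample of Modbus-style flow tuples, then shows how collapsing repeats per tuple and ranking unknown sources first keeps the queue reviewable. All addresses, function names and counts are constructed.

```python
from collections import Counter

# Constructed learning-window baseline of (src, dst, port, function) tuples.
# Function names stand in for Modbus function codes; values are illustrative.
BASELINE = {
    ("10.1.1.10", "10.1.2.5", 502, "read_holding"),
    ("10.1.1.10", "10.1.2.6", 502, "read_holding"),
    ("10.1.1.11", "10.1.2.5", 502, "write_single"),
}

# Constructed sample of one shift's flows. A new PLC (10.1.2.7) was added
# and the HMI polls it once a second, plus two writes from an unknown host.
SAMPLE_FLOWS = (
    [("10.1.1.10", "10.1.2.5", 502, "read_holding")] * 40
    + [("10.1.1.10", "10.1.2.7", 502, "read_holding")] * 3600
    + [("10.1.1.11", "10.1.2.5", 502, "write_single")] * 20
    + [("192.168.50.9", "10.1.2.5", 502, "write_multiple")] * 2
)

WRITE_FUNCTIONS = {"write_single", "write_multiple"}


def naive_alerts(flows, baseline):
    """Literal reading of 'alarm on any ICS traffic outside normal
    operations': one alert per flow not seen in the baseline."""
    return [f for f in flows if f not in baseline]


def aggregated_alerts(flows, baseline):
    """Collapse repeats into one alert per new tuple and rank them:
    a write from a host never seen in the baseline outranks a known
    HMI polling a new device."""
    known_src = {src for src, _dst, _port, _fn in baseline}
    counts = Counter(f for f in flows if f not in baseline)
    alerts = []
    for (src, dst, port, fn), n in counts.items():
        unknown_src = src not in known_src
        severity = "high" if unknown_src and fn in WRITE_FUNCTIONS else (
            "medium" if unknown_src else "low")
        alerts.append({"src": src, "dst": dst, "port": port, "function": fn,
                       "count": n, "severity": severity})
    # Highest severity first, then the rarest flows (least likely to be routine).
    order = {"high": 0, "medium": 1, "low": 2}
    alerts.sort(key=lambda a: (order[a["severity"]], a["count"]))
    return alerts


if __name__ == "__main__":
    print("naive alerts:", len(naive_alerts(SAMPLE_FLOWS, BASELINE)))
    for alert in aggregated_alerts(SAMPLE_FLOWS, BASELINE):
        print(alert)
```

On this sample the literal rule raises 3,602 alerts for what is two distinct events, one of them routine engineering change; the aggregated view raises two, with the unknown-host write on top.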