Last month, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the U.S. Department of Energy (DOE) issued a joint advisory providing “information on multiple intrusion campaigns conducted by state-sponsored Russian cyber actors” that targeted “U.S. and international Energy Sector organizations.” While CISA, the FBI, and DOE all responded to these campaigns “with appropriate action in and around the time they occurred,” the U.S. government determined that it was important to share information about the attacks “in order to highlight historical tactics, techniques, and procedures (TTPs) used by adversaries to target U.S. and international Energy Sector organizations.”
The joint advisory detailed two specific cyber intrusion campaigns against U.S. and international oil refineries, nuclear facilities, and energy companies. The first campaign involved Russian Federal Security Service (FSB) officers who “conducted a multi-stage campaign in which they gained remote access to U.S. and international energy sector networks, deployed [Information Control System (ICS)]-focused malware, and collected and exfiltrated enterprise and ICS-related data.” The second campaign involved Russian cyber actors affiliated with the Russian Federation Central Scientific Research Institute of Chemistry and Mechanics (TsNIIKhm) who “gained access to and leveraged TRITON (also known as HatMan) malware to manipulate a foreign oil refinery’s ICS controllers.” Attackers involved in both attacks had been charged in federal criminal indictments that were recently unsealed by the U.S. Department of Justice.
The state-sponsored attacks included various common tactics and techniques, including, but not limited to, the following:
- Spear phishing campaigns
- Use of malicious versions of legitimate software updates on multiple ICS vendor websites
- Data exfiltration
- Supply chain attacks
The joint advisory also recommended various “mitigation strategies” to help potential targets protect their networks from similar attacks in the future. These mitigation strategies include the following:
- Improving management of Privileged Account Management strategies
- Setting and enforcing more secure password policies for all accounts
- Removing or denying access to unnecessary and potentially vulnerable software
- Increasing use of audits of systems, permissions, insecure software, and insecure system configurations and
- Enforcing multifactor authentication requiring users to provide two or more pieces of information (such as username and password plus a token) to authenticate into a system.
The war in Ukraine has led to an increase in cyberattacks, and experts fear that the severity and frequency of these attacks will only increase as hostilities continue. We have recently discussed this possibility in a separate article addressing cybersecurity concerns in the wake of Russia’s attack on Ukraine.
As always, it is critical to review your organization’s cyber hygiene and start taking precautions to protect your information technology and operational technology networks. And, as exemplified by the recent joint release by the U.S. government, this is especially relevant for those in the U.S. critical infrastructure sector.