International Cybersecurity Authorities Issue Joint Advisory on Russian Cyber Threats to Critical Infrastructure

By Ashden Fein, Moriah Daugherty, and Web Leslie | April 26, 2022 | Inside Energy & Environment, Covington & Burling LLP | //www.ludikid.com/2022/04/international-cybersecurity-authorities-issue-joint-advisory-on-russian-cyber-threats-to-critical-infrastructure/

Topics: European Energy and Climate Policy, Cybersecurity, Energy, Infrastructure, Russia, Ukraine

On April 20, 2022, the cybersecurity authorities of the United States, Australia, Canada, New Zealand, and the United Kingdom—the so-called "Five Eyes" governments—announced the publication of Alert AA22-110A, a Joint Cybersecurity Advisory (the "Advisory") warning critical infrastructure organizations throughout the world that the Russian invasion of Ukraine could expose them "to increased malicious cyber activity from Russian state-sponsored cyber actors or Russian-aligned cybercrime groups."  The Advisory updates a January 2022 Joint Cybersecurity Advisory, which provided an overview of Russian state-sponsored cyber operations and their tactics, techniques, and procedures ("TTPs").

In its announcement, the authorities urged critical infrastructure network defenders in particular "to prepare for and mitigate potential cyber threats by hardening their cyber defenses" as recommended in the Advisory.

Overview.  The Advisory notes that "evolving intelligence" indicates that the Russian government is exploring options for potential cyber attacks and that some cybercrime groups have recently publicly pledged support for the Russian government and threatened to conduct cyber operations on behalf of the Russian government.  The Advisory summarizes TTPs used by five state-sponsored advanced persistent threat ("APT") groups, two Russian-aligned cyber threat groups, and eight Russian-aligned cybercrime groups.  Additionally, it provides a list of mitigations and suggests that critical infrastructure organizations should implement certain mitigations "immediately."

Russian State-Sponsored Cyber Operations.  The Advisory notes that Russian state-sponsored cyber actors have "demonstrated capabilities" to compromise networks, maintain long-term persistent access to those networks, exfiltrate sensitive data from information technology ("IT") and operational technology ("OT") networks, and use destructive malware to disrupt critical industrial control systems ("ICS") and OT networks.  The Advisory details five categories of Russian APT actors:

Russian Federal Security Service ("FSB"):  The FSB, the successor agency to the Soviet KGB, has conducted malicious cyber operations against organizations in multiple critical infrastructure sectors, including the Energy Sector (including U.S. and UK companies), the Transportation Sector (including U.S. organizations), the Water and Wastewater Systems Sector, and the Defense Industrial Base Sector, as well as government and military personnel, private organizations, cybersecurity companies, and journalists.  Common TTPs include exploiting internet-facing infrastructure and network appliances, conducting brute force attacks against public-facing web applications, and leveraging compromised infrastructure, such as websites frequented or owned by their target.

Russian Foreign Intelligence Service ("SVR"):  SVR has likewise targeted multiple critical infrastructure organizations, although the Advisory does not specify the sectors in which these organizations operate.  SVR's TTPs include custom and sophisticated malware targeting Windows and Linux systems and lateral movement within a compromised network that can bypass multi-factor authentication ("MFA") on privileged cloud accounts.  The U.S., UK, and Canada have attributed the SolarWinds Orion supply chain compromise to the SVR.

Russian General Staff Main Intelligence Directorate ("GRU"), 85th Main Special Service Center ("GTsSS"): GTsSS primarily targets government organizations, travel and hospitality entities, research institutions, non-government organizations, and critical infrastructure entities.  Its TTPs include harvesting credentials to gain access to targets via spear phishing emails and spoofed websites that trick users into entering their account names and passwords.

GRU's Main Center for Special Technologies ("GTsST"): GTsST is known to target critical infrastructure entities, including those within the Energy, Transportation, and Financial Services Sectors, as well as member states belonging to the North Atlantic Treaty Organization ("NATO") and Western governments and military organizations.  GTsST is particularly known to use destructive or disruptive attacks, such as distributed denial of service ("DDoS") and wiper malware.

Russian Ministry of Defense, Central Scientific Institute of Chemistry and Mechanics ("TsNIIKhM"): TsNIIKhM is known publicly as a research organization in the Russian Ministry of Defense, but the Advisory notes it has developed destructive ICS malware, known as Triton, HatMan, and TRISIS.

Russian-Aligned Cyber Threat Groups.  The Advisory addresses two Russian-aligned cyber threat groups:  PRIMITIVE BEAR and VENOMOUS BEAR.  The former is known to target Ukrainian organizations and the latter is known to target NATO governments, defense contractors, and "other organizations of intelligence value."  Notably, the Advisory explains that none of the governments responsible for the Advisory have formally attributed either of these groups to the Russian government, but it nevertheless treats both groups as aligned with the Russian government.

Russian-Aligned Cybercrime Groups.  The Advisory details eight cybercrime groups aligned with the Russian government.  The Advisory notes that these groups are often financially motivated and pose a threat to critical infrastructure organizations throughout the world, primarily through ransomware and DDoS attacks.  The Advisory notes that while these groups "may conduct cyber operations in support of the Russian government," cybercriminals will most likely continue to operate primarily on the basis of financial motivation, which may include targeting government and critical infrastructure organizations.

The CoomingProject:  This group extorts victims by releasing, or threatening to release, leaked data.  The CoomingProject has stated that it will respond to cyber attacks against the Russian government.

Killnet:  Killnet has likewise pledged support to the Russian government.  It has also claimed credit for a 2022 DDoS attack against a U.S. airport in response to U.S. materiel support for Ukraine.

MUMMY SPIDER: This group operates an advanced, modular botnet, known as Emotet, which primarily functions as a downloader and distribution service for other cybercrime groups.  Emotet has been used to target "financial, e-commerce, healthcare, academia, government, and technology organizations' networks" throughout the world.

SALTY SPIDER: This group also operates a botnet, known as Sality, which uses advanced peer-to-peer malware loaders.  SALTY SPIDER has conducted DDoS attacks against Ukrainian web forums discussing the Russian invasion of Ukraine.

SCULLY SPIDER: This group operates a "malware-as-a-service" model, which includes maintaining a command and control infrastructure and selling access to its malware and infrastructure to affiliates.  SCULLY SPIDER also operates the DanaBot botnet, which effectively functions as an initial access vector for other malware and can result in ransomware deployment.  The group primarily targets organizations in the United States, Canada, Germany, United Kingdom, Australia, Italy, Poland, Mexico, and Ukraine.

SMOKEY SPIDER: This group operates a malicious bot, known as Smoke Loader or Smoke Bot, which is used to upload other malware.  The group's bot has been used to distribute malware payloads used in DDoS attacks against Ukrainian targets.

WIZARD SPIDER: This group develops TrickBot malware and Conti ransomware.  This group has targeted construction and engineering companies, legal and professional services, manufacturing, retail, U.S. healthcare, and first responder networks, and has publicly pledged support to the Russian government, threatened critical infrastructure organizations of countries perceived to "carry out cyberattacks or war against the Russian government," and threatened to "retaliate against perceived attacks against the Russian people."

The Xaknet Team: The Xaknet Team has only been active since March 2022 and has stated they will work "exclusively for the good of [Russia]."  The group has threatened to target Ukrainian organizations in response to perceived attacks against Russia and, in March 2022, leaked emails of a Ukrainian official.

Mitigations.  The Advisory provides several mitigations that it recommends critical infrastructure organizations implement "immediately": (1) updating software; (2) enforcing MFA to the greatest extent possible and requiring strong passwords; (3) securing and monitoring Remote Desktop Protocol ("RDP"); and (4) providing end-user awareness and training on potential cyber threats.

The Advisory also recommends that critical infrastructure organizations "exercise due diligence in identifying indicators of potential malicious activity" and take specific steps upon detecting APT or ransomware activity.

These steps include: (1) immediately isolating affected systems; (2) identifying and blocking traffic from suspected attacker IP addresses, enabling firewall rate limiting, notifying the organization's internet service provider, and using remotely triggered black hole ("RTBH") filtering; (3) securing backups; (4) collecting and reviewing relevant logs, data, and artifacts; (5) considering engaging a third-party IT organization; and (6) reporting the incident to the appropriate cyber and law enforcement authorities.  The Advisory also "strongly discourages" paying ransoms to criminal actors, noting that payment does not always successfully restore a victim's files and that such payments may "embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities."
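As an added illustration of two of the items above, "secure and monitor RDP" among the immediate mitigations and "identify and block suspected attacker IP traffic" among the response steps, the following Python script is not part of the Advisory or of this post; it is example code written for this page.  It reads a constructed set of Windows Security log records (Event ID 4625 is a failed logon, 4624 a successful one; logon type 10 is RemoteInteractive, i.e., RDP, and logon type 3 is how RDP failures commonly appear when Network Level Authentication is enabled), flags source addresses that exceed an assumed threshold of failed RDP logons within an assumed time window, notes whether a successful logon followed the burst, and renders one Windows Firewall deny rule per flagged source.  The threshold, window, IP addresses, and account names are assumptions for the example, not values taken from the Advisory.

```python
"""Flag RDP brute-force sources in Windows Security log records.

Example code added for illustration; not from the Advisory or the post.
The records, threshold, and window below are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, EventID, LogonType, TargetUserName, IpAddress).
# 4625 = failed logon, 4624 = successful logon.  Logon type 10 = RemoteInteractive (RDP);
# with Network Level Authentication enabled, RDP failures are often logged as type 3,
# so both types are treated as RDP here.  Type 2 is a local console logon and is ignored.
SAMPLE_EVENTS = [
    ("2022-04-21T02:00:01", 4625, 10, "administrator", "203.0.113.7"),
    ("2022-04-21T02:00:03", 4625, 10, "admin", "203.0.113.7"),
    ("2022-04-21T02:00:05", 4625, 3, "backup", "203.0.113.7"),
    ("2022-04-21T02:00:07", 4625, 10, "svc_sql", "203.0.113.7"),
    ("2022-04-21T02:00:09", 4625, 10, "jsmith", "203.0.113.7"),
    ("2022-04-21T02:00:11", 4624, 10, "jsmith", "203.0.113.7"),   # success right after the spray
    ("2022-04-21T02:10:00", 4625, 10, "jsmith", "198.51.100.4"),  # single typo, not an attack
    ("2022-04-21T03:30:00", 4625, 2, "jsmith", "-"),              # console logon, not RDP
    ("2022-04-21T02:00:02", 4625, 10, "admin", "192.0.2.9"),
    ("2022-04-21T02:45:00", 4625, 10, "admin", "192.0.2.9"),      # same source, outside the window
]

RDP_LOGON_TYPES = {10, 3}


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: summary} for sources with >= threshold failed RDP logons in any window."""
    failures = defaultdict(list)   # ip -> [(timestamp, user)]
    successes = defaultdict(list)  # ip -> [timestamp]
    for ts, event_id, logon_type, user, ip in events:
        if logon_type not in RDP_LOGON_TYPES or ip == "-":
            continue
        t = datetime.fromisoformat(ts)
        if event_id == 4625:
            failures[ip].append((t, user))
        elif event_id == 4624:
            successes[ip].append(t)

    flagged = {}
    for ip, fails in failures.items():
        fails.sort()
        # Sliding window: largest number of failures inside any span of length `window`.
        best, best_end, start = 0, None, 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            if end - start + 1 > best:
                best, best_end = end - start + 1, fails[end][0]
        if best >= threshold:
            flagged[ip] = {
                "failures": best,
                "distinct_users": len({u for _, u in fails}),
                # A success after the burst suggests a guessed credential: isolate the
                # host and reset the account rather than only blocking the address.
                "success_after": any(t >= best_end for t in successes[ip]),
            }
    return flagged


def block_rules(flagged):
    """Render one inbound Windows Firewall deny rule (netsh syntax) per flagged source."""
    return [
        f'netsh advfirewall firewall add rule name="Block RDP brute force {ip}" '
        f"dir=in action=block remoteip={ip}"
        for ip in sorted(flagged)
    ]


if __name__ == "__main__":
    hits = detect_rdp_bruteforce(SAMPLE_EVENTS)
    for ip, summary in hits.items():
        print(ip, summary)
    for rule in block_rules(hits):
        print(rule)
```

Blocking the address is the cheapest step and the one the Advisory lists first; the `success_after` flag is there because a source that guessed a password correctly has crossed from a noisy scan to an intrusion, and at that point the Advisory's first step, isolating the affected system, applies.  In production the records would come from the Security event log or a SIEM rather than from an inline list, and the threshold and window should be tuned to the organization's baseline.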

Additional Resources.  The Advisory also provides links to a number of additional topical resources, including on: Russian state-sponsored malicious cyber activity; cybercrime and malicious cyber activity; protecting against and responding to ransomware; destructive malware; incident response; and critical infrastructure owners and operators with OT/ICS networks.

Cybersecurity, law enforcement, and intelligence agencies have recently issued several warnings and alerts regarding the seriousness of Russian cyber threats and have jointly compiled intelligence on Russian cyber operations, highlighting the broad scope of malicious Russian-affiliated cyber activity and the significant threat these activities pose.  Organizations, particularly those within critical infrastructure sectors and those operating critical ICS and OT networks, should consider evaluating their cybersecurity posture against these threats, including whether gaps exist in that posture and whether the specific mitigations identified in the Advisory need to be implemented.
