Advisory Says Russia-Backed APT Actors Have Significant Cyber Capabilities
The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and National Security Agency (NSA) are the three federal agencies behind the advisory. It aims to assist the cybersecurity community in dealing with the cyber threats. The agencies have observed advanced persistent threat (APT) actors backed by Russia attacking a number of US critical sector organizations. They employ numerous methods of attack to access vulnerable networks. These include “spearphishing, brute force, and exploiting known vulnerabilities against accounts and networks with weak security.” Furthermore, the actors have displayed “sophisticated tradecraft and cyber capabilities” through their activities such as compromising third-party infrastructure and software. They have also been found to develop and deploy custom malware. “The actors have also demonstrated the ability to maintain persistent, undetected, long-term access in compromised environments—including cloud environments—by using legitimate credentials,” the Joint Advisory reads.
High-Profile Cyber Incidents Involving Russian APT Actors
The threat actors have previously deployed their cyber capabilities to attack a broad range of critical infrastructure organizations in the US and other countries. These include companies in “the Defense Industrial Base as well as the Healthcare and Public Health, Energy, Telecommunications, and Government Facilities Sectors.” The Joint Advisory also highlights three high-profile incidents that involved Russia-backed APT actors. These incidents were publicly attributed by American government reporting, as well as legal actions:
The targeting of dozens of state, local, tribal, and territorial (SLTT) governments and aviation networks. The attack lasted from September 2020 to at least December 2020. The threat actors managed to compromise networks and exfiltrated data of multiple victims. Between 2011 and 2018, Russian state-backed APT actors gained remote access to US and international energy sector networks. The actors conducted a multi-stage intrusion campaign, deployed malware targeting ICS (Industrial Control System), and exfiltrated data. The threat actors carried out a campaign against Ukrainian critical infrastructure in December 2015. The cyberattack targeted energy distribution companies, which caused many of them to experience unplanned power outages. Consequently, the attackers deployed BlackEnergy malware to steal user credentials, and a different malware (KillDisk) to turn infected devices inoperable. The next year, the same actors targeted a Ukrainian electrical transmission company. Here, the actors conducted a cyber intrusion campaign and deployed specially designed malware to disrupt power grids.